When a User Directory Connector is synchronized any users that exist in the Sense version of that User Directory but do not exist in the connected User Directory will be disabled and become unusable.
The system will never allow the last RootAdmin account to be disabled, but as there is no guarantee that this user is available. Unfortunately, there is no check performed or warning provided if this filter will result in administrator accounts being disabled.
It's always suggested to set all RootAdmin's including the qlik service user account, within the QMC, to never be deleted by clicking the checkbox before attempting a new LDAP filter or sync. This way admins do not get deleted when trying new LDAP queries and changing filters. See How to avoid the RootAdmin(s) from becoming inactive for details.
Resolution
Discover active RootAdmins
The sync process cannot disable the last RootAdmin account, there is a safety check to prevent this, but that does not mean that the owner of that account is available or able to work to restore access to the system.
To find the still enabled RootAdmin accounts without access to the QMC you will need to access the database on the central node.
To do this:
- Follow steps on How To Connect To And Modify The PostgreSQL Database Used For Qlik Sense Repository to connect to the database
- Click Execute Arbitrary SQL Queries
- Paste the following query into the editor
SELECT * FROM "Users"
WHERE "RolesString" = 'RootAdmin'
AND "Inactive" = False
AND "RemovedExternally" = False;
- Click Execute Query
The output will show the active RootAdmins, then reach out to this administrator and ask them to remove the filter and rerun the sync task.
Re-enabling RootAdmins:
If that administrator is unable to assist, then it is possible to re-enable the other RootAdmin accounts by modifying the database. This is only recommended as a final resort, but will allow you to regain access. To do this:
- Shut down all Qlik Sense services other than the Qlik Sense Repository Database
- Connect to the database and open the SQL query window using steps from above
- Paste the following query into the editor
UPDATE "Users"
SET "Inactive" = FALSE, "RemovedExternally" = FALSE, "DeleteProhibited"=TRUE
WHERE "RolesString" = 'RootAdmin'
AND "Deleted" = False
AND "Blacklisted" = False;
If you are running Qlik Sense November 2018 or later use this query instead:
UPDATE "Users"
SET "Inactive" = FALSE, "RemovedExternally" = FALSE, "DeleteProhibited"=TRUE
WHERE "RolesString" = 'RootAdmin'
AND "Blacklisted" = False;
- Click Execute Query
- Start up the Qlik Sense Services
Creating a new RootAdmin
Alternatively, you use the attached Powershell file to create a new local account on the / a server that runs Qlik Sense then elevate that user. This allows you to have a backup account should UDC synchronization become problematic in the future.
Cause
The UDC sync process will disable any accounts that do not appear in the user directory, a user that has been filtered out is from Qlik Sense's perspective no different to a user that does not appear. As long as this will not disable the last RootAdmin account it can disable any others, including the account that added the LDAP filter, rendering the change hard to undo.
