SAMMOL
Partner - Contributor

Managing user access in a multi-cloud environment

Good Morning,

I am outlining an open case with Qlik, for which, unfortunately, the provided solutions have not yielded results. I am attaching the initial message along with all the solutions that Qlik suggested and that we implemented, but without achieving the desired outcome.

Could someone, after analyzing the responses, help us?

....

- ME: 

I've just followed the guide available at the following link (https://help.qlik.com/it-IT/cloud-services/Subsystems/Hub/Content/Sense_Hub/Scripting/Security/manag...) for a migration from Qlik Sense Enterprise to Qlik Cloud. However, when adding the USER.MAIL field to the security table, with the USERID field already present, I noticed that the loading fails. When I change the field name to USER.ID, the loading works. For this reason, I'm asking if there is a bug in the system(?).
Please see the attachment below.
Thank you very much,

 

- QLIK_1_RESPONSE:

Qlik Cloud will get the login information from the IdP object and compare it to the value in this field.
Please see the USERID section in https://help.qlik.com/it-IT/cloud-services/Subsystems/Hub/Content/Sense_Hub/Scripting/Security/manag...

The reason why "USERID" is not working could be that it does not correspond with what is defined in the "IdP subject" in the "Users" section in the Management Console. Can you please double-check this? Does it work if you use the "IdP subject" from the users section as the "USERID"?

The reason why it does not restrict the access when using "USER.ID" is that "USER.ID" is not a system section access field.

Please cross-check and let us know. If the issue is not resolved, please provide:
1) Qlik Tenant ID
2) Qlik user, user ID, User name
3) Used IdP
4) The script you used for the section access

 

- QLIK_2_RESPONSE:

With Qlik Sense Enterprise on Windows, the USERID value in the Section Access security table is verified by the proxy service. In Qlik Cloud, an Identity Provider takes on that authentication role. Therefore, if Section Access is configured for an on-premises environment such as Qlik Sense Enterprise on Windows, it will not work in a cloud environment.
When using an OIDC or SAML identity provider (Qlik IdP or custom IdP) with Qlik Cloud, the subject claim is used to identify users at sign in. With Section Access, the value of the USERID field in the security table is compared to the subject claim value. When you set up your tenant, make sure that the SAM account name maps to the subject claim of your identity provider. So, for example, if the SAM account name is AD_DOMAIN\Dev, set the subject claim to AD_DOMAIN\Dev. If you want to see the value of the IdP's subject claim, add /api/v1/diagnose-claims to the tenant URL in the browser, for example, your-tenant.us.qlikcloud.com/api/v1/diagnose-claims. In the JSON response, the subject claim is defined as sub.
If the SAM account name cannot be used, there is an alternative method to authenticate a user. Since email addresses tend to remain the same across different environments, you can use the USER.EMAIL field in place of USERID in the security table.

 

- QLIK_3_RESPONSE:

Please review the below info from the cloud team:

You have to use the alternate format, as explained here:

https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Scripting/Security/manag...

You have to make sure that the user performing the distribution is added.
Please make sure the users are added for the client-managed part as well.

INTERNAL\sa_repository ,ADMIN
INTERNAL\sa_scheduler ,ADMIN

If that still doesn't work, we are sorry to let you know that from support scope we don't troubleshoot customers section access.
You have to reach out to the Qlik Cloud community https://community.qlik.com/t5/c-cyjdu72974/Qlik+Cloud/pd-p/qlikSenseEnterpriseSaaS and create a new post on the community for more reach.
If the community does not help you, you have to reach out to the Qlik Partner Account Manager and discuss your options for implementation assistance.
Please refer: https://community.qlik.com/t5/Official-Support-Articles/How-and-when-to-contact-Qlik-s-Professional-...
Please refer to "Managing User Access in a Multi-Cloud Environment":
https://help.qlik.com/it-IT/cloud-services/Subsystems/Hub/Content/Sense_Hub/Scripting/Security/manag...

 

We've tried ALL of these responses WITHOUT SUCCESS.

We need help.

Thank you very much!
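
An added example, not part of the original post and not Qlik's code: a small Python check that compares a Section Access security table with the claims returned by /api/v1/diagnose-claims, following QLIK_2_RESPONSE (USERID against `sub`, USER.EMAIL as the alternative), and flags field names outside the system fields named in this thread. The sample table and claims are constructed; the `email` claim key, case-insensitive matching, and the helper names `parse_table` and `check_access` are assumptions.

```python
import json

# Fields this page names as Section Access system fields (USERID, USER.EMAIL) plus
# ACCESS, implied by its ",ADMIN" rows. Assumption: enough for this check only.
SYSTEM_FIELDS = {"ACCESS", "USERID", "USER.EMAIL"}

def parse_table(text):
    """Parse a comma-separated security table; the first row holds field names."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    cells = [[c.strip() for c in line.split(",")] for line in lines]
    header = [h.upper() for h in cells[0]]
    return header, [dict(zip(header, row)) for row in cells[1:]]

def check_access(table_text, claims_json):
    """Return (unknown_fields, matches) for one user's diagnose-claims output.

    matches is a list of (ACCESS value, field that matched). Comparison is
    case-insensitive, which is an assumption of this sketch.
    """
    header, rows = parse_table(table_text)
    claims = json.loads(claims_json)
    # "sub" is the key the page names; "email" is an assumed key name.
    identity = {"USERID": claims.get("sub", ""), "USER.EMAIL": claims.get("email", "")}
    unknown = [h for h in header if h not in SYSTEM_FIELDS]
    matches = []
    for row in rows:
        for field, claim in identity.items():
            value = row.get(field, "")
            if value and claim and value.upper() == claim.upper():
                matches.append((row.get("ACCESS", ""), field))
                break
    return unknown, matches

# Constructed sample data, not taken from the original post's attachment.
CLAIMS = r'{"sub": "auth0|6f1c-constructed", "email": "dev@example.com"}'
TABLE_USER_MAIL = r"""
ACCESS, USERID, USER.MAIL
ADMIN, INTERNAL\sa_repository,
ADMIN, INTERNAL\sa_scheduler,
USER, AD_DOMAIN\Dev, dev@example.com
"""
TABLE_USER_EMAIL = TABLE_USER_MAIL.replace("USER.MAIL", "USER.EMAIL")

if __name__ == "__main__":
    for name, table in [("USER.MAIL", TABLE_USER_MAIL), ("USER.EMAIL", TABLE_USER_EMAIL)]:
        print(name, check_access(table, CLAIMS))
```

An empty `matches` list means no row in the table corresponds to the signed-in user's claims, which is the condition to look for when a table that worked on-premises stops granting access in the cloud tenant.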

 
