1 Reply Latest reply: Dec 20, 2017 3:00 PM by Lucien Thompson

    Trusted Domain Users and UDC

    Lucien Thompson

      I have users in two domains that need access to Qlik Sense. I am syncing one root AD group in domain A with my UDC. All users are members of this group through group nesting. Everything works fine within domain A.

      I can even add domain B users to a nested group in domain A and they will be created in Sense.

       

      However, none of the domain B users' group membership is brought in with it.

      We are using custom properties mapped to an AD group to assign permissions in Sense, so the users from domain B have no permissions.

       

      Domain B users are direct members of group1 in Domain A that is a member (nested) of group2 that is synced with a Sense UDC.

      We have a two-way transitive trust between the domains.

       

      My question is, how do I get the UDC (AD/LDAP) to resolve the group membership of users in an external domain?

        • Re: Trusted Domain Users and UDC
          Lucien Thompson

          Ok, so it turns out the users from domain B are not synced. It just so happens the users tried to access the hub and were created automatically in Sense.

          The user account is still not associated (in Sense) with the groups in domain A they are members of.

           

          Is this a limitation of LDAP?

          It looks like external users are represented as ForeignSecurityPrincipals (SIDs) when using LDAP.

           

          I would like to add that this is ridiculously easy using PowerShell...

           

          Get-ADGroupMember -Identity <Group> -Recursive | select name
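
Added example (not part of the original posts): a trusted-domain user who is added to a domain A group appears in that group's `member` attribute as a ForeignSecurityPrincipal object named after the user's SID, so a walk of the nesting has to translate that SID to get back to the domain B account. The sketch below does that with the ActiveDirectory module; the function name `Resolve-GroupMembers` and the group name `group2` are placeholders, and it assumes the machine running it can resolve SIDs across the trust.

```powershell
# Added example: recursively walk a group's 'member' attribute and resolve
# ForeignSecurityPrincipal entries (trusted-domain users) to DOMAIN\user names.
Import-Module ActiveDirectory

function Resolve-GroupMembers {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        $Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    # Guard against circular group nesting
    if (-not $Seen.Add($GroupDN)) { return }

    $group = Get-ADGroup -Identity $GroupDN -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        switch ($obj.ObjectClass) {
            'group' {
                # Nested group: descend
                Resolve-GroupMembers -GroupDN $dn -Seen $Seen
            }
            'foreignSecurityPrincipal' {
                # The FSP's objectSid is the SID of the account in the trusted domain
                $sid = $obj.objectSid
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved SID>' }   # trust or name resolution unavailable
                [pscustomobject]@{ Member = $name; Sid = $sid.Value; Via = $group.Name; Foreign = $true }
            }
            default {
                # Local user, computer, contact, etc.
                [pscustomobject]@{ Member = $obj.Name; Sid = $obj.objectSid.Value; Via = $group.Name; Foreign = $false }
            }
        }
    }
}

# 'group2' is a placeholder for the group that the UDC syncs
$root = (Get-ADGroup -Identity 'group2').DistinguishedName
Resolve-GroupMembers -GroupDN $root | Sort-Object Foreign, Member | Format-Table -AutoSize
```

Rows with `Foreign = $true` are the accounts whose group membership exists only as a SID reference in domain A, which makes the output usable as a review list of trusted-domain users who should hold permissions through these groups.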