Configure tenant settings
In this topic, you will learn how to programmatically control access to the features and capability settings found on the Settings pane in a Qlik Cloud tenant’s management console.
When using the management console of a tenant as a user with the Tenant Admin role, you will see various settings that help you control which features your users have access to. The configuration method varies by service, both in terms of the API calls required, and the level at which it can be configured. Some services support user or space-level access, while others are available only at the tenant level.
Setting | Setting description | Setting scope | API support | Guide |
---|---|---|---|---|
API keys | Allow users to create and manage their API keys, if they have the “Developer” role | Tenant | Yes | API keys |
Application Automation | Allow users to access application automation | Users & Groups | Yes | Application Automation |
Automatic entitlement assignment | Enable automatic license assignment if using Professional and Analyzer licenses | Tenant | Yes | Automatic entitlement assignment |
AutoML | Allow users to configure ML deployments and experiments | Users & Groups | Yes | AutoML |
Chart sharing via email | Allow users to share charts via email | Tenant | Yes | Chart sharing via email |
Data alerts | Allow users to create and manage data alerts | Tenant | Yes | Data alerts |
Dynamic views | Enable dynamic views for Qlik Sense apps | Tenant | No | |
Email server | Configure an SMTP server to send tenant notifications, share content, tabular reporting, etc | Tenant | Yes | Email server |
Groups | Create groups if sent via group claims from your identity provider | Tenant | Yes | Groups |
ML endpoints | Analytics endpoints for machine learning endpoints | Tenant | No | |
Mobile offline usage | Allow offline mobile usage | Tenant | No | |
Notes | Allow users to create and manage notes | Tenant | Yes | Notes |
On-demand app generation | Enable on-demand Qlik Sense apps | Tenant | No | |
SCIM auto provisioning | Set the token expiration period | Tenant | Yes | SCIM auto provisioning |
Subscriptions | Allow users to create and manage chart and sheet subscriptions | Tenant | Yes | Subscriptions |
Tabular reporting | Allow users to configure Excel reports in Qlik Cloud | Tenant | Yes | Tabular reporting |
Tenant alias hostname | Set the “friendly” tenant hostname | Tenant | Yes | Tenant alias hostname |
Tenant encryption | Configure tenant key providers | Tenant | Yes | Tenant encryption |
Tenant name | Set the name of your tenant | Tenant | Yes | Tenant name |
Usage metrics | Display usage information for content in the hub | Tenant | Yes | Usage metrics |
Prerequisites
- You have a basic understanding of Qlik Cloud and the features available to users.
- cURL for running the inline examples, or access to Qlik Application Automation and the Qlik Platform Operations connector.
- Access to an API key or access token from an account assigned the Tenant Admin role, or an OAuth client for the Qlik Platform Operations connector.
Note: The cURL examples in this topic show the command syntax for Windows Command Prompt. If you are using another command line interface, different syntax may be required for line continuation. You may also need to adjust the number and type of quotes surrounding the parameters and their values.
Variable substitution
Throughout this topic, variables will be used to communicate value placement.
The variable substitution format is <VARIABLE_NAME>. Here is a list of variables referred to in this tutorial.
Variable | Description |
---|---|
<TENANT> | The URL for the tenant that you are configuring. Equivalent to tenanthostname.region.qlikcloud.com. |
<ACCESS_TOKEN> | A bearer token or API key for authorizing HTTPS requests to the <TENANT>. |
<TENANT_ID> | The tenant ID for the <TENANT>. Can be retrieved via https://<TENANT>/api/v1/tenants/me |
Configure API Keys
API keys can be used by developers to gain programmatic access to the Qlik platform, acting as their own user. API keys are bound to a user, and the user requires the Developer role to generate an API key.
No code option: Using Qlik Application Automation, you can use the Get API Key Settings and Update API Key Settings blocks from the Qlik Platform Operations connector to do this without code.
To update API key settings, retrieve the current settings:
curl --location "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json"
If successful, responds with 200 and the current configuration:
{
"api_keys_enabled": true,
"max_api_key_expiry": "P365D",
"max_keys_per_user": 5,
"scim_externalClient_expiry": "P365D"
}
To change these values, send one or multiple operations to update the configuration:
curl --location --request PATCH "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
{
\"op\": \"replace\",
\"path\": \"/api_keys_enabled\",
\"value\": true
},
{
\"op\": \"replace\",
\"path\": \"/max_keys_per_user\",
\"value\": 10
},
{
\"op\": \"replace\",
\"path\": \"/max_api_key_expiry\",
\"value\": \"P365D\"
}
]"
If successful, responds with a 204 and an empty response.
Configure Application Automation
Qlik Application Automation is available by default to all users with the appropriate user entitlement in the tenant.
As automations exist only in personal spaces, you can determine who can create, update, and delete their automations by adding or removing the Automation Creator role from the Everyone group.
If you are not familiar with groups in Qlik Cloud, review the managing groups topic.
No code option: Using Qlik Application Automation, you can use the Add Role To Group By Name and Remove Role From Group By Name blocks from the Qlik Platform Operations connector to do this without code. Use group name com.qlik.Everyone and role name AutomationCreator.
To remove this role from the Everyone group, thereby removing the ability for users to use automations, you must first retrieve the list of roles assigned to the Everyone group. The Everyone group always has the ID of 000000000000000000000001.
curl -L "https://<TENANT>/api/v1/groups/000000000000000000000001" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json"
This will return the group definition for the Everyone group:
{
"id": "000000000000000000000001",
"tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
...
"name": "com.qlik.Everyone",
...
"assignedRoles": [
{
"id": "6467dcd960754c03a3ed402c",
"name": "AutomationCreator",
"type": "default",
"level": "user"
},
{
"id": "63580b8d5cf9728f19217be0",
"name": "PrivateAnalyticsContentCreator",
"type": "default",
"level": "user"
},
{
"id": "605a1c2151382ffc836af862",
"name": "SharedSpaceCreator",
"type": "default",
"level": "user"
}
],
...
}
This response indicates that there are three roles assigned to the Everyone group: AutomationCreator, PrivateAnalyticsContentCreator, and SharedSpaceCreator.
Your next request will patch this group, requesting that the roles are replaced with just PrivateAnalyticsContentCreator and SharedSpaceCreator.
curl -L -X PATCH "https://<TENANT>/api/v1/groups/000000000000000000000001" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "[{\"op\": \"replace\", \"path\": \"/assignedRoles\", \"value\": [{\"name\": \"PrivateAnalyticsContentCreator\"}, {\"name\": \"SharedSpaceCreator\"}]}]"
If successful, an empty response with an HTTP 204 code is returned.
For more information on this endpoint, review the API specification for groups. If you then wish to add this capability back to a subset of your users, you can opt to assign this role on a user-by-user or group-by-group basis with a patch call to the users or groups APIs.
Configure automatic entitlement assignment
If you are a customer leveraging Qlik’s user entitlement model, users will be assigned a named Professional or Analyzer entitlement, or consume Analyzer Capacity as they use the platform. For more information on this model, review assigning user entitlements.
No code option: Using Qlik Application Automation, you can use the Get Tenant Auto License Assign Settings and Update Tenant Auto License Assign Settings blocks from the Qlik Platform Operations connector to do this without code.
To turn off the automatic assignment of named entitlements to new users as they are created, or as they access content in the tenant, change the values of autoAssignProfessional and autoAssignAnalyzer to false in this API call:
curl -L "https://<TENANT>/api/v1/licenses/settings" ^
-X PUT ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "{\"autoAssignProfessional\":false,\"autoAssignAnalyzer\":false}"
If successful, the result of the request is returned with an HTTP 200 code.
{
"autoAssignProfessional": false,
"autoAssignAnalyzer": false
}
For more information on this endpoint, review the API specification for licenses/settings.
Learn more about:
- The way user assignments work in Qlik Cloud for user-based subscriptions.
- The licenses API.
Configure automatic group creation
Security in Qlik Cloud can be applied to both users and groups. Using groups to secure access to content and resources simplifies access management by allowing an identity provider outside of Qlik to manage user access to Qlik resources using group membership. As group membership changes, Qlik automatically picks up the changes and ensures that users can only access content and resources according to their group memberships.
No code option: Using Qlik Application Automation, you can use the Get Auto Create Group Settings and Update Auto Create Group Settings blocks from the Qlik Platform Operations connector to do this without code.
To enable group management on a tenant, access the /groups/settings endpoint and set the autoCreateGroups property to true to permit group creation on user login, and the syncIdpGroups property to true if you are using a compatible interactive Identity Provider and wish groups to be synchronized:
curl -L "https://<TENANT>/api/v1/groups/settings" ^
-X PATCH ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "[{\"op\": \"replace\", \"path\": \"/autoCreateGroups\", \"value\": true},{\"op\": \"replace\", \"path\": \"/syncIdpGroups\", \"value\": true}]"
The response from this request is an HTTP 204 updated status code. There are no additional details provided in the response.
Learn more about:
- The groups API.
Configure AutoML
Qlik AutoML is available by default to all users with the appropriate user entitlement in the tenant.
You can determine who can create, update, run, and delete ML experiments and deployments by adding or removing the relevant roles from the Everyone group. To learn more about the controls for managing access to AutoML, review the help topic on Who can work with Qlik AutoML.
If you are not familiar with groups in Qlik Cloud, review the managing groups topic.
No code option: With Qlik Application Automation, you can manage roles without writing any code. Use the Add Role To Group By Name and Remove Role From Group By Name blocks from the Qlik Platform Operations connector. Specify group name as com.qlik.Everyone and role names as AutomlDeploymentContributor and AutomlExperimentContributor.
To remove these roles from the Everyone group, thereby removing the ability for users to use AutoML, you must first retrieve the list of roles assigned to the Everyone group. The Everyone group always has ID 000000000000000000000001.
curl -L "https://<TENANT>/api/v1/groups/000000000000000000000001" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json"
This will return the group definition for the Everyone group:
{
"id": "000000000000000000000001",
"tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
...
"name": "com.qlik.Everyone",
...
"assignedRoles": [
{
"id": "6467dcd960754c03a3ed402c",
"name": "AutomlDeploymentContributor",
"type": "default",
"level": "user"
},
{
"id": "63580b8d5cf9728f19217be0",
"name": "AutomlExperimentContributor",
"type": "default",
"level": "user"
},
{
"id": "605a1c2151382ffc836af862",
"name": "SharedSpaceCreator",
"type": "default",
"level": "user"
}
],
...
}
The response in this example indicates that there are three roles assigned to the Everyone group: AutomlDeploymentContributor, AutomlExperimentContributor, and SharedSpaceCreator.
Your next request will patch this group, requesting that the roles are replaced with only SharedSpaceCreator.
curl -L -X PATCH "https://<TENANT>/api/v1/groups/000000000000000000000001" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "[{\"op\": \"replace\", \"path\": \"/assignedRoles\", \"value\": [{\"name\": \"SharedSpaceCreator\"}]}]"
If successful, an empty response with an HTTP 204 code is returned.
For more information on this endpoint, review the API specification for groups.
To re-enable this capability for specific users or groups, you can assign this role individually with a patch call to the respective users or groups APIs.
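The two role-removal walkthroughs above (Application Automation and AutoML) both replace the whole assignedRoles list, so any role left out of the PATCH body is dropped. The following added example, which is not Qlik's code, derives the PATCH body from the group that was actually retrieved so that every other role is preserved, then re-reads the group to confirm the change. The function names and the sample group are assumptions constructed for illustration.

```python
import json
import urllib.request

EVERYONE_GROUP_ID = "000000000000000000000001"  # fixed ID given on this page


def build_role_removal_patch(group, roles_to_remove):
    """Compute a JSON Patch that drops roles but keeps every other assigned role.

    Returns (ops, removed, not_assigned). ops is empty when nothing would change.
    """
    current = [r["name"] for r in group.get("assignedRoles", [])]
    targets = set(roles_to_remove)
    removed = [n for n in current if n in targets]
    not_assigned = sorted(targets - set(current))
    if not removed:
        return [], removed, not_assigned
    kept = [{"name": n} for n in current if n not in targets]
    return [{"op": "replace", "path": "/assignedRoles", "value": kept}], removed, not_assigned


def call_api(tenant, token, method, path, body=None):
    """Send one request to https://<tenant>/api/v1/<path>; return (status, JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{tenant}/api/v1/{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def remove_roles_from_everyone(tenant, token, roles_to_remove):
    """GET the group, PATCH only if needed, then re-read to confirm the roles are gone."""
    path = f"groups/{EVERYONE_GROUP_ID}"
    _, group = call_api(tenant, token, "GET", path)
    ops, removed, _ = build_role_removal_patch(group, roles_to_remove)
    if ops:
        call_api(tenant, token, "PATCH", path, ops)
        _, group = call_api(tenant, token, "GET", path)
    still_there = {r["name"] for r in group["assignedRoles"]} & set(roles_to_remove)
    return removed, sorted(still_there)


# Constructed sample, shaped like the group response shown on this page.
SAMPLE_GROUP = {
    "id": EVERYONE_GROUP_ID,
    "name": "com.qlik.Everyone",
    "assignedRoles": [
        {"name": "AutomationCreator", "type": "default", "level": "user"},
        {"name": "AutomlDeploymentContributor", "type": "default", "level": "user"},
        {"name": "AutomlExperimentContributor", "type": "default", "level": "user"},
        {"name": "SharedSpaceCreator", "type": "default", "level": "user"},
    ],
}

if __name__ == "__main__":
    ops, removed, missing = build_role_removal_patch(
        SAMPLE_GROUP, ["AutomlDeploymentContributor", "AutomlExperimentContributor"])
    print(json.dumps(ops, indent=2))
```

A non-empty second return value from remove_roles_from_everyone means the roles are still assigned after the PATCH and the change should be investigated.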
Configure chart & object subscriptions
Subscription reports let you schedule recurring emails containing your preferred sheets or charts. You can set your desired filters and have a report with the newest data delivered to your inbox at a scheduled time. For example, you could receive overnight order information in an email every morning.
To turn off chart & object subscriptions for all users, set the value of /enable-report-subscription to false:
curl --location --request PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
{
\"op\": \"replace\",
\"path\": \"/enable-report-subscription\",
\"value\": false
}
]"
The response from this request is an HTTP 204 updated status code. There are no additional details provided in the response.
Learn more about:
- The chart & object subscriptions capability.
- The sharing tasks API.
Configure chart sharing by email
Chart sharing by email is offered via the right-click context menu while navigating Qlik Sense apps. Clicking Share, then Image will prompt for an email address to which you can send an image of the selected chart.
To turn off chart sharing for all users, set the value of /enable-sharing to false:
curl --location --request PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
{
\"op\": \"replace\",
\"path\": \"/enable-sharing\",
\"value\": false
}
]"
The response from this request is an HTTP 204 updated status code. There are no additional details provided in the response.
Learn more about:
- The sharing visualizations by email capability.
- The sharing tasks API.
Configure Data Alerts
Data alerts are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the feature context menus in Qlik Sense.
No code option: Using Qlik Application Automation, you can use the Get Data Alert Settings and Update Data Alert Settings blocks from the Qlik Platform Operations connector to do this without code.
To turn off data alerts, set the value of enable-data-alerting to false:
curl -L -X PUT "https://<TENANT>/api/v1/data-alerts/settings" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "{\"enable-data-alerting\": false }"
If successful, an empty response with an HTTP 204 code is returned.
Learn more about:
- The data alerts capability.
- The data alerts API.
Configure Notes
Notes are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the feature context menus in Qlik Sense.
No code option: Using Qlik Application Automation, you can use the Get Notes Settings and Trigger Enable Notes Settings blocks from the Qlik Platform Operations connector to do this without code.
To turn off notes, set the value of toggledOn to false:
curl -L -X PUT "https://<TENANT>/api/v1/notes/settings" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-d "{ \"toggledOn\": false }"
If successful, the result of the request is returned with an HTTP 200 code.
{
"available": false,
"reason": "toggle",
"lastFetch": "2023-07-21T16:26:30.158Z",
"toggledOn": false
}
This indicates that notes are no longer available to users.
For more information on this endpoint, review the API specification for notes/settings.
Configure SCIM auto provisioning
SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity providers and enterprise applications. It aims to simplify user management by providing a common API for creating, updating, and deleting user accounts across different systems.
To update SCIM auto provisioning expiry settings, retrieve the current settings:
curl --location "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json"
If successful, returns the current configuration with a 200 status code:
{
"api_keys_enabled": true,
"max_api_key_expiry": "P365D",
"max_keys_per_user": 5,
"scim_externalClient_expiry": "P365D"
}
To change these values, send one or multiple operations to update the configuration:
curl --location --request PATCH "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
{
\"op\": \"replace\",
\"path\": \"/scim_externalClient_expiry\",
\"value\": \"P365D\"
}
]"
If successful, returns an empty response with a 204 status code.
Learn more about:
- The SCIM provisioning capability.
- The API keys API.
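The Configure API Keys and Configure SCIM auto provisioning sections both read and patch the same api-keys/configs resource. The following added example, which is not Qlik's code, compares a retrieved configuration with a baseline and builds a PATCH body containing only the operations that tighten it. The baseline values and function names are assumptions for illustration, and only the day-only duration form shown on this page is parsed.

```python
import json
import re

# Hypothetical hardening baseline: assumed values, not Qlik recommendations.
BASELINE = {
    "max_api_key_expiry": "P90D",
    "scim_externalClient_expiry": "P180D",
    "max_keys_per_user": 5,
}
DURATION_FIELDS = ("max_api_key_expiry", "scim_externalClient_expiry")
DAYS_ONLY = re.compile(r"P(\d+)D")


def duration_days(value):
    """Convert the day-only duration form shown on this page (P365D) to an int.

    Any other form raises, so an unparsed value is never treated as compliant.
    """
    match = DAYS_ONLY.fullmatch(str(value))
    if not match:
        raise ValueError(f"unsupported duration format: {value!r}")
    return int(match.group(1))


def tightening_ops(current, baseline=BASELINE):
    """Return JSON Patch operations for settings that are looser than the baseline.

    Settings already at or below the baseline are left alone, so running this
    never lengthens an expiry or raises a key limit.
    """
    ops = []
    for field in DURATION_FIELDS:
        if duration_days(current[field]) > duration_days(baseline[field]):
            ops.append({"op": "replace", "path": f"/{field}", "value": baseline[field]})
    if current["max_keys_per_user"] > baseline["max_keys_per_user"]:
        ops.append({"op": "replace", "path": "/max_keys_per_user",
                    "value": baseline["max_keys_per_user"]})
    return ops


# The configuration response shown on this page, used as sample input.
SAMPLE_CONFIG = {
    "api_keys_enabled": True,
    "max_api_key_expiry": "P365D",
    "max_keys_per_user": 5,
    "scim_externalClient_expiry": "P365D",
}

if __name__ == "__main__":
    # Print the body to send with PATCH /api/v1/api-keys/configs/<TENANT_ID>.
    print(json.dumps(tightening_ops(SAMPLE_CONFIG), indent=2))
```

An empty list means the tenant already meets the baseline and no PATCH request is needed.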
Configure tabular reporting
Create dynamic tabular reports by combining the Qlik add-in for Microsoft Excel with report preparation features available within a Qlik Sense app. Deliver report output by email and to folders defined in Microsoft SharePoint connections.
To turn off tabular reporting for all users, set the value of /enable-reporting-template-subscription to false:
curl --location --request PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
{
\"op\": \"replace\",
\"path\": \"/enable-reporting-template-subscription\",
\"value\": false
}
]"
The response from this request is an HTTP 204 updated status code. There are no additional details provided in the response.
Learn more about:
- The tabular reporting capability.
- The sharing tasks API.
Configure usage metrics in the hub
Usage metrics are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the usage metrics visible in the hub.
No code option: Using Qlik Application Automation, you can use the Get Item Settings and Update Item Settings blocks from the Qlik Platform Operations connector to do this without code.
To turn off usage metrics, set the value of /usageMetricsEnabled to false:
curl -L -X PATCH "https://<TENANT>/api/v1/items/settings" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "[{\"op\": \"replace\", \"path\": \"/usageMetricsEnabled\", \"value\": false }]"
If successful, the result of the request is returned with an HTTP 200 code.
{
"usageMetricsEnabled": false
}
This indicates that usage metrics are no longer available or visible to users.
For more information on this endpoint, review the API specification for items/settings.