Configure tenant settings

In this topic, you will learn about how to programmatically control access to features and capability settings found on the Settings pane in a Qlik Cloud tenant’s management console.

When using the management console of a tenant as a user with the Tenant Admin role, you will see various settings that help you control which features your users have access to. The configuration method varies by service, both in terms of the API calls required, and the level at which it can be configured. Some services support user or space-level access, while others are available only at the tenant level.

SettingSetting descriptionSetting scopeAPI supportGuide
API keysAllow users to create and manage their API keys, if they have the “Developer” roleTenantYesAPI keys
Application AutomationAllow users to access application automationUsers & GroupsYesApplication Automation
Automatic entitlement assignmentEnable automatic license assignment if using Professional and Analyzer licensesTenantYesAutomatic entitlement assignment
Chart sharing via emailAllow users to share charts via emailTenantYesChart sharing via email
Data alertsAllow users to create and manage data alertsTenantYesData alerts
Dynamic viewsEnable dynamic views for Qlik Sense appsTenantNo
Email serverConfigure an SMTP server to send tenant notifications, share content, tabular reporting, etcTenantYesEmail server
GroupsCreate groups if sent via group claims from your identity providerTenantYesGroups
ML endpointsAnalytics endpoints for machine learning endpointsTenantNo
Mobile offline usageAllow offline mobile usageTenantNo
NotesAllow users to create and manage notesTenantYesNotes
On-demand app generationEnable on-demand Qlik Sense appsTenantNo
SCIM auto provisioningSet the token expiration periodTenantYesSCIM auto provisioning
SubscriptionsAllow users to create and manage chart and sheet subscriptionsTenantYesSubscriptions
Tabular reportingAllow users to configure Excel reports in Qlik CloudTenantYesTabular reporting
Tenant alias hostnameSet the “friendly” tenant hostnameTenantYesTenant alias hostname
Tenant encryptionConfigure tenant key providersTenantYesTenant encryption
Tenant nameSet the name of your tenantTenantYesTenant name
Usage metricsDisplay usage information for content in the hubTenantYesUsage metrics

Prerequisites

  • You have a basic understanding of Qlik Cloud and the features available to users.
  • cURL for running the inline examples, or access to Qlik Application Automation and the Qlik Platform Operations connector.
  • Access to an API key or access token from an account assigned the Tenant Admin role, or an OAuth client for the Qlik Platform Operations connector.

Note: The cURL examples in this topic show the command syntax for Windows Command Prompt. If you are using another command line interface, different syntax may be required for line continuation. You may also need to adjust the number and type of quotes surrounding the parameters and their values.

Variable substitution

Throughout this topic, variables will be used to communicate value placement. The variable substitution format is <VARIABLE_NAME>. Here is a list of variables referred to in this tutorial.

VariableDescription
<TENANT>The URL for the tenant that you are configuring. Equivalent to tenanthostname.region.qlikcloud.com.
<ACCESS_TOKEN>A bearer token or API key for authorizing https requests to the <TENANT>.
<TENANT_ID>The tenant ID for the <TENANT>. Can be retrieved via https://<TENANT>/api/v1/tenants/me.

Configure API Keys

API keys can be used by developers to gain programmatic access to the Qlik platform, acting as their own user. APIs are bound to a user, and the user requires the Developer role to generate an API key.

No code option: Using Qlik Application Automation, you can use the Get API Key Settings and Update API Key Settings blocks from the Qlik Platform Operations connector to do this without code.

To update API key settings, retrieve the current settings:

curl --location "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json"

If successful, responds with 200 and the current configuration:

{
  "api_keys_enabled": true,
  "max_api_key_expiry": "P365D",
  "max_keys_per_user": 5,
  "scim_externalClient_expiry": "P365D"
}

To change these values, send one or multiple operations to update the configuration:

curl --location --request PATCH "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
    {
        \"op\": \"replace\",
        \"path\": \"/api_keys_enabled\",
        \"value\": true
    },
    {
        \"op\": \"replace\",
        \"path\": \"/max_keys_per_user\",
        \"value\": 10
    },
    {
        \"op\": \"replace\",
        \"path\": \"/max_api_key_expiry\",
        \"value\": \"P365D\"
    }
]"

If successful, responds with a 204 and an empty response.

Learn more about:

Configure Application Automation

Qlik Application Automation is available by default to all users with the appropriate user entitlement in the tenant.

As automations exist only in personal spaces, you can determine who can create, update, and delete their automations by adding or removing the Automation Creator role from the Everyone group.

If you are not familar with groups in Qlik Cloud, review the managing groups topic.

No code option: Using Qlik Application Automation, you can use the Add Role To Group By Name and Remove Role From Group By Name blocks from the Qlik Platform Operations connector to do this without code. Use group name com.qlik.Everyone and role name AutomationCreator.

To remove this role from the Everyone group, thereby removing the ability for users to use automations, you must first retrieve the list of roles assigned to the Everyone group. The Everyone group always has the ID of 000000000000000000000001.

curl -L "https://<TENANT>/api/v1/groups/000000000000000000000001" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json"

This will return the group definition for the Everyone group:

{
    "id": "000000000000000000000001",
    "tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
    ...
    "name": "com.qlik.Everyone",
    ...
    "assignedRoles": [
        {
            "id": "6467dcd960754c03a3ed402c",
            "name": "AutomationCreator",
            "type": "default",
            "level": "user"
        },
        {
            "id": "63580b8d5cf9728f19217be0",
            "name": "PrivateAnalyticsContentCreator",
            "type": "default",
            "level": "user"
        },
        {
            "id": "605a1c2151382ffc836af862",
            "name": "SharedSpaceCreator",
            "type": "default",
            "level": "user"
        }
    ],
    ...
}

This response indicates that there are three roles assigned to the Everyone group; AutomationCreator, PrivateAnalyticsContentCreator and SharedSpaceCreator. Your next request will patch this group, requesting that the roles are replaced with just PrivateAnalyticsContentCreator and SharedSpaceCreator.

curl -L -X PATCH "https://<TENANT>/api/v1/groups/000000000000000000000001" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "[{\"op\": \"replace\", \"path\": \"/assignedRoles\", \"value\": [{\"name\": \"PrivateAnalyticsContentCreator\"}, {\"name\": \"SharedSpaceCreator\"}]}]"

If successful, an empty response with an http 204 code is returned.

For more information on this endpoint, review the API specification for groups. If you then wish to add this capability back to a subset of your users, you can opt to assign this role on a user-by-user or group-by-group basis with a patch call to the users or groups APIs.

Configure automatic entitlement assignment

If you are a customer leveraging Qlik’s user entitlement model, users will be assigned a named Professional or Analyzer entitlement, or consume Analyzer Capacity as they use the platform. For more information on this model, review assigning user entitlements.

No code option: Using Qlik Application Automation, you can use the Get Tenant Auto License Assign Settings and Update Tenant Auto License Assign Settings blocks from the Qlik Platform Operations connector to do this without code.

To turn off the automatic assignment of named entitlements to new users as they are created, or as they access content in the tenant, change the values of autoAssignProfessional and autoAssignAnalyzer to false in this API call:

curl -L "https://<TENANT>/api/v1/licenses/settings" ^
-X PUT ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "{\"autoAssignProfessional\":false,\"autoAssignAnalyzer\":false}"

If successful, the result of the request is returned with an http 200 code.

{
  "autoAssignProfessional": false,
  "autoAssignAnalyzer": false
}

For more information on this endpoint, review the API specification for licenses/settings.

Learn more about:

Configure automatic group creation

Security in Qlik Cloud can be applied to both users and groups. Using groups to secure access to content and resources simplifies access management by allowing an identity provider outside of Qlik to manage user access to Qlik resources using group membership. As group membership changes, Qlik automatically picks up the changes and ensures that users can only access content and resources according to their group memberships.

No code option: Using Qlik Application Automation, you can use the Get Auto Create Group Settings and Update Auto Create Group Settings blocks from the Qlik Platform Operations connector to do this without code.

To enable group management on a tenant, access the /groups/settings endpoint and set the autoCreateGroups property to true to permit group creation on user login, and the syncIdpGroups property to true if you are using a compatible interactive Identity Provider and wish groups to be synchronized:

curl -L "https://<TENANT>/api/v1/groups/settings" ^
-X PATCH ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "[{\"op\": \"replace\", \"path\": \"/autoCreateGroups\", \"value\": true},{\"op\": \"replace\", \"path\": \"/syncIdpGroups\", \"value\": true}]"

The response from this request is an http 204 updated status code. There are no additional details provided in the response.

Learn more about:

Configure chart & object subscriptions

Subscription reports let you schedule recurring emails containing your preferred sheets or chart. You can set your desired filters and have a report with the newest data delivered to your inbox at a scheduled time. For example, you could receive overnight order information in an email every morning.

To turn off chart & object subscriptions for all users, set the value of /enable-report-subscription to false:

curl --location --request PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
    {
        \"op\": \"replace\",
        \"path\": \"/enable-report-subscription\",
        \"value\": false
    }
]"

The response from this request is an http 204 updated status code. There are no additional details provided in the response.

Learn more about:

Configure chart sharing by email

Chart sharing by email is offered via the right-click context menu while navigating Qlik Sense apps. Clicking Share, then Image will prompt for an email address to which you can send an image of the selected chart.

To turn off chart sharing for all users, set the value of /enable-sharing to false:

curl --location --request PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
    {
        \"op\": \"replace\",
        \"path\": \"/enable-sharing\",
        \"value\": false
    }
]"

The response from this request is an http 204 updated status code. There are no additional details provided in the response.

Learn more about:

Configure Data Alerts

Data alerts are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the feature context menus in Qlik Sense.

No code option: Using Qlik Application Automation, you can use the Get Data Alert Settings and Update Data Alert Settings blocks from the Qlik Platform Operations connector to do this without code.

To turn off data alerts, set the value of enable-data-alerting to false:

curl -L -X PUT "https://<TENANT>/api/v1/data-alerts/settings" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "{\"enable-data-alerting\": false }"

If successful, an empty response with a http 204 code is returned.

Learn more about:

Configure Notes

Notes are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the feature context menus in Qlik Sense.

No code option: Using Qlik Application Automation, you can use the Get Notes Settings and Trigger Enable Notes Settings blocks from the Qlik Platform Operations connector to do this without code.

To turn off notes, set the value of toggledOn to false:

curl -L "https://<TENANT>/api/v1/notes/settings" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-d "{ \"toggledOn\": false }"

If successful, the result of the request is returned with an http 200 code.

{
  "available": false,
  "reason": "toggle",
  "lastFetch": "2023-07-21T16:26:30.158Z",
  "toggledOn": false
}

This indicates that notes is no longer available to users.

For more information on this endpoint, review the API specification for notes/settings.

Configure SCIM auto provisioning

SCIM (System for Cross-Identity Management) is an open standard for automating the exchange of user identity information between identity providers and enterprise applications. It aims to simplify user management by providing a common API for creating, updating, and deleting user accounts across different systems.

To update SCIM auto provisioning expiry settings, retrieve the current settings:

curl --location "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json"

If successful, returns the current configuration with a 200 status code:

{
  "api_keys_enabled": true,
  "max_api_key_expiry": "P365D",
  "max_keys_per_user": 5,
  "scim_externalClient_expiry": "P365D"
}

To change these values, send one or multiple operations to update the configuration:

curl --location --request PATCH "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
    {
        \"op\": \"replace\",
        \"path\": \"/scim_externalClient_expiry\",
        \"value\": P365D
    }
]"

If successful, returns an empty response with a 204 status code.

Learn more about:

Configure tabular reporting

Create dynamic tabular reports by combining the Qlik add-in for Microsoft Excel with report preparation features available within a Qlik Sense app. Deliver report output by email and to folders defined in Microsoft SharePoint connections.

To turn off tabular reporting for all users, set the value of /enable-reporting-template-subscription to false:

curl --location --request PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^
--header "Authorization: Bearer <ACCESS_TOKEN>" ^
--header "Content-type: application/json" ^
--header "Accept: application/json" ^
--data "[
    {
        \"op\": \"replace\",
        \"path\": \"/enable-reporting-template-subscription\",
        \"value\": false
    }
]"

The response from this request is an http 204 updated status code. There are no additional details provided in the response.

Learn more about:

Configure usage metrics in the hub

Usage metrics are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the usage metrics visible in the hub.

No code option: Using Qlik Application Automation, you can use the Get Item Settings and Update Item Settings blocks from the Qlik Platform Operations connector to do this without code.

To turn off usage metrics, set the value of /usageMetricsEnabled to false:

curl -L -X PATCH "https://<TENANT>/api/v1/items/settings" ^
-H "Authorization: Bearer <ACCESS_TOKEN>" ^
-H "Content-type: application/json" ^
-H "Accept: application/json" ^
-d "[{\"op\": \"replace\", \"path\": \"/usageMetricsEnabled\", \"value\": false }]"

If successful, the result of the request is returned with an http 200 code.

{
  "usageMetricsEnabled": false
}

This indicates that usage metrics are no longer available or visible to users.

For more information on this endpoint, review the API specification for items/settings.

Was this page helpful?