Configure tenant settings
In this topic, you will learn about how to programmatically control access to features and capability settings found on the Settings pane in a Qlik Cloud tenant’s management console.
When using the management console of a tenant as a user with the Tenant Admin role, you will see various settings that help you control which features your users have access to. The configuration method varies by service, both in terms of the API calls required, and the level at which it can be configured. Some services support user or space-level access, while others are available only at the tenant level.
| Setting | Setting description | Setting scope | API support | Guide |
|---|---|---|---|---|
| API keys | Allow users to create and manage their API keys, if they have the “Developer” role | Tenant | Yes | API keys |
| Application Automation | Allow users to access application automation | Users & Groups | Yes | Application Automation |
| Automatic entitlement assignment | Enable automatic license assignment if using Professional and Analyzer licenses | Tenant | Yes | Automatic entitlement assignment |
| AutoML | Allow users to configure ML deployments and experiments | Users & Groups | Yes | AutoML |
| Chart sharing via email | Allow users to share charts via email | Tenant | Yes | Chart sharing via email |
| Data alerts | Allow users to create and manage data alerts | Tenant | Yes | Data alerts |
| Dynamic views | Enable dynamic views for Qlik Sense apps | Tenant | No | |
| Email server | Configure an SMTP server to send tenant notifications, share content, tabular reporting, etc | Tenant | Yes | Email server |
| Groups | Create groups if sent via group claims from your identity provider | Tenant | Yes | Groups |
| ML endpoints | Analytics endpoints for machine learning endpoints | Tenant | No | |
| Mobile offline usage | Allow offline mobile usage | Tenant | No | |
| Notes | Allow users to create and manage notes | Tenant | Yes | Notes |
| On-demand app generation | Enable on-demand Qlik Sense apps | Tenant | No | |
| SCIM auto provisioning | Set the token expiration period | Tenant | Yes | SCIM auto provisioning |
| Subscriptions | Allow users to create and manage chart and sheet subscriptions | Tenant | Yes | Subscriptions |
| Tabular reporting | Allow users to configure Excel reports in Qlik Cloud | Tenant | Yes | Tabular reporting |
| Tenant alias hostname | Set the “friendly” tenant hostname | Tenant | Yes | Tenant alias hostname |
| Tenant encryption | Configure tenant key providers | Tenant | Yes | Tenant encryption |
| Tenant name | Set the name of your tenant | Tenant | Yes | Tenant name |
| Usage metrics | Display usage information for content in the hub | Tenant | Yes | Usage metrics |
Prerequisites
- You have a basic understanding of Qlik Cloud and the features available to users.
- cURL for running the inline examples, or access to Qlik Application Automation and the Qlik Platform Operations connector.
- Access to an API key or access token from an account assigned the Tenant Admin role, or an OAuth client for the Qlik Platform Operations connector.
Note: The cURL examples in this topic show the command syntax for Windows Command Prompt. If you are using another command line interface, different syntax may be required for line continuation. You may also need to adjust the number and type of quotes surrounding the parameters and their values.
Variable substitution
Throughout this topic, variables will be used to communicate value placement.
The variable substitution format is <VARIABLE_NAME>. Here is a list of
variables referred to in this tutorial.
| Variable | Description |
|---|---|
<TENANT> | The URL for the tenant that you are configuring. Equivalent to tenanthostname.region.qlikcloud.com. |
<ACCESS_TOKEN> | A bearer token or API key for authorizing https requests to the <TENANT>. |
<TENANT_ID> | The tenant ID for the <TENANT>. Can be retrieved via https://<TENANT>/api/v1/tenants/me. |
Configure API Keys
API keys can be used by developers to gain programmatic access to the Qlik platform, acting as their own user. APIs are bound to a user, and the user requires the Developer role to generate an API key.
No code option: Using Qlik Application Automation, you can use the
Get API Key SettingsandUpdate API Key Settingsblocks from the Qlik Platform Operations connector to do this without code.
To update API key settings, retrieve the current settings:
curl -L "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json"If successful, responds with 200 and the current configuration:
{ "api_keys_enabled": true, "max_api_key_expiry": "P365D", "max_keys_per_user": 5, "scim_externalClient_expiry": "P365D"}To change these values, send one or multiple operations to update the configuration:
curl -L -X PATCH "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[ { \"op\": \"replace\", \"path\": \"/api_keys_enabled\", \"value\": true }, { \"op\": \"replace\", \"path\": \"/max_keys_per_user\", \"value\": 10 }, { \"op\": \"replace\", \"path\": \"/max_api_key_expiry\", \"value\": \"P365D\" }]"If successful, responds with a 204 and an empty response.
Learn more about:
Configure Application Automation
Qlik Application Automation is available by default to all users with the appropriate user entitlement in the tenant.
As automations exist only in personal spaces, you can determine who can create,
update, and delete their automations by adding or removing the Automation Creator
role from the Everyone group.
If you are not familiar with groups in Qlik Cloud, review the managing groups topic.
No code option: Using Qlik Application Automation, you can use the
Add Role To Group By NameandRemove Role From Group By Nameblocks from the Qlik Platform Operations connector to do this without code. Use group namecom.qlik.Everyoneand role nameAutomationCreator.
To remove this role from the Everyone group, thereby removing the ability for
users to use automations, you must first retrieve the list of roles assigned to
the Everyone group. The Everyone group always has the
ID of 000000000000000000000001.
curl -L "https://<TENANT>/api/v1/groups/000000000000000000000001" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json"This will return the group definition for the Everyone group:
{ "id": "000000000000000000000001", "tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo", ... "name": "com.qlik.Everyone", ... "assignedRoles": [ { "id": "6467dcd960754c03a3ed402c", "name": "AutomationCreator", "type": "default", "level": "user" }, { "id": "63580b8d5cf9728f19217be0", "name": "PrivateAnalyticsContentCreator", "type": "default", "level": "user" }, { "id": "605a1c2151382ffc836af862", "name": "SharedSpaceCreator", "type": "default", "level": "user" } ], ...}This response indicates that there are three roles assigned to the Everyone
group; AutomationCreator, PrivateAnalyticsContentCreator and SharedSpaceCreator.
Your next request will patch this group, requesting that the roles are replaced
with just PrivateAnalyticsContentCreator and SharedSpaceCreator.
curl -L -X PATCH "https://<TENANT>/api/v1/groups/000000000000000000000001" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[{\"op\": \"replace\", \"path\": \"/assignedRoles\", \"value\": [{\"name\": \"PrivateAnalyticsContentCreator\"}, {\"name\": \"SharedSpaceCreator\"}]}]"If successful, an empty response with an HTTP 204 code is returned.
For more information on this endpoint, review the API specification for groups. If you then wish to add this capability back to a subset of your users, you can opt to assign this role on a user-by-user or group-by-group basis with a patch call to the users or groups APIs.
Configure automatic entitlement assignment
If you are a customer leveraging Qlik’s user entitlement model, users will be assigned a named Professional or Analyzer entitlement, or consume Analyzer Capacity as they use the platform. For more information on this model, review assigning user entitlements.
No code option: Using Qlik Application Automation, you can use the
Get Tenant Auto License Assign SettingsandUpdate Tenant Auto License Assign Settingsblocks from the Qlik Platform Operations connector to do this without code.
To turn off the automatic assignment of named entitlements to new
users as they are created, or as they access content in the tenant, change the
values of autoAssignProfessional and autoAssignAnalyzer to false in this API call:
curl -L -X PUT "https://<TENANT>/api/v1/licenses/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "{\"autoAssignProfessional\":false,\"autoAssignAnalyzer\":false}"If successful, the result of the request is returned with an HTTP 200 code.
{ "autoAssignProfessional": false, "autoAssignAnalyzer": false}For more information on this endpoint, review the API specification for licenses/settings.
Learn more about:
- The way user assignments works in Qlik Cloud for user-based subscriptions.
- The licenses API.
Configure automatic group creation
Security in Qlik Cloud can be applied to both users and groups. Using groups to secure access to content and resources simplifies access management by allowing an identity provider outside of Qlik to manage user access to Qlik resources using group membership. As group membership changes, Qlik automatically picks up the changes and ensures that users can only access content and resources according to their group memberships.
No code option: Using Qlik Application Automation, you can use the
Get Auto Create Group SettingsandUpdate Auto Create Group Settingsblocks from the Qlik Platform Operations connector to do this without code.
To enable group management on a tenant, access
the /groups/settings
endpoint and set the autoCreateGroups property to
true to permit group creation on user login, and the syncIdpGroups property
to true if you are using a compatible interactive Identity Provider and wish
groups to be synchronized:
curl -L -X PATCH "https://<TENANT>/api/v1/groups/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[{\"op\": \"replace\", \"path\": \"/autoCreateGroups\", \"value\": true},{\"op\": \"replace\", \"path\": \"/syncIdpGroups\", \"value\": true}]"The response from this request is an HTTP 204 updated status code. There are no
additional details provided in the response.
Learn more about:
- The groups API.
Configure AutoML
Qlik AutoML is available by default to all users with the appropriate user entitlement in the tenant.
You can determine who can create,
update, run, and delete ML experiments and deployments by adding or removing
the relevant roles from the Everyone group. To learn more about
the controls for managing access to AutoML, review the help topic
on Who can work with Qlik AutoML.
If you are not familiar with groups in Qlik Cloud, review the managing groups topic.
No code option: With Qlik Application Automation, you can manage roles without writing any code. Use the
Add Role To Group By NameandRemove Role From Group By Nameblocks from the Qlik Platform Operations connector. Specify group name ascom.qlik.Everyoneand role names asAutomlDeploymentContributorandAutomlExperimentContributor.
To remove these roles from the Everyone group, thereby removing the ability for
users to use AutoML, you must first retrieve the list of roles assigned to
the Everyone group. The Everyone group always has
ID 000000000000000000000001.
curl -L "https://<TENANT>/api/v1/groups/000000000000000000000001" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json"This will return the group definition for the Everyone group:
{ "id": "000000000000000000000001", "tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo", ... "name": "com.qlik.Everyone", ... "assignedRoles": [ { "id": "6467dcd960754c03a3ed402c", "name": "AutomlDeploymentContributor", "type": "default", "level": "user" }, { "id": "63580b8d5cf9728f19217be0", "name": "AutomlExperimentContributor", "type": "default", "level": "user" }, { "id": "605a1c2151382ffc836af862", "name": "SharedSpaceCreator", "type": "default", "level": "user" } ], ...}The response in this example indicates that there are three roles assigned to the Everyone
group: AutomlDeploymentContributor, AutomlExperimentContributor, and SharedSpaceCreator.
Your next request will patch this group, requesting that the roles are replaced
with only SharedSpaceCreator.
curl -L -X PATCH "https://<TENANT>/api/v1/groups/000000000000000000000001" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[{\"op\": \"replace\", \"path\": \"/assignedRoles\", \"value\": [{\"name\": \"SharedSpaceCreator\"}]}]"If successful, an empty response with an HTTP 204 code is returned.
For more information on this endpoint, review the API specification for groups.
To re-enable this capability for specific users or groups, you can assign this role individually with a patch call to the respective users or groups APIs.
Configure chart & object subscriptions
Subscription reports let you schedule recurring emails containing your preferred sheets or chart. You can set your desired filters and have a report with the newest data delivered to your inbox at a scheduled time. For example, you could receive overnight order information in an email every morning.
To turn off chart & object subscriptions for all users, set the value
of /enable-report-subscription to false:
curl -L -X PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[ { \"op\": \"replace\", \"path\": \"/enable-report-subscription\", \"value\": false }]"The response from this request is an HTTP 204 updated status code. There are no
additional details provided in the response.
Learn more about:
- The chart & object subscriptions capability.
- The sharing tasks API.
Configure chart sharing by email
Chart sharing by email is offered via the right-click context menu while navigating
Qlik Sense apps. Clicking Share, then Image will prompt for an email address
to which you can send an image of the selected chart.
To turn off chart sharing for all users, set the value of /enable-sharing to false:
curl -L -X PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[ { \"op\": \"replace\", \"path\": \"/enable-sharing\", \"value\": false }]"The response from this request is an HTTP 204 updated status code. There are no
additional details provided in the response.
Learn more about:
- The sharing visualizations by email capability.
- The sharing tasks API.
Configure Data Alerts
Data alerts are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the feature context menus in Qlik Sense.
No code option: Using Qlik Application Automation, you can use the
Get Data Alert SettingsandUpdate Data Alert Settingsblocks from the Qlik Platform Operations connector to do this without code.
To turn off data alerts, set the value of enable-data-alerting to false:
curl -L -X PUT "https://<TENANT>/api/v1/data-alerts/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "{\"enable-data-alerting\": false }"If successful, an empty response with an HTTP 204 code is returned.
Learn more about:
- The data alerts capability.
- The data alerts API.
Configure Notes
Notes are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the feature context menus in Qlik Sense.
No code option: Using Qlik Application Automation, you can use the
Get Notes SettingsandTrigger Enable Notes Settingsblocks from the Qlik Platform Operations connector to do this without code.
To turn off notes, set the value of toggledOn to false:
curl -L "https://<TENANT>/api/v1/notes/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-d "{ \"toggledOn\": false }"If successful, the result of the request is returned with an HTTP 200 code.
{ "available": false, "reason": "toggle", "lastFetch": "2023-07-21T16:26:30.158Z", "toggledOn": false}This indicates that notes is no longer available to users.
For more information on this endpoint, review the API specification for notes/settings.
Configure SCIM auto provisioning
SCIM (System for Cross-Identity Management) is an open standard for automating the exchange of user identity information between identity providers and enterprise applications. It aims to simplify user management by providing a common API for creating, updating, and deleting user accounts across different systems.
To update SCIM auto provisioning expiry settings, retrieve the current settings:
curl -L "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json"If successful, returns the current configuration with a 200 status code:
{ "api_keys_enabled": true, "max_api_key_expiry": "P365D", "max_keys_per_user": 5, "scim_externalClient_expiry": "P365D"}To change these values, send one or multiple operations to update the configuration:
curl -L -X PATCH "https://<TENANT>/api/v1/api-keys/configs/<TENANT_ID>" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[ { \"op\": \"replace\", \"path\": \"/scim_externalClient_expiry\", \"value\": P365D }]"If successful, returns an empty response with a 204 status code.
Learn more about:
- The SCIM provisioning capability.
- The API keys API.
Configure tabular reporting
Create dynamic tabular reports by combining the Qlik add-in for Microsoft Excel with report preparation features available within a Qlik Sense app. Deliver report output by email and to folders defined in Microsoft SharePoint connections.
To turn off tabular reporting for all users, set the value
of /enable-reporting-template-subscription to false:
curl -L -X PATCH "https://<TENANT>/api/v1/sharing-tasks/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[ { \"op\": \"replace\", \"path\": \"/enable-reporting-template-subscription\", \"value\": false }]"The response from this request is an HTTP 204 updated status code. There are no
additional details provided in the response.
Learn more about:
- The tabular reporting capability.
- The sharing tasks API.
Configure usage metrics in the hub
Usage metrics are enabled by default in new tenants, and can be configured at a tenant-wide level. This setting affects all users in a tenant, and will hide the usage metrics visible in the hub.
No code option: Using Qlik Application Automation, you can use the
Get Item SettingsandUpdate Item Settingsblocks from the Qlik Platform Operations connector to do this without code.
To turn off usage metrics, set the value of /usageMetricsEnabled to false:
curl -L -X PATCH "https://<TENANT>/api/v1/items/settings" ^-H "Authorization: Bearer <ACCESS_TOKEN>" ^-H "Content-Type: application/json" ^-H "Accept: application/json" ^-d "[{\"op\": \"replace\", \"path\": \"/usageMetricsEnabled\", \"value\": false }]"If successful, the result of the request is returned with an HTTP 200 code.
{ "usageMetricsEnabled": false}This indicates that usage metrics are no longer available or visible to users.
For more information on this endpoint, review the API specification for items/settings.