Add an interactive user to a tenant

When you create tenants programmatically, the tenant is provisioned free from any user accounts. It can therefore be helpful to add an interactive login to the tenant to validate the configuration, or to provide administrator access in case of any support questions from end users (depending on your use case).

In this tutorial, you are going to copy an interactive user from an existing source tenant to a tenant you've created programmatically.

Prerequisites

  • You have access to a source and a target tenant, and meet other prerequisites listed in the Create a tenant tutorial.
  • You have confirmed that you do not plan to add your own OIDC-compliant identity provider to the target tenant. This tutorial uses Qlik Account, and adding a new OIDC identity provider turns off Qlik Account on the tenant.

By default, Qlik Cloud tenants take advantage of Qlik Account. Qlik Account is a central authentication mechanism to access properties within the qlik.com and qlikcloud.com domains. The email address for which you received the welcome email to create a tenant is a member of the Qlik Account identity provider.

If you choose to change from using Qlik Account to an OIDC compliant identity access management solution, you cannot add a user to the tenant without first knowing the email address and subject of the user from the identity provider.

Note: If the tenant is using an identity provider different from Qlik Account, please consult the identity provider's documentation for information on how to acquire the email address and subject. You may also need to configure the new identity provider on the target tenant, which isn't covered in this guide.

For this guide you will be looking up the subject from a tenant created via My Qlik during the Create a tenant tutorial, referred to as the source tenant. You will then add this user information to the target tenant.

Variable substitution

Throughout this tutorial, variables will be used to communicate value placement. The variable substitution format is <VARIABLE_NAME>. Here is a list of variables referred to in this tutorial.

| Variable | Description |
| --- | --- |
| <SOURCE_TENANT> | The domain for the initial tenant created during account onboarding. Equivalent to tenanthostname.<REGION>.qlikcloud.com. |
| <TARGET_TENANT> | The domain for the new tenant that this tutorial will create. Equivalent to tenanthostname.<REGION>.qlikcloud.com. |
| <REGION> | The region identifier for the Qlik Cloud region that you're sending requests to. Examples include ap for Australia, eu for Ireland, sg for Singapore and us for North America. |
| <SOURCE_ACCESS_TOKEN> | A bearer token for authorizing https requests to the <SOURCE_TENANT>. Refer to the Create a tenant tutorial for guidance on generating this token. |
| <TARGET_ACCESS_TOKEN> | A bearer token for authorizing https requests to the <TARGET_TENANT>. Refer to the Create a tenant tutorial for guidance on generating this token. |
| <EMAIL_ADDRESS> | The email address of the user that you are adding to the target tenant. |
| <IDP_SUBJECT> | A unique identifier for the user from the target tenant's identity provider. |
| <USER_NAME> | The friendly name associated with the email address and subject combination. |
| <TENANT_ADMIN_ROLE_ID> | The id of the TenantAdmin role on the target tenant. |

1 Obtain the user subject by email on the source tenant

Use the <SOURCE_ACCESS_TOKEN> to request the user information for the user you want to add to the target tenant.

curl -G 'https://<SOURCE_TENANT>/api/v1/users' \
-H 'Authorization: Bearer <SOURCE_ACCESS_TOKEN>' \
--data-urlencode 'filter=email eq "<EMAIL_ADDRESS>"'

The source tenant responds with JSON including the <IDP_SUBJECT> of the user. Record the <IDP_SUBJECT> for use when you add the user on the target tenant.

{
   "id":"62daccb20452a739b722e042",
   "tenantId":"7WZ_qyWDvlS8AvNkye9y20dn-miC0URe",
   "status":"active",
   "subject":"<IDP_SUBJECT>",
   "name":"<USER_NAME>",
   "email":"<EMAIL_ADDRESS>",
   "locale":"en_US",
   "zoneinfo":"America/Los_Angeles",
   "roles":[...],
   "groups":[...],
   "links":{...}
}

2 Obtain the TenantAdmin role on the target tenant

Find the id for the TenantAdmin role on the target tenant.

curl -G "https://<TARGET_TENANT>/api/v1/roles" \
-H "Authorization: Bearer <TARGET_ACCESS_TOKEN>" \
--data-urlencode "filter=name eq 'TenantAdmin'"

The JSON object response returns the metadata for the TenantAdmin role.

{
   "data":[
      {
         "id":"<TENANT_ADMIN_ROLE_ID>",
         "tenantId":"",
         "name":"TenantAdmin",
         "description":"",
         "type":"default",
         "level":"admin",
         "permissions":[...],
         "createdAt":"2021-04-21T16:04:08.399Z",
         "lastUpdatedAt":"2022-03-30T15:23:36.748Z",
         "links":{...}
      }
   ],
   "links":{...}
}

Record the id for the TenantAdmin role as <TENANT_ADMIN_ROLE_ID> for use when you add the user to the target tenant.

3 Add the user to the target tenant as a TenantAdmin

Use the <IDP_SUBJECT>, <EMAIL_ADDRESS>, and <USER_NAME> from the source tenant alongside the <TENANT_ADMIN_ROLE_ID> from the target tenant to add the user to the target tenant.

The JSON body for the request has the following format:

{
  "name": "<USER_NAME>",
  "subject": "<IDP_SUBJECT>",
  "email": "<EMAIL_ADDRESS>",
  "assignedRoles": [{"id": "<TENANT_ADMIN_ROLE_ID>"}]
}

and the cURL request:

curl "https://<TARGET_TENANT>/api/v1/users" \
-X POST \
-H "Authorization: Bearer <TARGET_ACCESS_TOKEN>" \
-H "Content-Type: application/json" \
-d '{"name": "<USER_NAME>", "subject": "<IDP_SUBJECT>", "email": "<EMAIL_ADDRESS>", "assignedRoles": [{"id": "<TENANT_ADMIN_ROLE_ID>"}]}'
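
Steps 1 to 3 chained into one script, as an added example that is not Qlik's own code. Because step 3 grants TenantAdmin, it refuses to build the request unless exactly one user and exactly one role matched. The function names and the environment variable names (taken from the tutorial's placeholders) are assumptions, as is the handling of both reply shapes.

```python
import json
import os
import urllib.parse
import urllib.request


def call(tenant, token, path, query=None, body=None):
    """GET, or POST when body is given, https://<tenant>/api/v1/<path>."""
    url = f"https://{tenant}/api/v1/{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def single_match(response, field, expected, fold=False):
    """Return the one record whose field equals expected, else raise."""
    # Assumption: a reply is a bare record (as the page shows for /users)
    # or a {"data": [...]} list (as the page shows for /roles).
    records = response["data"] if "data" in response else [response]
    norm = str.lower if fold else str
    hits = [r for r in records if norm(str(r.get(field, ""))) == norm(expected)]
    if len(hits) != 1:
        raise ValueError(f"expected one {field}={expected!r}, got {len(hits)}")
    return hits[0]


def build_admin_payload(user_response, role_response, email):
    """Build the step 3 body from the step 1 and step 2 replies."""
    user = single_match(user_response, "email", email, fold=True)
    role = single_match(role_response, "name", "TenantAdmin")
    if user.get("status") != "active" or not user.get("subject"):
        raise ValueError("source user is not active or has no subject")
    return {"name": user["name"], "subject": user["subject"],
            "email": user["email"], "assignedRoles": [{"id": role["id"]}]}


if __name__ == "__main__":
    # Tokens are read from the environment, not passed as arguments.
    env = os.environ
    email, src, dst = env["EMAIL_ADDRESS"], env["SOURCE_TENANT"], env["TARGET_TENANT"]
    user = call(src, env["SOURCE_ACCESS_TOKEN"], "users",
                {"filter": f'email eq "{email}"'})
    role = call(dst, env["TARGET_ACCESS_TOKEN"], "roles",
                {"filter": "name eq 'TenantAdmin'"})
    payload = build_admin_payload(user, role, email)
    print(call(dst, env["TARGET_ACCESS_TOKEN"], "users", body=payload))
```
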

4 Test authentication through a web browser

Once the user is added to the target tenant, navigate to the tenant using a web browser and authenticate to Qlik Cloud. Your browser will present the Qlik Cloud hub, and you will also be able to access the management console if needed.
