Configuring your end-customer tenant

Overview

In this tutorial, you will learn how to configure your tenant, with examples of configuration properties. Begin by configuring identity providers. By default, every Qlik tenant is configured to use Qlik tenant as its identity provider. An identity provider (IdP) manages identity information for users and provides authentication services.

The default IdP should be turned off when a tenant is created in the context of an OEM partner provisioning a tenant for their own customers. This can be done in one of the following ways:

  • Automatically when a tenant is created using a regional M2M OAuth client (in this case there's no user created alongside the tenant).
  • As an entitlement in the license.

You can use the JWT IdP to authorize your customers' end users when they access the destination tenant. However, your software will be responsible for authenticating all end users; that is, users will not be able to use a browser and directly access the tenant.

You can perform each step in this tutorial using either curl or qlik-cli. Examples for both command-line tools are provided.

Prerequisites

  • You must be a Tenant Admin and have the developer role assigned.
  • curl command-line tool for running curl examples.
  • qlik-cli command-line tool for running Qlik-cli examples.

You'll start by configuring a JWT identity provider (IdP). You'll use this IdP to configure which of your users will be authorized to access the apps in your destination tenant.

Refer to: https://qlik.dev/tutorials/implement-jwt-authorization for a detailed overview of JWT authorization.

You can also refer to: https://qlik.dev/tutorials/create-signed-tokens-for-jwt-authorization to learn how to create signed tokens for JWT Authorization.

Configure JWT IdP

curl:

curl --location --request POST 'https://user-test.ap.qlik-stage.com/api/v1/identity-providers' \
 --header 'Content-Type: application/json' \
 --header 'Authorization: Bearer <API-key>' \
 --data-raw '{
    "active": true,
    "interactive": false,
    "protocol": "jwtAuth",
    "provider": "external",
    "tenantIds": [
        "Tenant ID"
    ],
    "description": "JWTAuth IDP",
    "options": {
        "issuer": "Issuer",
        "staticKeys": [
            {
                "kid": "KeyID",
                "pem":"-- public certificate --"
            }
        ]
    }
}'

Response:

{
  "id": "",
  "tenantIds": ["tenantId"],
  "provider": "external",
  "protocol": "jwtAuth",
  "interactive": false,
  "active": true,
  "options": {
    "jwtLoginEnabled": true,
    "issuer": "Issuer",
    "staticKeys": [
      {
        "kid": "KeyID",
        "pem": "-- public certificate --"
      }
    ]
  },
  "created": "Date and time created",
  "lastUpdated": "Date and time",
  "description": "JWTAuth IDP",
  "clockToleranceSec": 5
}
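
A pre-flight check for the request body above, so that only public key material and a complete issuer/kid pair are sent to the tenant. This is an added example, not Qlik code; the function names, the accepted PEM labels and the rule set are assumptions for illustration.

```python
import re

# Assumption: "pem" should hold a certificate or public key only, as the
# "-- public certificate --" placeholder in the request suggests.
PUBLIC_LABELS = {"CERTIFICATE", "PUBLIC KEY", "RSA PUBLIC KEY"}
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def sample_payload(pem):
    """Constructed request body in the shape of the curl example above."""
    return {"active": True, "interactive": False, "protocol": "jwtAuth",
            "provider": "external", "tenantIds": ["Tenant ID"],
            "options": {"issuer": "Issuer",
                        "staticKeys": [{"kid": "KeyID", "pem": pem}]}}


def check_idp_payload(payload):
    """Return a list of problems found in a jwtAuth IdP request body."""
    problems = []
    if payload.get("protocol") != "jwtAuth":
        problems.append("protocol is not jwtAuth")
    if payload.get("interactive") is not False:
        problems.append("interactive is not false")
    options = payload.get("options", {})
    if not str(options.get("issuer", "")).strip():
        problems.append("issuer is empty")
    seen = set()
    for key in options.get("staticKeys", []):
        kid = str(key.get("kid", "")).strip()
        if not kid or kid in seen:
            problems.append(f"missing or duplicate kid {kid!r}")
        seen.add(kid)
        labels = PEM_BEGIN.findall(key.get("pem", ""))
        if not labels:
            problems.append(f"kid {kid!r}: pem has no PEM block")
        for label in labels:
            if "PRIVATE KEY" in label:
                problems.append(f"kid {kid!r}: pem contains a private key")
            elif label not in PUBLIC_LABELS:
                problems.append(f"kid {kid!r}: unexpected PEM block {label}")
    if not seen:
        problems.append("no staticKeys supplied")
    return problems


if __name__ == "__main__":
    # Constructed PEM text; only the BEGIN label is inspected.
    pem = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----"
    print(check_idp_payload(sample_payload(pem)) or "payload looks sane")
```

The check inspects PEM labels only; it does not parse the certificate or verify that the key matches the one your token signer uses.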

Create spaces in your target tenant

Create spaces in your target tenant where your apps will be accessible to end users. Spaces are restricted to members and members can only open apps in a space if they have been granted permission. Members can be individual users or a group. To learn more about spaces, see Working in spaces.

Create a development space

The development space is a shared space in the tenant where you can develop apps collaboratively and share them with other users in the space. You can use this space to test things out before making any app changes available to your customers.

Here's a curl example that shows how to create a development space using the Spaces API with the POST method. The name and type of space are passed as data with the command.

NOTE The curl examples in this tutorial are intended for use with the Windows command prompt. If you are using another command line interface, the syntax may require adjustment such as the number and type of quotes surrounding the parameters and their values.

curl:

curl -X POST --url https://your-tenant.us.qlikcloud.com/api/v1/spaces ^
--header "Content-Type: application/json" ^
--header "Authorization: Bearer <your_access_token>" ^
-d "{\"name\": \"my_space\", \"description\": \"none\", \"type\": \"shared\" }"

The response should look something like this:

{"id":"626a8cd6d3b832803c217a06","type":"shared","ownerId":"x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88","tenantId":"xqFQ0k66vSR8f9G7J-vZtHZQkiYrCpct","name":"my_space","description":"none","meta":{"actions":["create","delete","read","update"],"roles":[],"assignableRoles":["consumer","dataconsumer","facilitator","producer"]},"links":{"self":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626a8cd6d3b832803c217a06"},"assignments":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626a8cd6d3b832803c217a06/assignments"}},"createdAt":"2022-04-28T12:47:18.227Z","createdBy":"x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88","updatedAt":"2022-04-28T12:47:18.227Z"}

To create a development space using qlik-cli, pass the name and type of space with the command using the name and type flags. Here's an example:

qlik-cli:

qlik space create --name my_space --type shared

The response should look something like this:

{
  "createdAt": "2022-04-25T13:57:17.359Z",
  "createdBy": "kqJvzqkdKhBfWc6aoSe_vQmHkcvipDkV",
  "description": "",
  "id": "6266a8bd8edf1fa6865c7193",
  "meta": {
    "actions": [
      "create",
      "delete",
      "read",
      "update"
    ],
    "assignableRoles": [
      "consumer",
      "dataconsumer",
      "facilitator",
      "producer"
    ],
    "roles": []
  },
  "name": "my_space",
  "ownerId": "kqJvzqkdKhBfWc6aoSe_vQmHkcvipDkV",
  "tenantId": "oZcMPa_1PwH4FUhgaMdrh6839YHHdEJN",
  "type": "shared",
  "updatedAt": "2022-04-25T13:57:17.359Z"
}

Create a production space

The production space is a managed space that provides governed access to apps with strict access control for both the app and app data. This is the space where you'll publish the sample app that is residing in your development space. In a managed space, only the space owner and target app consumers can open the apps. No other users can open the apps unless they have been given permission. The commands to create a production space are similar to creating the development space.

Here's a curl example that shows how to create a production space using the Spaces API with the POST method. The name and type of space are passed as data with the command.

curl:

curl -X POST --url https://your-tenant.us.qlikcloud.com/api/v1/spaces ^
--header "Content-Type: application/json" ^
--header "Authorization: Bearer <your API-key>" ^
-d "{\"name\": \"my_space\", \"description\": \"none\", \"type\": \"managed\" }"

The response should look something like this:

{"id":"626aaa693f27ff8a776c580d","type":"managed","ownerId":"x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88","tenantId":"xqFQ0k66vSR8f9G7J-vZtHZQkiYrCpct","name":"my_space","description":"none","meta":{"actions":["create","delete","publish","read","update"],"roles":[],"assignableRoles":["consumer","contributor","dataconsumer","facilitator","publisher"]},"links":{"self":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626aaa693f27ff8a776c580d"},"assignments":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626aaa693f27ff8a776c580d/assignments"}},"createdAt":"2022-04-28T14:53:29.281Z","createdBy":"x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88","updatedAt":"2022-04-28T14:53:29.281Z"}

To create a production space using qlik-cli, pass the name and type of space with the command using the name and type flags. Here's an example:

qlik-cli:

qlik space create --name my_space --type managed

The response should look something like this:

{
  "createdAt": "2022-04-04T13:32:59.01Z",
  "createdBy": "x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88",
  "description": "",
  "id": "624af38a0bed32419b1b4b55",
  "meta": {
    "actions": [
      "create",
      "delete",
      "publish",
      "read",
      "update"
    ],
    "assignableRoles": [
      "consumer",
      "contributor",
      "dataconsumer",
      "facilitator",
      "publisher"
    ],
    "roles": []
  },
  "name": "my_space",
  "ownerId": "x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88",
  "tenantId": "xqFQ0k66vSR8f9G7J-vZtHZQkiYrCpct",
  "type": "managed",
  "updatedAt": "2022-04-04T13:32:59.01Z"
}

Authorize access to the production space

Authorization to access a space is configured using roles, which are assigned to members of a space. Each role is associated with a set of permissions that govern the actions that a member can perform in a space.

Get the ID of the production space

To authorize access to apps in a space, you need to know the ID of the space.

Here's a curl example that shows how to get the space ID using the Spaces API with the GET method. To get the space ID, pass the name of the space as a query parameter in the URL.

curl:

curl -X GET --url https://your-tenant.us.qlikcloud.com/api/v1/spaces?name=my_space ^
--header "Content-Type: application/json" ^
--header "Authorization: Bearer <your_access_token>"

The response should look something like this:

{"data":[{"id":"626aaa693f27ff8a776c580d","type":"managed","ownerId":"x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88","tenantId":"xqFQ0k66vSR8f9G7J-vZtHZQkiYrCpct","name":"my_space12","description":"none","meta":{"actions":["create","delete","publish","read","update"],"roles":[],"assignableRoles":["consumer","contributor","dataconsumer","facilitator","publisher"]},"links":{"self":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626aaa693f27ff8a776c580d"},"assignments":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626aaa693f27ff8a776c580d/assignments"}},"createdAt":"2022-04-28T14:53:29.281Z","createdBy":"x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88","updatedAt":"2022-04-28T14:53:29.281Z"}],"meta":{"count":1},"links":{"self":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces?name=my_space"}}}

To get the space ID using qlik-cli, pass the name of the space with the command using the name flag. Also, use the q flag to return only the ID of the space.

qlik-cli:

qlik space ls --name my_space -q

The response should look something like this:

6271691b6eafdbfb4f11a9ef

The space ID in the response will be required in the next step to identify the managed (production) space.

Add a user or group and assign a role to the production space

When you add a member to a space, you assign them a role, which represents a set of permissions that they have for that space. The process is the same for both users and groups, which are identified by a unique ID. In the following examples, the consumer role is assigned to a group. To assign a role to a group, you need to first get the ID of the group.

Run the following curl command with the name of the group to retrieve the group ID.

curl -G --header "Authorization: Bearer <your_bearer_token>" --header "accept: application/json" --header "Content-Type: application/json" --data-urlencode "filter=name eq \"SG-RMO Analytics\"" https://your-tenant.us.qlikcloud.com/api/v1/groups

The response should look something like this:

{"data":[{"id":"61cc983e7aaff44e27426068","tenantId":"m_nn1JcGcsN7xii8ZQF-UWAMpDP6wOF1","createdAt":"2021-12-29T17:17:50.040Z","lastUpdatedAt":"2021-12-29T17:17:50.040Z","name":"SG-RMO Analytics", "status":"active", "links":{"self":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/groups/61cc983e7aaff44e27426068"}}}],"links":{"self":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/groups?filter=name+eq+%22SG-RMO+Analytics%22"}}}

In this example, the group ID is 61cc983e7aaff44e27426068.

Here's a curl example that shows how to assign a consumer role to a member of the production space using the Spaces API with the POST method. The ID of the production space (from the previous step) is added as a path parameter in the URL. The type of member (group), the assigneeId (61cc983e7aaff44e27426068), and the role (consumer) are passed as data with the command.

curl:

curl -X POST --url https://your-tenant.us.qlikcloud.com/api/v1/spaces/62716f7739b865ece543cd50/assignments ^
--header "Content-Type: application/json" ^
--header "Authorization: Bearer <your_access_token>" ^
-d "{\"type\": \"group\", \"assigneeId\": \"61cc983e7aaff44e27426068\", \"roles\": [\"consumer\"] }"

The response should look something like this:

{"id":"626ff52f7ca0dba484332c21","type":"group","assigneeId":" 61cc983e7aaff44e27426068 ","roles":["consumer"],"spaceId":"626aaa693f27ff8a776c580d","tenantId":"xqFQ0k66vSR8f9G7J-vZtHZQkiYrCpct","createdAt":"2022-05-02T15:13:51.12Z","createdBy":"x-hE9f8HEskiW4ifVkbPr3AFRPzaWe88","updatedAt":"2022-05-02T15:13:51.12Z","links":{"self":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626aaa693f27ff8a776c580d/assignments/626ff52f7ca0dba484332c21"},"space":{"href":"https://your-tenant.us.qlikcloud.com/api/v1/spaces/626aaa693f27ff8a776c580d"}}}

To assign a consumer role to a member of the production space using qlik-cli, pass the type of member, group ID, space ID, and role with the command.

qlik-cli:

qlik space assignment create --assigneeId 61cc983e7aaff44e27426068 --spaceId 624b0d270bed32419b1b514d --roles consumer --type group

The response should look something like this:

{
  "assigneeId": "vNRGrDZIypJtcGTzauw59BbpvkRhqbmI",
  "createdAt": "2022-04-04T17:40:43.414Z",
  "createdBy": "kqJvzqkdKhBfWc6aoSe_vQmHkcvipDkV",
  "id": "624b2d9b13cea76896da2641",
  "roles": [
    "consumer"
  ],
  "spaceId": "624b0d270bed32419b1b514d",
  "tenantId": "oZcMPa_1PwH4FUhgaMdrh6839YHHdEJN",
  "type": "group",
  "updatedAt": "2022-04-04T17:40:43.414Z"
}
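
To review what has been granted on the production space, the assignment objects returned by the API can be audited against a least-privilege policy. This is an added example, not Qlik code; the policy (consumer role only, groups only), the function name and the sample assignments are assumptions, with objects constructed in the shape of the responses above.

```python
# Policy assumption (not a Qlik rule): the production space grants only the
# "consumer" role, and only to groups, as in the tutorial's example.
ALLOWED_ROLES = frozenset({"consumer"})

SPACE_ID = "626aaa693f27ff8a776c580d"  # managed space id from the page
SAMPLE = [  # constructed assignments; ids other than the group id are made up
    {"id": "a1", "type": "group", "assigneeId": "61cc983e7aaff44e27426068",
     "roles": ["consumer"], "spaceId": SPACE_ID},
    {"id": "a2", "type": "group", "assigneeId": " 61cc983e7aaff44e27426068 ",
     "roles": ["consumer"], "spaceId": SPACE_ID},
    {"id": "a3", "type": "user", "assigneeId": "constructed-user-id",
     "roles": ["consumer", "publisher"], "spaceId": SPACE_ID},
    {"id": "a4", "type": "group", "assigneeId": "constructed-group-id",
     "roles": ["facilitator"], "spaceId": "constructed-other-space"},
]


def audit_assignments(space_id, assignments, allowed_roles=ALLOWED_ROLES):
    """Return (assignment id, finding) pairs for grants that break policy."""
    findings = []
    for a in assignments:
        aid = a.get("id", "?")
        if a.get("spaceId") != space_id:
            # Not part of the space under review; report and skip other checks.
            findings.append((aid, "assignment belongs to another space"))
            continue
        assignee = a.get("assigneeId", "")
        if assignee != assignee.strip():
            # A padded ID does not exactly match the intended group or user ID.
            findings.append((aid, "assigneeId has surrounding whitespace"))
        if a.get("type") == "user":
            findings.append((aid, "direct user grant; use a group"))
        extra = sorted(set(a.get("roles", [])) - allowed_roles)
        if extra:
            findings.append((aid, "roles beyond policy: " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for aid, finding in audit_assignments(SPACE_ID, SAMPLE):
        print(aid, finding)
```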

Turn on or turn off tenant features

Your tenant has several features that you can turn on or turn off, which include: automations, data alerts, machine learning endpoints, lineage, notes, and creation of groups, to name a few. If you are planning on using groups to secure access to your tenant (which is the recommended approach over securing access on an individual user basis), you'll need to enable creation of groups.

Enable Auto Creation of Groups

curl:

curl --location --request POST 'https://your-tenant.qlikcloud.com/api/v1/

qlik-cli:

qlik set property

On-demand data features

If your app uses any on-demand data features, you'll need to enable them in your destination tenant. Examples of on-demand data features include on-demand app generation and dynamic views.

Enable On-demand App Generation (REST)

curl:

curl --location --request POST 'https://your-tenant.qlikcloud.com/api/v1/

qlik-cli:

qlik set property

Enable Dynamic Views (REST)

curl:

curl --location --request POST 'https://your-tenant.qlikcloud.com/api/v1/

qlik-cli:

qlik set property

Enable On-demand App Generation

curl:

curl --location --request POST 'https://your-tenant.qlikcloud.com/api/v1/

qlik-cli:

qlik set property

By default, all users are assigned a professional entitlement and have the ability to create shared spaces. However, you may want to change how entitlements are assigned to your customer's users. This can be achieved by enabling or disabling entitlements in the tenant.

Disable Dynamic Assignment of Professional Users

By default, all new users who log in are assigned a professional entitlement until all Professional assignments have been used. You can turn off this feature by:

curl:

curl --location --request POST 'https://your-tenant.qlikcloud.com/api/v1/

qlik-cli:

qlik set property

Enable dynamic assignment of Analyzer users

If you would like new users to be assigned an Analyzer entitlement, enable this feature (it's turned off by default). If dynamic professional assignment is enabled, all professional entitlements will be used before any Analyzer entitlements are used:

curl:

curl --location --request POST 'https://your-tenant.qlikcloud.com/api/v1/

qlik-cli:

qlik set property

Professional entitlements can Create Shared Spaces

By default, all users with Professional entitlements are auto-assigned the “Can create shared space” role. These users can create shared spaces and assign space membership to users and groups. If you'd like to turn off this feature:

curl:

curl --location --request POST 'https://your-tenant.qlikcloud.com/api/v1/

qlik-cli:

qlik set property