Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

How to allow Anonymous Hub access in Qlik Sense Enterprise on Windows

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Sonja_Bauernfeind
Digital Support
Digital Support

How to allow Anonymous Hub access in Qlik Sense Enterprise on Windows

Last Update:

Aug 11, 2022 6:13:32 AM

Updated By:

Sonja_Bauernfeind

Created date:

Oct 28, 2014 10:33:11 AM

Three requirements need to be met in order to allow Anonymous users access to the Hub:

 

Useful information:

  • Users who access Qlik Sense anonymously are identified as NONE\anonymousd9e61933-a7e5-4836-8540-5b137a600e69, where the GUID is a unique identifier.
  • To create a license rule, granting login passes to anonymous users you can use two identifiers:
    • userDirectory=NONE 
    • user.IsAnonymous()

 

 

Configure the Proxy to allow Anonymous users

By default, anonymous access is disabled. The steps provided require a restart of the Proxy service after completion. 

  1. Open the Qlik Sense Management Console.
  2. Choose the Virtual Proxy to be used for anonymous access
  3. Click Edit.
  4. In the Properties menu (right side) choose Authentication
  5. From the Anonymous access mode drop-down select Allow anonymous users

    Edit Virtual Proxy Allow Anonymous.png

Set up a license rule 

Anonymous users will need to have a license rule available for them which gives them either an Analyzer Capacity License or a Login Access Token. The instructions in this article will focus on Analyzter Capacity Licenses. 

  1. Open the Qlik Sense Management Console.
  2. Navigate to License Management 
  3. Click Analyzer capacity rules 
  4. Click Create new 
  5. Give the new rule a Name (mandatory) and Description (optional) 
  6. Create one of two possible rules:
    1. In the Basic settings, select
      user: userDirectory =
      value: NONE
    2. In the Advanced settings (see Fig 2), provide the condition:
      user.IsAnonymous()

      Fig 2Fig 2

  7. Click Apply

 

Set up a Stream for anonymous access

You can use the default Everyone stream, which has already been set up for anonymous access, or create your own. 

We will create two rules. One to allow logged in (authenticated) users access and publishing permissions. One to allow anonymous user access, but no publishing permissons. Note that based on your requirements, this may need to modified. 

  1. Go to the Qlik Sense Management Console
  2. Go to Manage Content and Streams
  3. Click Create New
  4. Name your new Stream
  5. Click Security Rules 
  6. Click Create associated rule (see Fig 2) 
    This will be our "Everyone (anonymous) can read the stream." rule.

    Fig 3Fig 3
  7. Provide a Name (mandator) and Description (optional) 
  8. In Basic only select Read 
  9. In Advanced define
    Condition: user.IsAnonymous()
    Context: Only in hub

    See Fig 4. 

    Fig 4Fig 4

  10. Click Apply 
  11. Click Create associated rule (see Fig 2)
    This will be our "Everyone (logged in) can access this stream and publish." rule.
  12. Provide a Name (mandator) and Description (optional) 
  13. In Basic only select Read and Publish.
  14. In Advanced define
    Condition: !user.IsAnonymous()
    Context: Both in hub and QMC
  15. Click Apply

 

Test!

We are now ready to test access. 

  1. Go to the Qlik Sense Hub (hosted by the Virtual Proxy you have configured)
  2. If you are logged in, log out.

    anonymous stream set up.png

  3. Our new Anonymous stream is now avaiable.

 

 

Labels (2)
Comments
RaviGinqo
Partner - Contributor II
Partner - Contributor II

Hi Sonja,

Thanks for the article, I also wanted to know what will be session timeout for Anonymous users. Can session Monitor give correct details for session analysis of anonymous users?

 

Is the session inactivity timeout on Virtual proxy applicable to anonymous users as well? 

 

Ravi

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @RaviGinqo

The same timeout applies for all users, regardless of whether or not they are logged in - and all sessions are recorded in the Session Monitor.

-Sonja 

ilyas393
Creator
Creator

Hi Sonja,

Thanks for the helpful article.

Is it possible to have the same proxy (basically the same URL) for non-anonymous and anonymous users?

Right now, we have qlik.company.com for the hub. And users are basically SSO in. They can directly access the hub and the apps if they have access to.

We now have an app that everyone at the organization should be able to access. Ours is a huge organization, and we don't have like a huge AD group with everyone in it. So, the other option is to enable the anonymous user ability so that anybody can access the portal.

When we enable ALLOW ANONYMOUS users, all the users land on the everyone stream, and users who have access to other streams are having to click on the LOG IN button to sign in. So basically non-anonymous users have an extra step to click on the LOG IN button.

Is it possible that all non-anonymous users can see the streams they have access to and anonymous users see only the everyone stream, using the same URL, and no extra clicking for the non-anonymous users?

Sorry if my post is confusion. Just want to get an idea if this is even possible?

I understand the other solution will be to create a virtual proxy for the anonymous users, but then we would end up having two URL's; one of anonymous and other for non-anonymous.

Appreciate your thoughts.

Thanks,

Ilyas

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @ilyas393 

Either way, a user will need to authenticate somehow. You may be able to build something with a single sign-on solution that will automatically login a user and then provide them seamless access to all the apps they have available, but even then there would need to have to be some trigger or button-click as how else would you make the decision between "I am going to log in" or "I am anonymous". 

It might be worth dropping this question over in our forums to see if anyone has tailored a solution like that to their needs.

All the best, 

Sonja 

ilyas393
Creator
Creator

Hi Sonja,

Thanks for your response. I ended up removing the filters from the UDC and allowing everyone at our organization to access the application, opened up just the EVERYONE stream and locked other streams with specific AD Groups. This seemed to solve our requirement.

Thanks,

Ilyas

Sonja_Bauernfeind
Digital Support
Digital Support

@ilyas393 That's a great use of streams and AD Groups! 

Thank you for taking the time to leave the comment - I am sure other customers will find this useful. 

-Sonja 

Mccutchan1
Contributor III
Contributor III

Hi Sonja, 

It looks like each user is identified as NONE\anonymous. Are there any logs in Qlik Sense or any other way to track who is access the application via anonymous access?

Thanks

McCutchan

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @Mccutchan1 

This depends on where the users are coming from and if you have access to logs as well as if you have any means to identify them based on IP address. Sense will no be able to ID them for you, but you can fetch the IP address out of this log:

Directory: C:\ProgramData\Qlik\Sense\Log\Proxy\Trace
File: QLIKSERVER3_Audit_Proxy

This is what a simplified example looks like (I stripped out some columns and dropped them into an Excel file):

ip address in log.png

 

Additional info can be fed into the logs if you enable Enhanced Security, but again, nothing that will help you ID the user directly. The IP address in the proxy log is your best bet.

 

All the best,

Sonja 

 

Mccutchan1
Contributor III
Contributor III

Thank you for the information Sonja!

Mccutchan1
Contributor III
Contributor III

Hi Sonja,

We are planning on sending out an URL for the anonymous access application. Once the application is accessed is there anyway to hide the menu from being seen? 

Menu.PNG

Contributors
Version history
Last update:
‎2022-08-11 06:13 AM
Updated by: