
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to allow Anonymous Hub access in Qlik Sense Enterprise on Windows
Aug 11, 2022 6:13:32 AM
Oct 28, 2014 10:33:11 AM
Three requirements need to be met in order to allow Anonymous users access to the Hub:
- The product must not be Qlik Sense Business or Qlik Sense Enterprise SaaS.
- The license must support anonymous access, see Which Qlik Sense Enterprise licenses support anonymous access?
- Proxy must be configured to allow Anonymous users
- A Stream dedicated to anonymous users must be created
Useful information:
- Users who access Qlik Sense anonymously are identified as NONE\anonymousd9e61933-a7e5-4836-8540-5b137a600e69, where the GUID is a unique identifier.
- To create a license rule, granting login passes to anonymous users you can use two identifiers:
- userDirectory=NONE
- user.IsAnonymous()
Configure the Proxy to allow Anonymous users
By default, anonymous access is disabled. The steps provided require a restart of the Proxy service after completion.
- Open the Qlik Sense Management Console.
- Choose the Virtual Proxy to be used for anonymous access
- Click Edit.
- In the Properties menu (right side) choose Authentication
- From the Anonymous access mode drop-down select Allow anonymous users
Set up a license rule
Anonymous users will need to have a license rule available for them which gives them either an Analyzer Capacity License or a Login Access Token. The instructions in this article will focus on Analyzter Capacity Licenses.
- Open the Qlik Sense Management Console.
- Navigate to License Management
- Click Analyzer capacity rules
- Click Create new
- Give the new rule a Name (mandatory) and Description (optional)
- Create one of two possible rules:
- In the Basic settings, select
user: userDirectory =
value: NONE - In the Advanced settings (see Fig 2), provide the condition:
user.IsAnonymous()Fig 2
- In the Basic settings, select
- Click Apply
Set up a Stream for anonymous access
You can use the default Everyone stream, which has already been set up for anonymous access, or create your own.
We will create two rules. One to allow logged in (authenticated) users access and publishing permissions. One to allow anonymous user access, but no publishing permissons. Note that based on your requirements, this may need to modified.
- Go to the Qlik Sense Management Console
- Go to Manage Content and Streams
- Click Create New
- Name your new Stream
- Click Security Rules
- Click Create associated rule (see Fig 2)
This will be our "Everyone (anonymous) can read the stream." rule.Fig 3
- Provide a Name (mandator) and Description (optional)
- In Basic only select Read
- In Advanced define
Condition: user.IsAnonymous()
Context: Only in hub
See Fig 4.Fig 4
- Click Apply
- Click Create associated rule (see Fig 2)
This will be our "Everyone (logged in) can access this stream and publish." rule. - Provide a Name (mandator) and Description (optional)
- In Basic only select Read and Publish.
- In Advanced define
Condition: !user.IsAnonymous()
Context: Both in hub and QMC - Click Apply
Test!
We are now ready to test access.
- Go to the Qlik Sense Hub (hosted by the Virtual Proxy you have configured)
- If you are logged in, log out.
- Our new Anonymous stream is now avaiable.

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi Sonja,
Thanks for the article, I also wanted to know what will be session timeout for Anonymous users. Can session Monitor give correct details for session analysis of anonymous users?
Is the session inactivity timeout on Virtual proxy applicable to anonymous users as well?
Ravi

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @RaviGinqo!
The same timeout applies for all users, regardless of whether or not they are logged in - and all sessions are recorded in the Session Monitor.
-Sonja

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi Sonja,
Thanks for the helpful article.
Is it possible to have the same proxy (basically the same URL) for non-anonymous and anonymous users?
Right now, we have qlik.company.com for the hub. And users are basically SSO in. They can directly access the hub and the apps if they have access to.
We now have an app that everyone at the organization should be able to access. Ours is a huge organization, and we don't have like a huge AD group with everyone in it. So, the other option is to enable the anonymous user ability so that anybody can access the portal.
When we enable ALLOW ANONYMOUS users, all the users land on the everyone stream, and users who have access to other streams are having to click on the LOG IN button to sign in. So basically non-anonymous users have an extra step to click on the LOG IN button.
Is it possible that all non-anonymous users can see the streams they have access to and anonymous users see only the everyone stream, using the same URL, and no extra clicking for the non-anonymous users?
Sorry if my post is confusion. Just want to get an idea if this is even possible?
I understand the other solution will be to create a virtual proxy for the anonymous users, but then we would end up having two URL's; one of anonymous and other for non-anonymous.
Appreciate your thoughts.
Thanks,
Ilyas

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @ilyas393
Either way, a user will need to authenticate somehow. You may be able to build something with a single sign-on solution that will automatically login a user and then provide them seamless access to all the apps they have available, but even then there would need to have to be some trigger or button-click as how else would you make the decision between "I am going to log in" or "I am anonymous".
It might be worth dropping this question over in our forums to see if anyone has tailored a solution like that to their needs.
All the best,
Sonja

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi Sonja,
Thanks for your response. I ended up removing the filters from the UDC and allowing everyone at our organization to access the application, opened up just the EVERYONE stream and locked other streams with specific AD Groups. This seemed to solve our requirement.
Thanks,
Ilyas

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
@ilyas393 That's a great use of streams and AD Groups!
Thank you for taking the time to leave the comment - I am sure other customers will find this useful.
-Sonja

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi Sonja,
It looks like each user is identified as NONE\anonymous. Are there any logs in Qlik Sense or any other way to track who is access the application via anonymous access?
Thanks
McCutchan

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @Mccutchan1
This depends on where the users are coming from and if you have access to logs as well as if you have any means to identify them based on IP address. Sense will no be able to ID them for you, but you can fetch the IP address out of this log:
Directory: C:\ProgramData\Qlik\Sense\Log\Proxy\Trace
File: QLIKSERVER3_Audit_Proxy
This is what a simplified example looks like (I stripped out some columns and dropped them into an Excel file):
Additional info can be fed into the logs if you enable Enhanced Security, but again, nothing that will help you ID the user directly. The IP address in the proxy log is your best bet.
All the best,
Sonja

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Thank you for the information Sonja!

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi Sonja,
We are planning on sending out an URL for the anonymous access application. Once the application is accessed is there anyway to hide the menu from being seen?