14 Replies Latest reply: Dec 3, 2014 1:54 PM by Borys Tyukin

Publisher and NTFS mode

Bertrand HERARD

Hi,

I've a production server with Publisher and a test/server without Publisher.

 

I want to use NTFS security with Publisher, that is to say, managing users with NTFS rights on folders.

In Publisher you can still select NTFS security mode, but when you build a task, you're forced to overwrite existing security (if I don't add recipients in the task settings, the log says: no recipients, skipping distribution).

 

So do you know how to work around it?

 

Best regards

  • Publisher and NTFS mode
    Bill Britt

    This is defeating the purpose of Publisher. It will set the user and group rights on the QVW for you. This is a better way than just giving everyone rights to the folder.

    • Publisher and NTFS mode
      Bertrand HERARD

      I need Publisher to do other things than security,

      but I would like to set security on folders (I have several reasons for that).

      If you're forced to use DMS with Publisher, I don't understand why the NTFS option still exists in the QMC?

       

      Best regards

      • Publisher and NTFS mode
        Bill Britt

        You are not forced to do DMS mode in publisher. It is set to NTFS by default.

        • Publisher and NTFS mode
          Bertrand HERARD

          Yep,

          but the main difference is that in NTFS you manage rights in Windows, while in DMS it's QlikView which controls file access.

           

          So if you select NTFS and then you're forced to set security in task settings instead of managing it on system folders (rights inheritance is disabled), I don't really see the difference between DMS and NTFS.

           

          Regards

          • Publisher and NTFS mode
            Bill Britt

            Need to check the reference manual.

             

            The Security tab

            Authorization

            NTFS Authorization

            Windows controls the file access for all users. Security is set in the operating system.

            DMS Authorization

            DMS is used to enable QlikView Server authentication. Read more about DMS on "Document Metadata Service (DMS)" on page 181.

             

            Publisher will set the NTFS permission on the document if you have the Security set to NTFS and it will set the DMS security if it is set for DMS.

            • Re: Publisher and NTFS mode
              Rick Huebner

              Sorry for picking up an older thread, but this is a problem that I'm also running into. We must use NTFS permissions. NTFS permissions are set up on both the Publisher source directory tree (limited to Publisher admins only) and the target document directory (ACLs set up based on group permissions). All directories are set up to inherit permissions of the parent, with additional permissions added as you go deeper into the directory tree.

               

              We are just now starting to test Publisher and find that it sets permissions on the target qvw. I guess I can see the use case for this, but I would think this would be the exception, not the rule. And, there seems to be no way to have Publisher write the target QVW into the target directory and just inherit the permissions of the folder.

               

              I must be missing something some place that toggles this behavior right? Why would an application default to not inheriting the target folder NTFS permissions?

               

              Rick

              • Re: Publisher and NTFS mode
                Bill Britt

                This is done for security. If you notice, it only applies permissions to the file for the users you select in the distribution job. That way only those users have rights to the file, and when a user hits the AccessPoint they only see the files they have rights to.

                • Re: Publisher and NTFS mode
                  Rick Huebner

                  Yes, but that pushes the responsibility for the permissions to the application, not the file system. Now I need to document permissions at both the file system (added by the sysadmin) and the Publisher task level. We have many dashboards that are not distributed by Publisher and their permissions are inherited.

                  Is there any way to make Publisher do the equivalent of a Windows copy where target permissions are inherited? If I hand copy a document from the source mount to the document folder, it inherits the target permission.

                   

                  Is this the way everyone using NTFS permissions and Publisher works? I guess I'm looking for the best practice here.

                  • Re: Publisher and NTFS mode
                    Bill Britt

                    If you are looking at best practices, then you never set secured objects at the folder level. That makes it too easy for someone to grab something they should not have. If you set them on the file level, I can only see items that I have rights to and not everything.

                    However, that is the joy of managing a network. You have the rights to set up the system any way you want to. You can always set Publisher to distribute to all Named Users, all authenticated users or all users and then set folder level. Then the least rights (folder level) will be the ones applied.

                     

                    Bill

                    • Re: Publisher and NTFS mode
                      Rick Huebner

                      Bill, I've made it a practice to avoid setting permissions at the object level if at all possible just like I avoid setting permissions by individual user when dealing with Windows and Unix servers in general. Setting permission for only usergroup1 read/write on c:\docs\foo\ will prevent any user not a member of usergroup1 from reading or writing to any file copied into c:\docs\foo\. I don't understand how setting folder permissions allows someone to grab something that they should not have access to.

                       

                       

                      [Image: All Users.jpg]

                      This is a screen shot of the permissions from a document that Publisher distributed to a mount point to User Type "All Users". Again, NTFS inheritance was broken and unique permissions are added although I don't see any group representing All Users, only two individual accounts are given any access at all, the service account for QlikView and a disabled local account.  If I use windows copy and copy the file from the Source tree to the Docs tree, permissions are inherited and I get this:

                      [Image: Inherited Permissions.jpg]

                       

                      The implied permissions granted through inheritance will have to be applied to each individual document distributed by Publisher.

                       

                      I could set up something like icacls or a PowerShell script to constantly go through and reset permissions to inherited from the parent folder.

                       

                      I have to say, I've never seen an application that overrode permissions and didn't have an option to just inherit permissions from the target folder.
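
The PowerShell approach mentioned in the post above, as an added example that is not part of the original thread or any QlikView tooling: it turns NTFS inheritance back on for distributed documents and removes the explicit entries set on each file. The function name `Restore-QvwInheritance` and the path `D:\QlikView\Docs` are hypothetical, and it assumes an elevated session allowed to change permissions on those files.

```powershell
# Added example: re-enable NTFS inheritance on documents written by Publisher.
# Function name and document path are hypothetical placeholders.
function Restore-QvwInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DocumentRoot,
        [string]$Filter = '*.qvw'
    )

    Get-ChildItem -LiteralPath $DocumentRoot -Filter $Filter -File -Recurse | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName

        # Explicit (non-inherited) entries are the ones set on the file itself.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        # Skip files that already inherit and carry no explicit entries.
        if (-not $acl.AreAccessRulesProtected -and $explicit.Count -eq 0) { return }

        if ($PSCmdlet.ShouldProcess($file.FullName, 'Re-enable inheritance, remove explicit ACEs')) {
            # isProtected = $false turns inheritance from the parent folder back on;
            # the second argument is ignored when isProtected is $false.
            $acl.SetAccessRuleProtection($false, $false)
            foreach ($rule in $explicit) { $acl.RemoveAccessRuleSpecific($rule) }
            Set-Acl -LiteralPath $file.FullName -AclObject $acl

            # One record per changed file, so the reset can be logged and reviewed.
            [pscustomobject]@{
                Path        = $file.FullName
                RemovedAces = ($explicit | ForEach-Object {
                    "$($_.IdentityReference):$($_.AccessControlType):$($_.FileSystemRights)"
                }) -join '; '
            }
        }
    }
}

# Dry run first: lists the files that would change without touching them.
Restore-QvwInheritance -DocumentRoot 'D:\QlikView\Docs' -WhatIf
# Apply and keep an audit trail:
# Restore-QvwInheritance -DocumentRoot 'D:\QlikView\Docs' | Export-Csv .\acl-reset.csv -NoTypeInformation
```

After it runs, the folder ACL alone decides who can read each document, so review that ACL before removing the per-file entries. As the thread describes, Publisher sets its own permissions again when it distributes, so the reset has to be repeated after each task.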

  • Re: Publisher and NTFS mode
    Borys Tyukin

    I know this is an old post but the problem still exists. It is very very weird that QVS would overwrite NTFS permissions on a file and would not inherit them. This is the first time I've seen that.