Re: End user leases user cal rather than doc cal - Qlik Community

Permalink · ‎2016-05-29

Our deployment uses a combination of ntfs and section access for security. all except one app has section access in the script.

For a new app (MDR.qvw) I've deployed i stipulate define 'mdr-user' ad group as having user access in section access. User A and B are both members of the 'mdr-user' ad group.

On QMC I've limited the doc cal to one but with dynamic cal assignment.

So user A opens MDR.qvw in chrome and I see in QMC that he has consumed a doc cal.

Couple of days later I ask user B to open MDR.qvw from AccessPoint using chrome. I was hoping to see User B has now consumed that doc cal. instead I see he has leased a user cal (user B was not previously in the list of Assigned CALs on QMC>>System>>Licenses>>Client Access Licenses(CALs)>>Assigned CALs) but once he opened MDR.qvw suddenly his account appeared.)

Upon further investigation I see that a couple months ago he used another application - AssetsAndLiabilities.qvw. I review this app and see that there is no section access in the script.

Does the lack of section access in AssetsAndLiabilities.qvw mean anyone with a windows account and password could see the AssetsAndLiabilities.qvw?
I have checked the security on windows file explorer - for source doc version of AssetsAndLiabilities.qvw there is a list of ad groups listed with read access (User B is in on of these ad groups) - so are those members carried over into the list of 'authenticated users' I see on the user doc version of AssetsAndLiabilities.qvw?
Is the absence of section access in AssetsAndLiabilities.qvw the reason he consumes a user cal rather than a doc cal
What governs the list of apps a user see's when opening AccessPoint? I suspect if is governed by section access (must have ADMIN or USER permission) but i want to be 100% sure.

Thanks

Ross

Anonymous · ‎2016-05-29

Hi Ross,

As an FYI I have forward this to CS Australia to reach out with you. I would recommend we look at this from a health check perspective.

Personally I believe using DMS and having publisher maintain permissions is preferable to NTFS. This provides a single place for an audit trial. Also I thought that is what we setup a few years ago.

My thoughts on your points.

1. Access point permissions has changed a little bit, however I am fairly certain that the ability to view a document is controlled by either the NTFS or DMS permissions. In your case it is the NTFS permissions. Section Access should limit who can open the document.

2. Security should not be on the Source Documents version of the application. It should be the permissions on the User Documents version. Again assuming that the environment is as it was a number of years ago. However I would recommend using publisher to specify the permission with the DMS permissions. This will allow you to verify authorisation via just the QMC rather than the QMC, NTFS and also the Access Control List.

3. I am not sure on this. However I believe the highest available license is assigned with Dynamic Assignment on.

4. Refer to point 1. Note that hte concept of ADMIN or USER is not applicable for Access Point. This is only applied to the Desktop Client.

If you have any questions then please contact me directly.

Damian

swuehl · ‎2016-05-29

Hi Damien,

I believe there is an (optional, off by default) option on QMC to hide a document in AP when section access restricts access to this document to the user (to avoid showing the document, but then denying access).

Best,

Stefan

Permalink · ‎2016-05-30

Hi Damian.

wow, quick response - on the ball hey?

Send me your email address if you'd like me to respond directly.

thanks,

Ross.