Not applicable

section access "leaking" or bookmark

Hi

Scenario A

Person A logs in and is limited to seeing Branch A through section access, and then person B logs in and is not limited to seeing Branch A through section access but is being shown only Branch A. If the second person logs in when the first person has not logged in, they can see everything (as expected).

On opening, the same bookmark is applied to both users, which is Branch NOT G, and this is locked.

This has become an issue since some changes were made to the server settings but I am not sure which change has caused the problem.

Any help would be greatly appreciated.

5 Replies
marcus_sommer

Is "strict exclusion" within the document properties in tab open enabled? Which releases are used within the development and the server?

- Marcus

Not applicable
Author

Hi Marcus,

"Initial Data Reduction Based on Section Access" is enabled

"Strict exclusion" is not enabled


The server is 11.20.12904.0

Development is 11.20.13206.0 SR13

marcus_sommer

To get valid security you need to enable the strict exclusion option; otherwise your section access is more a kind of usability and not really secure. See for this: Section Access: Strict Exclusion.

Further, differences between the releases used cause potential incompatibility problems; therefore I suggest up- or downgrading one or both of your environments to get the same release.

- Marcus

Not applicable
Author

Hi Marcus

I enabled the strict exclusion and now users who do not have any restrictions on the data they can see are unable to access the document, so I will be switching it back off again. I have never had an issue with security; it seems to work fine: users who have restrictions through section access are unable to see data they are restricted from seeing. The access to the document is controlled through named CALs, so I am unsure of why it would need to be "really secure"?

Thanks

Tom

marcus_sommer

Without strict exclusion, a change to the key values of the key fields that you have connected with the section access will lead to invalid matches between the data and the section access, and this means that those users will get access to all included data, which is not really secure if you are dealing with confidential data.

This isn't a theoretical risk; it does happen. It has happened to us several times in the last years, for example when a sales channel was renamed about two years ago, and more often through other changes to our structures, and it can happen just through small mistakes in maintaining the core data: one accidentally entered white-space or a typo is enough to break your matching.

From an administrative point of view I couldn't ensure that I adapt to each of these changes or potential mistakes, even if I spent a lot of time checking them; hence the suggestion to enable strict exclusion. If your main goal isn't to ensure that only certain people can see certain data, but rather to offer a special kind of usability, it's OK to use section access without this option.

- Marcus
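
Added example, not part of the thread and not Qlik code: a pre-reload check for the failure mode described in the last reply, where a renamed key value, a typo or stray whitespace leaves a section access row matching nothing in the data. The field name `BRANCH`, the row layout, the user names and the sample values are constructed, and an empty or `*` reduction value is assumed to mark an unrestricted row.

```python
from collections import defaultdict

# Constructed sample: key values as they exist in the data model after a reload.
SAMPLE_KEYS = ["BRANCH A", "BRANCH B", "BRANCH G"]
# Constructed sample: rows of the section access table (BRANCH is the reduction field).
SAMPLE_ACCESS = [
    {"ACCESS": "USER", "USERID": "DOM\\ANNA", "BRANCH": "BRANCH A"},
    {"ACCESS": "USER", "USERID": "DOM\\BEN", "BRANCH": "BRANCH B "},  # stray space
    {"ACCESS": "USER", "USERID": "DOM\\CARA", "BRANCH": "BRANCH C"},  # renamed in data
    {"ACCESS": "USER", "USERID": "DOM\\DAN", "BRANCH": ""},  # unrestricted (assumed)
]

def audit_section_access(access_rows, data_keys, field="BRANCH"):
    """Group each user's reduction values into matched, unmatched, unrestricted."""
    keys = set(data_keys)
    # Normalised lookup, used only to suggest the key a near miss was meant to be.
    near = {k.strip().upper(): k for k in keys}
    report = defaultdict(lambda: {"matched": [], "unmatched": [], "unrestricted": False})
    for row in access_rows:
        value = row.get(field, "")
        entry = report[row["USERID"]]
        if value in ("", "*"):
            entry["unrestricted"] = True
        elif value in keys:  # exact comparison: whitespace and typos count
            entry["matched"].append(value)
        else:
            entry["unmatched"].append((value, near.get(value.strip().upper())))
    return dict(report)

def broken_reductions(report):
    """Users meant to be restricted whose values match no key in the data."""
    return sorted(user for user, e in report.items()
                  if e["unmatched"] and not e["matched"] and not e["unrestricted"])

if __name__ == "__main__":
    report = audit_section_access(SAMPLE_ACCESS, SAMPLE_KEYS)
    for user in broken_reductions(report):
        for value, hint in report[user]["unmatched"]:
            print(f"{user}: {value!r} matches no key"
                  + (f", did you mean {hint!r}?" if hint else ""))
```

Per the thread, the flagged users are the ones who end up seeing all data while strict exclusion is off, and the rows reported as unrestricted are the ones to review before switching it on.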