Peter_Cammaert
Partner - Champion III

DMS with AD & custom groups = empty accesspoint

At a customer of ours, we're building a specific authorization mechanism using QVS EE, QVP and DMS (all on same server running QV11IR). Users are authenticated using AD and recognized by way of the Active Directory DSC. A Configurable ODBC provides custom groups for all users that should have access to the documents in the portal.

We can query these users in the QMC Users tab. They appear to belong to both the correct AD groups AND the custom groups that were defined in an Oracle DB.

When we create a distribution task for reloading and distributing a single document to a custom group, the QMC confirms (via the same Users menu) that the document is reloaded and distributed to this custom group. Selecting a single member in the QMC->Users list produces confirmation that the user belongs to the distribution group (Groups tab), has access to the correct test document (Documents tab) and got the necessary rights from the correct task because of being a member of this custom group (Distribution tab).

However, when the same lucky user opens the portal, no documents are available. Just an empty list...

No error messages or warnings are present in the logs. All DSC activity is successful.

The QVWS log contains the only indicator that something is wrong. The GetAdminDocListForUser request consistently returns an empty list.

BTW this user has all necessary NTFS rights to folders and documents, but I don't think that matters when using DMS.

Is there a reason why QMC keeps telling everything's just fine when the published documents remain invisible in the AccessPoint?

Thnx,

Peter

17 Replies
danielrozental
Master II

No, I don't think that's the way it works. DSC queries the database every 15 minutes (or similar) and fetches information about groups.

Maybe that acts as a cache, not really sure what records the DSC pulls.

Sorry, I don't really know that but if you learn anything else please post it.

Bill_Britt
Former Employee

Peter, if you are not doing Windows Authentication you have to write an SSO application that will do the Authentication for you and then it will pass the Header information to QV. Once that is passed to QlikView we will use the header information to see what you have rights to. Look at the attached document on how to pass and setup QlikView to use Header. I used Customer Users here because I didn't have access to any other LDAP.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
Peter_Cammaert
Partner - Champion III
Author

Bill, I'm using only Windows authentication. See first sentence of msg 8. AD = Active Directory.

Users authenticate themselves by preference using IWA, so SSO leads them straight away to their AccessPoint document list. At that point authorizations kick in and those are returning empty or partial document lists. All rather unexpectedly.

Authentication is working just fine.

Peter

Bill_Britt
Former Employee

Then you can't use Custom LDAP. You have to use Windows. With any other you have to write an SSO to make it work.

Bill - Principal Technical Support Engineer at Qlik
Peter_Cammaert
Partner - Champion III
Author

I guess you mean Configurable LDAP? Then I'm not using a Custom LDAP.

I'm using Windows AD, consisting of the following DSPs:

- Active Directory (for domain accounts)

- Local Directory (for accounts on the server machine)

On top of that, I'm using Configurable ODBC just for group resolution. Configurable ODBC doesn't do anything else. These groups only match users from the Active Directory DSP (because of the required Directory Label).

I'm not using a Custom Directory, as that would cause a big malfunction.

Peter

Peter_Cammaert
Partner - Champion III
Author

Wow.

It seems that QVS can manage users purely on customized ODBC.

By way of experiment, I assigned licenses to a few AD users. Then I dropped all DSPs except customized ODBC. Now there are just the users (& groups) defined in the ENTITY table.

  • The group membership resolution still doesn't work (no documents in portal)
  • But if I now authorize a Customized ODBC user to view a document in AccessPoint (User Docs->Authorizations), and this user has by any chance a corresponding AD account, the document does appear in QlikView AccessPoint.

Is the communication between QVWS and QVS about who can see which documents based on text IDs only (like the string "DOMAIN\username") instead of some kind of secure token?

Peter

Peter_Cammaert
Partner - Champion III
Author

Apparently, AD users and custom groups cannot be mixed. QMC has no problem resolving custom groups for AD users, but QVWS won't. So you won't get to your documents, unfortunately.

Those who want this to happen in a future release can vote for: http://community.qlik.com/ideas/1851

Thanks for your feedback

Peter

chriscammers
Partner - Specialist

@Bill_Britt

I know I am kicking a really old thread but I have a client trying to set up QlikView for external users. They have a working ODBC DSC and a working Ticket authentication solution with Okta as the IDP. When we attempt to set user permissions based on our groups in the ODBC DSC we don't get any apps; if we assign permissions based on our users then we get apps.

Are permissions granted at the group level really not supported with an external IDP???

 

And yes, I am trying to convince them to move to Sense but my they hate it and have tons of development invested in their qlik apps. This would all be easier there.