DMS Authorization: restrict on "region" based on LDAP field?

Hi all,

I have read all documentation regarding the server and authorization. But one thing remains unclear. How can you dynamically restrict what a user can see if you are using DSC (directory service) like LDAP or a custom authorization table (username, password, region)?

Question: is it just like section access, in the sense that if you both have this "region" field in LDAP table and in your application datamodel, that Qlikview QVS will dynamically restrict access?

Or do you need to have a section access table in each QVW with columns (NT username, Region) in which you make the restriction? Can you also make use of groups?

Situation:

Single Sign on from portal to Qlikview apps, authentication is done via webtickets

Dashboard needs to show only the data associated with the logged in user from the portal (group/region data is stored in the portal authentication system)

Access to reporting portal is needed by:

Customers from outside the company network (not in active directory)

internal users (analysis)

Developers (maintenance)

Thank you very much

Bill_Britt
Former Employee

Here is a sample of section access based on a field in the document called Country. The Group column is only to tie things together.

Sam can see everything.

Steve can see Canada and France

User1 and Batman can see USA

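// Section Access: which users may open the document and the GROUP each maps to
Section Access;
LOAD * INLINE [
    ACCESS, NTNAME, GROUP
    ADMIN, SAM, AGRP
    ADMIN, STEVE, CGRP
    ADMIN, USER1, BGRP
    ADMIN, Batman, BGRP
];

// Section Application: GROUP ties each user to the Country values they may see
Section Application;
star is *;
LOAD * INLINE [
    GROUP, Country
    AGRP, *
    BGRP, USA
    CGRP, Canada
    CGRP, France
];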

Bill

Bill - Principal Technical Support Engineer at Qlik

Not applicable
Author

Yeah, this seems to be the solution, but I am not very happy with it (this approach by QV). I hoped that you could have done it without specifying the usernames and "region restriction" in section access for each user.

  1. You can't directly couple the NT group (or some custom directory group) dynamically to a section application field? E.g. you can read NTNAME but not NTGROUP?
  2. In this solution you only use DMS for authentication... (not field value authorization)
Bill_Britt
Former Employee

Martijn,

This will work with groups. Just use the group name under the tag of NTNAME.

Bill

Not applicable
Author

Thank you very much
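
Added example, not part of the thread and not Qlik code: a Python model of the two tables from the accepted answer that resolves which Country values each principal ends up with, including a group name placed under NTNAME as the later reply suggests. The `PORTAL\REGION_FR` group, the `FGRP` rows and the `Germany` value are constructed, and the matching rules (case-insensitive NTNAME, union of matching rows, star meaning every Country in the document) are assumptions.

```python
# Added example: a Python model of the thread's tables, not Qlik script.
# Constructed additions: the PORTAL\REGION_FR group row, FGRP, and "Germany".
SECTION_ACCESS = """\
ACCESS, NTNAME, GROUP
ADMIN, SAM, AGRP
ADMIN,STEVE, CGRP
ADMIN,USER1, BGRP
ADMIN, Batman, BGRP
ADMIN, PORTAL\\REGION_FR, FGRP
"""
SECTION_APPLICATION = """\
GROUP, Country
AGRP, *
BGRP, USA
CGRP, Canada
CGRP, France
FGRP, France
"""
STAR = "*"  # same symbol as the thread's "star is *;"
COUNTRIES = ["USA", "Canada", "France", "Germany"]  # constructed document values


def parse_inline(text):
    """Turn a comma-separated inline table into a list of row dicts."""
    rows = [[cell.strip() for cell in line.split(",")]
            for line in text.splitlines() if line.strip()]
    return [dict(zip(rows[0], row)) for row in rows[1:]]


def visible_countries(user, groups=(), countries=COUNTRIES):
    """Countries a principal can see; an empty set means no row matched."""
    # Assumption: NTNAME is compared case-insensitively against the user
    # name and every group name, and matching rows add up (union).
    identities = {user.upper()} | {g.upper() for g in groups}
    matched = {r["GROUP"] for r in parse_inline(SECTION_ACCESS)
               if r["NTNAME"].upper() in identities}
    visible = set()
    for row in parse_inline(SECTION_APPLICATION):
        if row["GROUP"] in matched:
            # Assumption: the star expands to every Country in the document.
            visible |= set(countries) if row["Country"] == STAR else {row["Country"]}
    return visible


def unrestricted_groups():
    """GROUP values mapped to the star, i.e. rows worth reviewing first."""
    return {r["GROUP"] for r in parse_inline(SECTION_APPLICATION)
            if r["Country"] == STAR}
```

Running the same resolution over the real access table before publishing a document shows which principals carry a star mapping and which would match no row at all.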