Solved: Re: Sheet Security with Section Access - Page 2 - Qlik Community

Carlos_Reyes · ‎2013-09-23

Hi,

I'm developing an app that needs to constraint the access to certain sheets/tabs to some users, and, since this application is being published through a publisher distribution task, I decided to use Section Access in order to fulfill that requirement. However I've encountered a problem I've been unnable to solve.

So, I created a small inline table with the user profiles, which is loaded within the Section Access part of the script, and after that I load the profile information, outside of the Section Access part, so that it'll be filtered per user during the distribution task. Theorically this should work, but only the first user (which is the same that runs the qlikview services) can enter the app through the Access Point or the Open in Server option in the Desktop. The remaining users are not allowed to go in the application and get the classical Section Access error that indicates that they don't have the right to see that app.

At first I thought it was a problem of incorrect user names (NTAME) but I've tested the same users, and inline load method, with other apps, that do filter the data model and not only sheets, and it works perfectly fine.

I've attached a small example of my requirement with the Section Access script commented and the Document Properties "Initial Data Reduction Based on Section Access" and "Strict Exclusion" disabled so you can open the file.

Section Access;

SECURITY:
LOAD * INLINE [
    ACCESS, NTNAME, USER
    ADMIN, EVOLCON-CR\CARLOSREYES, CARLOSREYES
    ADMIN, EVOLCON-CR\PRUEBA1, PRUEBA1
];

Section Application;

SHEET_ACCESS:
LOAD * INLINE [
    USER, SHEET_A, SHEET_B
    CARLOSREYES, 0, 1
    PRUEBA1,  1, 0
];

I hope you can help me to solve or get around this issue. I already know about the MATCH(OsUser(), 'User1', 'User2', 'UserN') option and although it works I would like to know why this doesn't. if this approach is incorrect and will never work I need to get an efficient alternative, since this app will be distribuited to more than 50 users so it'll be cumbersome to use the MATCH() method.

Thanks in advance.

Carlos_Reyes · ‎2013-09-26

Bill,

All QlikView services run under EVOLCON-CR\CARLOSREYES.

I changed the Section Access code in order to enable CARLOSREYES to see all sheets, and also I added a new user in order to see if the sheets are correctly enabled or disabled:

Section Access;

SECURITY:

LOAD * INLINE [

   ACCESS, NTNAME, USER

    ADMIN, EVOLCON-CR\CARLOSREYES, CARLOSREYES

    ADMIN, EVOLCON-CR\PRUEBA1, PRUEBA1

    ADMIN, EVOLCON-CR\PRUEBA2, PRUEBA2

];

Section Application;

SHEET_ACCESS:

LOAD * INLINE [

    USER, SHEET1, SHEET2

    CARLOSREYES, 1, 1

    PRUEBA1, 1, 0

    PRUEBA2, 0, 1

];

So, I ran the distribution task again, which by the way distributes to NAMED USERS list (PETER), and I still have the same problem.

If I keep "Strict Exclusion" disabled all users can go into the app but the three use the CARLOSREYES profile, so the three users are able to see SHEET1 and SHEET2:

CARLOSREYES

PRUEBA1

PRUEBA2

IF I replace the CARLOSREYES profile to use " * " instead of " 1 " , all users, including CARLOSREYES can only see SHEET1:

Section Access;

SECURITY:

LOAD * INLINE [

   ACCESS, NTNAME, USER

    ADMIN, EVOLCON-CR\CARLOSREYES, CARLOSREYES

    ADMIN, EVOLCON-CR\PRUEBA1, PRUEBA1

    ADMIN, EVOLCON-CR\PRUEBA2, PRUEBA2

];

Section Application;

SHEET_ACCESS:

LOAD * INLINE [

    USER, SHEET1, SHEET2

    CARLOSREYES, *, *

    PRUEBA1, 1, 0

    PRUEBA2, 0, 1

];

CARLOSREYES

PRUEBA1

PRUEBA2

And If I enable "Strict Exclusion" , in both scenarios with " * " or " 1 ", only CARLOSREYES can go into the app. The users PRUEBA1 and PRUEBA2 get the "YOU DON'T HAVE ACCESS TO THIS DOCUMENT" window.

By the way... the condition for sheets to be enabled are the next:

SHEET1 : =Sum(SHEET1)=1

SHEET2: =Sum(SHEET2)=1

So I have no idea of what's wrong...

Thanks a lot for your help !

Bill_Britt · ‎2013-09-26

Carlos,

Sent you a private email

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

Carlos_Reyes · ‎2013-09-26

Bill,

Your document works as expected, so I don't know why mine isn't working. The only doubt/difference I have regarding your scenario is that it is based on USERID and not in NTNAME. Also, I don't know if you distribuited your app with publisher... I suspect that my problem comes from the distribution but I don't why...

Thanks.

Peter_Cammaert · ‎2013-09-27

Well the funny thing is that everything is working as expected (even "strict exclusion") if we assume that the application is correctly configured but QVS has problems identifying the user for Section Access.

If I look at all those screenshots, it seems that section access always comes up with the same profile CARLOSREYES, whether OSUser() reports some other user or not. And that means that the application, upon being opened, is always presented by QVS with the same account, probably the service account.

Could this be an entirely different problem? With AD Queries or with the configured DSC?

If you post the last version of the application here, I'll test it with our own publisher. Just to make sure that it isn't application-design-related.

Peter

Bill_Britt · ‎2013-09-27

Hi Carlos,

If you tested on my server it is using both NTname and UserID. Attached is the document and you will have to user admin to get into it. I did change the script from what you had. When you look at the script my service account for publisher is qvpub.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

Carlos_Reyes · ‎2013-09-27

Bill and Peter,

After reviewing my document based on Bill's document I realized my horrible mistake. It was right in front of me but it seems my mind was blind to the obvious. So, I realized that, as both said, everything was working as expected and I had to put a blank value into CARLOSREYES profile for Section Access and delete CARLOSREYES record from the data table. So, this is the code that worked:

Section Access;

SECURITY:

LOAD * INLINE [

ACCESS,    NTNAME,                    USER

    ADMIN,    EVOLCON-CR\CARLOSREYES,

    USER,    EVOLCON-CR\PRUEBA1,        PRUEBA1

    USER,    EVOLCON-CR\PRUEBA2,        PRUEBA2

];

Section Application;

SHEET_ACCESS:

LOAD * INLINE [

    USER,            SHEET1,    SHEET2

    PRUEBA1,          1,            0

    PRUEBA2,          0,            1

];

I want to thank you both for helping to me to realize this dumb error.

Although, this message is the real asnwer to what I needed, Bill's document taught to me another and more complete method to do this kind of requiriment. So, the answer goes to him.

Thanks a lot !