Re: Security question - Qlik Community

datanibbler · ‎2013-11-28

Hi,

I want to have a directory created where only few people have access and where I can, for performance reasons, store qvd files with highly sensitive personell data.

=> I have a security question rgd. this so I can find the best arguments with the global_IT guys who have to do that:

=> There is a local group (on the QV server) "QlikView administrators" - these people have access to the mgmt_console. This group currently encompasses three people and a generic_user that is used by IT - that can't be helped.

=> My question is: Can all the people in that group access all the directories where the QlikView_user (one that we created) has access_rights or can they only open the mgmt_console and start tasks - which would not give them access to the raw data, just the app.

Backgr.: That QlikView_user we created - the password is currently known only to three people in the dpt., but I doubt if the others even remember it 😉 - has access_rights to all the base_data that needs to be displayed in QlikView so the automatic reload can work.

Thanks a lot!

Best regards,

DataNibbler

Peter_Cammaert · ‎2013-11-28

IMHO Membership of "QlikView Administrators" is only used to verify if you have access to the QMC. All other (internal) stuff is done by the QMC service account. And as QA member, you won't get any service account permissions on filesystem objects.

Answers to your question: NO (directory access) and YES (open QMC and launch tasks, define tasks, see documents lists, change sttings and the likes)

For example, on the QlikView Enterprise system I'm currently looking at, the group "QlikView Administrators" has no rights to any of the directories that were created to harbour documents, QVD's, script files, batch jobs or anything else. However, since most IT guys belong to both Domain Administrators and QlikView Administrators at the same time, they will be able to access all QlikView files anyway.

BTW the QMC gives you permission to control only few QlikView objects, mostly documents, tasks, users and settings. But not QVD's for example.

Good luck,

Peter

datanibbler · ‎2013-11-28

Hi Peter,

thank you!

that will help me in my argumentation with the IT_folks. So the fact that they are necessarily part of that local group "QlikView administrators" does not give them any access rights - so I guess it's okay that, in addition to that group, the IT_folks also have security access to that directory.

Best regards,

DataNibbler

Peter_Cammaert · ‎2013-11-28

Almost correct. What I'm saying is that whether or not those IT guys are member of local group QlikView Administrators (which indeed gives them almost no rights at all, only access to QMC and maybe some installation folders), they will have access to all directories in any case because they usually are member of the global group Domain Administrators as well. And the Domain Administrators group has access to everything.

It's difficult to give you good advice because every environment is slightly different. Don't hesitate to discuss this with your IT administrators before finalizing your requirements. They know the details of your infrastructure.

Peter

datanibbler · ‎2013-11-28

Hi Peter,

now our IT_guys have created just the directory that I wished for for this purpose: Only myself and the QlikView-user (which we created for the automatic reload to work) have access.

Best regards,

DataNibbler