Change in QMC Reload Permissions

fish417913 — Wed, 16 Aug 2023 12:42:20 GMT

I'm on a team that supports a customer on QlikSense Enterprise. For months, we've been using an automated reload task that occurs every 24 hours. Unless a problem occurs on the connection with Databricks (which would be evident in the logs), we rarely have issues.

Recently, we were told that reload tasks created in the QMC would no longer run as the sa_scheduler user. Rather, they would be run as the app owner.

In the past 24 hours, the app we have published in the Production stream is no longer accessible. The reload task is still successfully executing, according to QMC. However, when we try to view the app, a box pops up that says "Error Occurred: Access Denied".

We have section access on this app and have utilized it for several months without any problems. The app owner is already in the section access list with full access.

Has anyone encountered such a problem before? If so, how did you solve this problem?

Re: Change in QMC Reload Permissions

Lisa_Sun — Mon, 21 Aug 2023 01:00:31 GMT

By default, the internal system account, SA_SCHEDULER, is used to run reload tasks. This account has elevated privileges and, technically, can use any data source. There is a setting, however, in the QMC that uses impersonation to run reload tasks with the permissions of the app owner instead of the internal system account. By configuring this setting, the app owner and not SA_SCHEDULER is used for reloads, meaning that you do not add SA_SCHEDULER in the Section Access table but instead add the app owner. Within a task chain, apps can have different owners with permissions to sources dependent on each owner's access rights. See Service cluster for more information.

Managing data security with Section Access | Qlik Sense on Windows Help

topic Re: Change in QMC Reload Permissions in Management & Governance

Change in QMC Reload Permissions

Re: Change in QMC Reload Permissions