Example: How NTFS authorization works

Yoichi_Hirotake — Fri, 21 Aug 2020 11:51:27 GMT

QlikView Server has two types of Authorization. NTFS and DMS. This article explains how NTFS authorization works by using an example.

In short, QlikView follows this method when validating if a user has access to a document or is allowed to open it:

Is the user authenticated? Do I know who they are? This step is usually performed by Windows or a Single Sign on System.
Does the user have file access? With NTFS mode, this step is performed by Windows on disk. The document needs to have the correct Windows file permissions to allow the user to see the document.
Does the user have file access (Section Access)? A second step and a secondary security measure. Section Access is done directly in the document.
Does the user have a license? Checks if the user has a CAL assigned.

Steps:

In this example, we are using a domain named domain.local
Three users were created:

Domain\User1
Domain\User2
Domain\User3

This example uses Section Access as well. Section Access is not required.

We have a document named SectionAccess.qvw.
The document is secured with a Section Access script allowing access to Domain\User1 and Domain\User2 exists in section access. Domain\User3 doesn’t exist in section access.

The document has "Initial Data Reduction Based on Section Access" Option enabled.

We store SectionAccess.qvw in the AccessPoint document folder \\dc1\share\Front-end\UserDocuments.

The folder is configured to grand access to Everyone. This can be changed to give access to specific users or groups, such as User1 or a group that all of our users belong to.
NTFS permissions rely on Windows permissions given on disk.

SectionAccess.qvw is stored in the document folder:

Ensure that the Directory Service Connector is correctly connected to the user directory. In our cases, it is the Active Directory named domain.local. This is necessary for managing CALs and distribution tasks. It does not affect the permissions on disk.

Verify that the QlikView Server is set up to use NTFS authorization.

Open the QlikVIew Management Console
Navigate to System > Setup > QVS@yourserver
Switch to the Security tab
Check NTFS in the Authorization section.

With the above shown example, User1 and User2 will be able to open the document SectionAccess.qvw, as they are in the Section Access Table and have access on disk to open the document.

To test, log on to a system using User1.
You can verify the logged on user with the command line whoami.

Opening the AccessPoint with this user will show that the userID matches the one in the Section Access table and the Everyone permissions on the file allow file access.

User2 will also be able to open the document.
User3 will not be able to see or open it.

article Example: How NTFS authorization works in Official Support Articles

Example: How NTFS authorization works

Steps: