topic Re: Sercurity in QlikView

Sercurity

Thu, 12 Feb 2015 07:58:35 GMT

I have a model which I need certain Users to only see specific data.

In the data I have a field called LoS which I want to use to configure my sercurity.

LoS values : Secttion 1

Section 2

Section 3

Section 4

I want certain User to only see Section 3 data in the LoS field

How can I do this?

Re: Sercurity

Colin-Albert — Thu, 12 Feb 2015 08:01:57 GMT

You need to implement Section Access.

Introduction to Section Access

Re: Sercurity

Peter_Cammaert — Thu, 12 Feb 2015 09:03:10 GMT

Add this to the front of your load script. First, make a backup of your document without section access. Just to be safe.

Section Access;

LOAD * INLINE [

ACCESS, USERID, PASSWORD, LOSLINK

USER, USER1, USER1, SECTION3

];

Section Application;

SALink:

LOAD * INLINE [

LOSLINK, LoS

SECTION3, Section 3

];

Then in Settings->Document Properties->Opening, enable "Initial Data Reduction based on Section Access" and "Strict Exclusion". Reload, save and reopen.

Again, make sure you have a backup copy of your document if you start experimenting with Section Access.

Good luck,

Peter

Re: Sercurity

Thu, 12 Feb 2015 13:25:36 GMT

Hi Peter

I tried to apply your solution but have been locking myself out...luckily I've been creating back ups .

Here is the currently implemented sercurity. It is using a SQL table to store Users details. Ho can I add your logic to this sercurity? I want ADMIN to see everything and USER to only see "Section 3" in the LOS field

section access;

LOAD * INLINE [
     ACCESS, NTDOMAINSID, USERID, PASSWORD,USERNAME, SERIAL, NTNAME, USERKEY, SECUREOFFICE, OMIT
     ADMIN, *, TSFORLIFE, TS23, TSFORLIFE, *, *,DEIXIS,*,
     ADMIN, *, TSFORLIFE, TS23, TSFORLIFE, *, *,DEIXIS,ALL,
     ADMIN,S-1-5-21-220523388-1326574676-725345543,*,*,*,*,za-server$,*,*,
     ADMIN,S-1-5-21-220523388-1326574676-725345543,*,*,*,*,za-server,*,*,
];

//NT AUTHENTICATION
LOAD
//IF(TYPE='QVE','ADMIN','USER') AS ACCESS,
upper([TYPE]) AS [ACCESS],
'S-1-5-21-220523388-1326574676-725345543' as NTDOMAINSID,
'*' AS USERID,
'*' AS PASSWORD,
upper(USERID) AS USERNAME,
'*' AS SERIAL,
upper(USERID) AS NTNAME,
upper(USERID) AS USERKEY,
UPPER([SEC_GROUP]) AS SECUREOFFICE,
OMIT;
SQL SELECT
USERID,
     "SEC_GROUP",
     "PASSWORD",
     "TYPE",
     "QV_NOT_SHEETS",
     OMIT,
     MODEL,
     COMMENTS
FROM QLIKVIEW.LVE."SECURITY_QLVADMIN"
WHERE MODEL = '$(vModel)';

section application;
star is ;

Re: Sercurity

Peter_Cammaert — Thu, 12 Feb 2015 14:00:45 GMT

Two questions:

Do you really need all those different authentication types & fields? On average, in an enterprise environment, NTNAME will do (fill it with domainname\accountname combinations).
Is this just an access table, or do you reduce already according to the security ID? To put it differently, does any of the fields USERNAME, USERKEY or SECUREOFFICE link through to the data model of your document? If yes, you'll have to create a composite key.

Don't forget that the Role = ADMIN does not exist in the AccessPoint. Overthere, everyone is treated as an ordinary USER.

Peter

Re: Sercurity

Thu, 12 Feb 2015 19:33:36 GMT

This Section Access script was done by another developer so I'm much clued here.

What I do know is the model owner wants the data automatically reduced for all USER access and yes there is a field on the table SECUREOFFICE linked through to the data model