topic Re: Security issue in QlikView

Security issue

datanibbler — Mon, 26 Jan 2026 18:19:17 GMT

Hi,

I have one app - with personell data - that is of course password-protected. There are two logon_tickets:

- One for myself and the developers (granting full access)

- One for the rest of the world (granting only viewing)

<=> This app (the figures contained in this app that is) are talked of every day at 8am in a special meeting that takes place every day.

=> The manager leading this meeting seemed to be not altogether happy with the fact that they have to enter a password, however
simple, to access that data.

<=> I won't sacrifize security altogether just for a little bit more comfort.

=> My question is: When the app for this meeting is opened, it contains a link opening the HR_app - could I pass the
logon_information in some form from this app to the HR_app so entering the username and password is not necessary? (there
would be no damage in that since the "regular" users can only view the data)?

((=> Alternatively, I will copy that app and in the copy (intended for everybody and specifically for that meeting), I'll just use
AutoNumber() to replace all sensitive information so that that app does not have to be protected - but that is tricky and will take a
while since the sensitive info should then not be in the DataModel in the first place, so it has to be well thought thru.))

Thanks a lot!

Best regards,

DataNibbler

Re: Security issue

Bill_Britt — Wed, 09 Apr 2014 14:09:36 GMT

Hi,

So you are using section access. Are you publishing the application using QV server are they user opening it with the desktop Client?

You can solve this by using NTNAME in section access and not USERID

Bill

Re: Security issue

datanibbler — Wed, 09 Apr 2014 14:15:08 GMT

Hi Bill,

yes and yes and no:

- I am using SECTION_ACCESS.

- I donÄt have the QV_Publisher, only a QV_Server

- The users are opening the app in the Browser.

NTNAME would be the Windows logon?

Hmm... could I simplify that a bit and just specify my own NTNAME for ADMIN access and just imply that all others have USER access, without explicitly stating every NTNAME?

Thanks a lot!

Best regards,

DataNibbler

Re: Security issue

Bill_Britt — Wed, 09 Apr 2014 14:22:38 GMT

Hi,

One thing to remember that anytime a document is open in server everyone is a "User" and no one is an "Administrator".

Yes, that would be the Windows login

Yes, You would use something like this.

Access;
LOAD * INLINE [
ACCESS, NTNAME
ADMIN, YOURUSER
USER, ME
USER, BOSS
];

Section Application;

Re: Security issue

Roop — Wed, 09 Apr 2014 15:39:41 GMT

I have had a similar problem to this and used a totally different method that provides you with security and availabilty:

You create additional columns on the Access table that can be used.

Create one called SECURE_ACCESS and set it to Y for yourself and N for all others.

You then put a conditional statement on the sheet of SECURE_ACCESS = 'Y'. This means that those people who allowed to see the sheet will do so and all others will not.

You can then go further to give access to a number of sheets by using buttons that would only appear if SECURE_ACCESS = 'Y' and these then make other sheets appear/disappear.

I hope that this helps - I have used it successfully in the past.

Re: Security issue

datanibbler — Thu, 10 Apr 2014 08:25:56 GMT

Hi Rupert,

of course that would be a possible method.

<=> My goal is not to have additional info in the SECTION ACCESS, but to somehow automatically fill the logon_data required by the SECTION ACCESS in the first place - but ONLY when the app is opened via document_chaining from that "morning_meeting_app".

@ Bill

The idea of using NTNAME for the SECTION ACCESS is good, that would avoid the logon_window. Only it is not sure that morning_meeting is always going to be held using the same user. - Well, I guess that would just be a question of "educating the users" 😉

I'll try that out on a non_sensitive app.

Best regards,

DataNibbler

Re: Security issue

Bill_Britt — Thu, 10 Apr 2014 11:12:51 GMT

HI,

I would guess education is the key here. You would have to put everyone in Section Access that might need to open the document.

Bill

Re: Security issue

datanibbler — Fri, 11 Apr 2014 06:54:16 GMT

Hi Bill,

I guess you are right. Educating the users is both very sensible and even necessary - we are now "going Germany" with QlikView and we're probably going to build everything centrally here. There is necessarily going to be a certain personell_buildup, but that is not going to happen between soo soon, so I just cannot afford any unnecessary spending of time.
Yesterday I spent a few hours actually duplicating the app and hiding personell_numbers with the AutoNumber() fct. and deleting SECTION_ACCESS from
the copy - but tonight I thought, why duplicate an app - that means double work, should any KPI come along to be implemented - which is more than probable.
So I will take the copy where I have already used AutoNumber() everywhere and delete the original and then put in SECTION_ACCESS again with NTNAME
=> I will test this first and make a copy so I cannot by mistake lock myself out 😉 That is one of the mistakes everyone makes once and hopefully not again ...

I also want to use the names - but to be included even in the DataModel ONLY for the HR dpt, so I'll include an OMIT field based on the NTNAME - matching the names to personell_numbers should be no problem since the AutoNumber() is as a rule only used in the very last and final table - all temp_tables are dropped again.

Best regards,

DataNibbler

Re: Security issue

datanibbler — Fri, 11 Apr 2014 09:59:04 GMT

Hi Bill,

I have one more problem:

=> I just tried to switch my SECTION_ACCESS from Username and password to NTNAME

<=> Though I have, in the document_properties, on the "security" tab, strictly limited what those persons classified
as USER can do - they cannot save nor edit the script, for instance - they seem to be able to do just that.

(since I don't know any other user who has a Client SW (except my colleague who is not here), I have added
myself as USER (after creating a backup copy)

<=> when opening the qvw in the client SW, I can still edit the script, save and "save as".

=> I have written SECTION_ACCESS like

ACCESS, NTNAME

USER, DOMAIN\[name].[family_name]

(most users will view the apps in the browser so that their access_rights don't matter anyway, but there might be someone with a client installed)

Thanks a lot!

Best regards,

DataNibbler

Re: Security issue

Bill_Britt — Fri, 11 Apr 2014 14:09:24 GMT

Hi,

You have to set the restrictions in the document properties.

Bill

Re: Security issue

datanibbler — Fri, 11 Apr 2014 14:59:04 GMT

Hi Bill,

I thought of that. Still doesn't work.

Well, I'll just give it a few nights' sleep and tell my colleague to test it again. It should work - there are regularly things on my machine that should actually work, with the correct syntax and all, but they don't - and then suddenly they do.

Thanks anyway!

Best regards,

DataNibbler