topic Re: DMS security using NT users and local security groups in QlikView

DMS security using NT users and local security groups

abm_trevor — Mon, 26 Jan 2026 18:19:17 GMT

For various reasons around client AD security rules I am trying to implement a document access regime using the following:

DMS security
Local security groups on the QlikView server
Domain (NTFS) users only within the local security groups

From a physical standpoint this works fine - the right users are getting access to the right documents via the local security groups. The issue I have is that when I look at a User in the QMC it does not reflect any of the local groups that they belong to or any of the documents they can access via the local groups. This makes it very cumbersome to establish who has access to what.

Is there a setting or something in QlikView that will allow me to display this information correctly? It will work perfectly if I use Domain security groups, but there are some logistical internal reasons that this will become very inefficient.

Thanks

Trevor

Re: DMS security using NT users and local security groups

marcus_sommer — Wed, 01 Jun 2016 09:31:56 GMT

For me it's not quite clear what do you mean with local security groups and if you used the NT- or the DMS-mode for the authentication?

- Marcus

Re: DMS security using NT users and local security groups

abm_trevor — Wed, 01 Jun 2016 09:38:39 GMT

Hi Marcus

As per above, I am using DMS authentication. I have created local security groups (not Domain security groups) on the QlikView server, and added domain users to those local security groups.

Hope that clarifies it.

Thanks

Trevor

Re: DMS security using NT users and local security groups

awhitfield — Wed, 01 Jun 2016 10:10:15 GMT

Hi Trevor,

can you upload a couple of screen shots from QMC, to better illustrate the issue?

Andy

Re: DMS security using NT users and local security groups

Peter_Cammaert — Wed, 01 Jun 2016 12:09:37 GMT

Did you create a DSC for the "Local Directory"? QMC doesn't know anything if it cannot connect by itself to the various directory services.

Re: DMS security using NT users and local security groups

syukyo_zhu — Wed, 01 Jun 2016 12:26:12 GMT

Hi,

why didn't you try to create account directly in your serveur and use NTFS authorization? it will work better than create local accounts in QMC.

Re: DMS security using NT users and local security groups

abm_trevor — Wed, 01 Jun 2016 12:26:39 GMT

Hi Andrew

Unfortunately it's a client's server, so I have to be discreet about what I publish. Essentially the QMC recognises the local security groups, allows me to authorise them for a document, and allows access to the users in those local groups. What it doesn't do is reflect that access in the Users section. I have access to 20 documents but the QMC says I have none.

Hope that makes sense.

Re: DMS security using NT users and local security groups

abm_trevor — Wed, 01 Jun 2016 12:27:39 GMT

Hi Peter

Yes, and the QMC recognises the local security groups. It just doesn't reflect the document access granted via those groups.

Thanks

Trevor

Re: DMS security using NT users and local security groups

abm_trevor — Wed, 01 Jun 2016 12:38:26 GMT

I am not creating users in the server, I am assigning domain (NT) users to local server security groups.

In this instance DMS authorisation works better for me than NTFS authorisation.

Thanks

Trevor

Re: DMS security using NT users and local security groups

marcus_sommer — Wed, 01 Jun 2016 12:42:02 GMT

The question from syukyo_zhu is a good one. Beside them AFAIK there is no way to look within the qmc who had access to which application. By using the NT mode or a local NT directory you will need to query the directory which groups have where access and which users belong to them. By using the DMS with a custom directory the access-informations are stored within the meta-files (which could be read from sharedfile-viewer: Re: Reading .meta file into Qlikview).

- Marcus

Re: DMS security using NT users and local security groups

syukyo_zhu — Wed, 01 Jun 2016 12:57:44 GMT

Hi marcus,

But you can also get access information from file pgo if you use NFTS.

Re: DMS security using NT users and local security groups

marcus_sommer — Wed, 01 Jun 2016 13:09:44 GMT

That's good to know - I haven't never used NT and with DMS those informations aren't there.

- Marcus

Re: DMS security using NT users and local security groups

marcus_sommer — Wed, 01 Jun 2016 13:11:55 GMT

What "works better" - what are the benefits?

- Marcus

Re: DMS security using NT users and local security groups

Peter_Cammaert — Wed, 01 Jun 2016 13:26:26 GMT

(Sorry for being late, someone rang at the door)

Marcus & xia, I don't think Trevor is using anything from the Custom Directory area. Simply because in QlikView it is still impossible to mix for instance AD accounts and Custom groups and vice versa.

Local (machine) directory groups and AD accounts on the other hand offer one very important advantage: the QlikView Administrator is usually boss on his/her own QlikView server and can add/remove/manage users easily by putting them in local groups that are under his/her control. Instead of having to ask a company sysadmin every time a user needs to be granted/deneied access to a document (and getting a service ticket and an unknown completion time).

So IMHO all of this is already happening in a Windows NTFS & AD environment, with only one catch: QMC doesn't know how to properly display group membership between two directory providers.

Peter

Re: DMS security using NT users and local security groups

Peter_Cammaert — Wed, 01 Jun 2016 13:31:10 GMT

Then I think this is pretty much unavoidable. See my other (late) answer.

OTOH it's just the QMC that is having problems with displaying the correct info.

Best,

Peter

Re: DMS security using NT users and local security groups

abm_trevor — Wed, 01 Jun 2016 14:18:31 GMT

Thanks Peter

Yes, your previous reply hit the nail on the head. Everything is working as expected except the QMC recognising the local group membership and document access in the Users tab.

Normally I use domain groups and it works perfectly, but in this case the process of adding and changing domain group access is quite cumbersome and slow so I was trying to get around that by using local groups which are under our own control.

So my options appear to be follow the slower process through domain groups or use local groups and pull the missing security information into a QlikView document.

Thanks all for your assistance.

Trevor