Solved: Section Access disregards reduction fields when th... - Qlik Community

dselgo_eidex · ‎2021-06-17

Hello,

We have been using Section Access in our app to restrict access from our users for some time now, but today I actually noticed something that threw me for a bit of a loop.

We limit access to our users by including data reduction fields for STATE_CODE and REGION_ID in our Section Access load:

Section Access;
Load
    [ACCESS],
    [USERID],
    [STATE_CODE],
    [REGION_ID];
SQL SELECT 
    [ACCESS],
    [USERID],
    [STATE_CODE],
    [REGION_ID]
FROM SourceTable;

Section Application;

Below is an example of the table containing the reduction fields:

STATE_CODE	REGION_ID
MI	1
MI	2
MI	3

We recently acquired data for Indiana, but hadn't loaded it in to our datamodel yet. I modified SourceTable by adding the following row:

ACCESS	USERID	STATE_CODE	REGION_ID
ADMIN	USERS\dselgo	IN	3

After reloading, my expectation was that I would be denied access into the app because there was no data in our datamodel that had a combination of STATE_CODE = 'IN' and REGION_ID = 3, however I was given access and quickly discovered that my access had instead been restricted to the 3rd region in MI. This is a huge problem because it means that someone could be given access to a region they are not supposed to see if the STATE_CODE does not exist in the data.

My theory is that QlikSense applies the Section Access data reduction like selecting values in the app. First, it tried to select the value 'IN' on the field STATE_CODE, but because there wasn't any value in that field no selection was made. Next, it tried to select the value '3' on the field REGION_ID, and since the previous selection hadn't been made it did make the selection.

Could anyone tell me if the behavior I described above is how Qlik Sense reduces the data via the Section Access table? And if so, is there a way that I can set up Section Access to enforce all of the reduction field values?

Or · ‎2021-06-17

You are correct in that section access row-level permissions are done via a selection process. This is explained, albeit not very clearly, in the documentation:

After user login, Qlik Sense matches the selections in reduction fields in the access section to any fields in the application section with exactly the same field names (the field names must be written in uppercase). After the selections have been made, Qlik Sense permanently hides all data excluded by these selections from the user.

If no selection is made (because the value doesn't match anything in the data), all data will be shown for this field because no values are excluded.

View solution in original post

Or · ‎2021-06-17

You are correct in that section access row-level permissions are done via a selection process. This is explained, albeit not very clearly, in the documentation:

After user login, Qlik Sense matches the selections in reduction fields in the access section to any fields in the application section with exactly the same field names (the field names must be written in uppercase). After the selections have been made, Qlik Sense permanently hides all data excluded by these selections from the user.

If no selection is made (because the value doesn't match anything in the data), all data will be shown for this field because no values are excluded.

dselgo_eidex · ‎2021-06-18

That's unfortunate, I will have to keep that in mind going forward. It is strange that this is the behavior though since one of the ideas behind using section access is for data security. If this issue arises, it could give someone access to data they are not allowed to see.

In any case, the documentation for Section Access should be updated to be clearer on this matter. Thanks for your confirmation!

Section Access disregards reduction fields when the value isn't present in the table