Solved: Re: Section Access : is this normal ? - Qlik Community

pierreguss1 · ‎2020-08-12

Hi community

I'm wondering about the behaviour of Section Access (Qlik Sense November 2019)

To illustrate the questions, let's load a table with two fields and two rows :

And now, playing with Section Access

Comments :

KEY is associating authorizations and data.
Reload is always performed through the QMC (user SA_SCHEDULER)

Here the different tests, and the results (green = seems ok to me / orange = strange)

It looks like:

- Wild character (*) relies on authorizations that are specifically defined for other users (case 4). Impact : a USERID with ACCESS * will not have access to all data, but only data that are provided to other restricted users (case 2) - It might have a huge impact on designing app and their integration.

- If a user has an access "ADMIN" and there is a mistake in the KEY field, he will have access to all data (case 6)

I would like to know if these behavior

Are considered as bugs : in this case...what is the difference between ADMIN and USER in ACCESS mode ?
OR "working as designed" : in this case, is there a documentation on this topic ?

Thanks

tresesco · ‎2020-08-13

If I am the only user & I set ADMIN / *=> I get all data
If I add a user with access to A, and I'm still ADMIN / *, I have access to A only
Weird, isn'it ?

No it's not. The qlik behavior is as designed, so it's not weird. But may be it is weird that, our explanation is not clear enough and every time we find a behavior that can't be justified with explained the previous discussion. Let me try to explain this '*' and ADMIN combination in a better term.

For ADMIN, '*' means all the values that other users have access to (.i.e - all the values mentioned in the section access table). Given the fact that, if there is no access for other users, then it's ALL access for ADMIN.

For USER, '*' means all the values that are mentioned in the section access table. And no access here means, no access. That means, the meaning of '*' is NOT ambiguous, it's always 'all the values in the section access table'. Only fact to consider, is that for ADMIN, it can't be no access (for obvious reason) at any point of time - if it's becomes so implicitly, it would become ALL access.

Also to note:

in QlikView, there is a difference between desktop and server environment behavior. In server environment ADMINs are also USERs. That means, there is no additional benefits for even ADMIN. ADMINs section access would be treated in the same line as of a USER.
'*' and empty string/no match value are NOT same (in QlikView desktop). They are same in meaning only when there is no field value mentioned in section access table and user is ADMIN. In fact, empty string is not applicable for USER. Empty string or no match value for ADMIN always mean ALL values.
In Qlik Sense, the behavior of '*' and empty string or no match value are similar to that of QlikView desktop.

Hope, this covers all possible scenarios.

View solution in original post

tm_burgers · ‎2020-08-12

Based on your example it is working as designed; any user with Admin access will see all data fields regardless of what is in the "Key/Reduction" field.

It is a known and documented case about * meaning all available key fields defined within the Section Access table.

See the below documentation:

https://community.qlik.com/t5/Qlik-Design-Blog/A-Primer-on-Section-Access/ba-p/1465766

https://community.qlik.com/t5/Qlik-Design-Blog/Tips-and-tricks-for-section-access-in-Qlik-Sense-2-0/...

tresesco · ‎2020-08-12

This is "working as designed". Two important points to understand:

- ADMIN user has access to all data

- '*' in field means (for USER) all the values of the field that are mentioned in section access and not necessarily ALL from the field itself.

There are many good articles on section access you can refer, like:

A-Primer-on-Section-Access

https://support.qlik.com/articles/000004090

pierreguss1 · ‎2020-08-12

Thanks for your reply and for the links (that are Qlikview oriented, not Qlik Sense)

I don't understand your answer "ADMIN user has access to all data" 🤔

If I have an authorization "ADMIN" and KEY = 'A', I see only A, and not B (even if another user has access to B - i.e. the KEY 'B' exists in the section access)
If I have an authorization "ADMIN" and KEY = 'C' (illustration of a mistake, as C does not exist in the set of data), I see everything

This is confusing, isn't it ?

tm_burgers · ‎2020-08-12

If you have an ADMIN user, leave the Key field blank. By stating that they are admin, you are implying that they have access to the full data set.

pierreguss1 · ‎2020-08-12

Thanks

Yes ok, this is a "best practice" and it helps me for a better integration. 🙂

But it does not explain the behavior of the tool...

ADMIN + * = all data
ADMIN + [Specific value] = access to this specific value
ADMIN + [Mistake] = all data

Does this make sense ?

I could understand :

ADMIN + anything = all data
OR
ADMIN + [values] = access to these values

But here, there is a strange mix (?)

tresesco · ‎2020-08-12

For ADMIN,

No match in value/ '*' / nothing (i.e. - no value in the reduction field) -> All values

Specific value->Specific value.

tm_burgers · ‎2020-08-12

I would guess since for ADMIN it evaluates 'C' as null, since it doesn't exist; and null as Admin gives access to all data?
Just a hypothesis.

tresesco · ‎2020-08-12

You are right. As I already mentioned above that nothing (null - your hypothesis) gives access to all data.

pierreguss1 · ‎2020-08-12

Mmmm next step in the process...

If I am the only user & I set ADMIN / *=> I get all data

If I add a user with access to A, and I'm still ADMIN / *, I have access to A only

Weird, isn'it ?

Section Access : is this normal ?

Advanced Authoring