Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Save $600 on Qlik Connect registration! Sign up by Dec. 6 to get an extra $100 off with code CYBERSAVE: REGISTER
cancel
Showing results for 
Search instead for 
Did you mean: 
pierreguss1
Partner - Contributor II
Partner - Contributor II

Section Access : is this normal ?

Hi community

I'm wondering about the behaviour of Section Access (Qlik Sense November 2019)

To illustrate the questions, let's load a table with two fields and two rows :

pierreguss1_0-1597238474469.png

And now, playing with Section Access

Comments :

  • KEY is associating authorizations and data.
  • Reload is always performed through the QMC (user SA_SCHEDULER)

Here the different tests, and the results (green = seems ok to me / orange = strange)

pierreguss1_1-1597238526050.png

 

It looks like:

- Wild character (*) relies on authorizations that are specifically defined for other users (case 4). Impact : a USERID with ACCESS * will not have access to all data, but only data that are provided to other restricted users (case 2) - It might have a huge impact on designing app and their integration.

- If a user has an access "ADMIN" and there is a mistake in the KEY field,  he will have access to all data (case 6)

 

I would like to know if these behavior

  • Are considered as bugs : in this case...what is the difference between ADMIN and USER in ACCESS mode ?
  • OR "working as designed" : in this case, is there a documentation on this topic ?

Thanks

Labels (1)
1 Solution

Accepted Solutions
tresesco
MVP
MVP


If I am the only user &  I set ADMIN / *=> I get all data

If I add a user with access to A, and I'm still ADMIN / *, I have access to A only

Weird, isn'it ?


No it's not. The qlik behavior is as designed, so it's not weird. But may be it is weird that, our explanation is not clear enough and every time we find a behavior that can't be justified with explained the previous discussion. Let me try to explain this '*' and ADMIN combination in a better term.

For ADMIN, '*' means all the values that other users have access to (.i.e - all the values mentioned in the section access table). Given the fact that, if there is no access for other users, then it's ALL access for ADMIN. 

For USER, '*' means all the values that are mentioned in the section access table. And no access here means, no access. That means, the meaning of '*' is NOT ambiguous, it's always 'all the values in the section access table'. Only fact to consider, is that for ADMIN, it can't be no access (for obvious reason) at any point of time - if it's becomes so implicitly, it would become ALL access.

Also to note: 

  • in QlikView, there is a difference between desktop and server environment behavior. In server environment ADMINs are also USERs. That means, there is no additional benefits for even ADMIN. ADMINs section access would be treated in the same line as of a USER.
  • '*' and empty string/no match value are NOT same (in QlikView desktop). They are same in meaning only when there is no field value mentioned in section access table and user is ADMIN. In fact, empty string is not applicable for USER. Empty string or no match value for ADMIN always mean ALL values. 
  • In Qlik Sense, the behavior of '*' and empty string or no match value are similar to that of QlikView desktop.

Hope, this covers all possible scenarios.

  

View solution in original post

12 Replies
tm_burgers
Creator III
Creator III

Based on your example it is working as designed; any user with Admin access will see all data fields regardless of what is in the "Key/Reduction" field.

It is a known and documented case about * meaning all available key fields defined within the Section Access table. 

 

See the below documentation:

https://community.qlik.com/t5/Qlik-Design-Blog/A-Primer-on-Section-Access/ba-p/1465766

https://community.qlik.com/t5/Qlik-Design-Blog/Tips-and-tricks-for-section-access-in-Qlik-Sense-2-0/...

tresesco
MVP
MVP

This is  "working as designed". Two important points to understand:

 - ADMIN user has access to all data

-   '*' in field means (for USER) all the values of the field that are mentioned in section access and not necessarily ALL from the field itself.

There are many good articles on section access you can refer, like:

A-Primer-on-Section-Access 

https://support.qlik.com/articles/000004090 

pierreguss1
Partner - Contributor II
Partner - Contributor II
Author

Thanks for your reply and for the links (that are Qlikview oriented, not Qlik Sense)

I don't understand your answer "ADMIN user has access to all data" 🤔

  • If I have an authorization "ADMIN" and KEY = 'A', I see only A, and not B (even if another user has access to B - i.e. the KEY 'B' exists in the section access)
  • If I have an authorization "ADMIN" and KEY = 'C' (illustration of a mistake, as C does not exist in the set of data), I see everything

This is confusing, isn't it ?

tm_burgers
Creator III
Creator III

If you have an ADMIN user, leave the Key field blank. By stating that they are admin, you are implying that they have access to the full data set.

pierreguss1
Partner - Contributor II
Partner - Contributor II
Author

Thanks

Yes ok, this is a "best practice" and it helps me for a better integration. 🙂

But it does not explain the behavior of the tool...

  • ADMIN + * = all data
  • ADMIN + [Specific value] = access to this specific value
  • ADMIN + [Mistake] = all data

Does this make sense ?

I could understand :

  • ADMIN + anything = all data
  • OR
  • ADMIN + [values] = access to these values

But here, there is a strange mix (?)

tresesco
MVP
MVP

For ADMIN,

No match in value/ '*' / nothing (i.e. - no value in the reduction field) -> All values

Specific value->Specific value.

tm_burgers
Creator III
Creator III

I would guess since for ADMIN it evaluates 'C' as null, since it doesn't exist; and null as Admin gives access to all data?
Just a hypothesis.

tresesco
MVP
MVP

You are right. As I already mentioned above that nothing (null - your hypothesis) gives access to all data.

pierreguss1
Partner - Contributor II
Partner - Contributor II
Author

Mmmm next step in the process...

If I am the only user &  I set ADMIN / *=> I get all data

If I add a user with access to A, and I'm still ADMIN / *, I have access to A only

Weird, isn'it ?