pierreguss1
Partner - Contributor II

Section Access: is this normal?

Hi community

I'm wondering about the behaviour of Section Access (Qlik Sense November 2019).

To illustrate the questions, let's load a table with two fields and two rows:

pierreguss1_0-1597238474469.png

And now, playing with Section Access

Comments:

  • KEY is associating authorizations and data.
  • Reload is always performed through the QMC (user SA_SCHEDULER)

Here are the different tests and the results (green = seems OK to me / orange = strange):

pierreguss1_1-1597238526050.png

 

It looks like:

- The wildcard character (*) relies on authorizations that are specifically defined for other users (case 4). Impact: a USERID with ACCESS * will not have access to all data, but only to data that are provided to other restricted users (case 2). It might have a huge impact on designing apps and their integration.

- If a user has "ADMIN" access and there is a mistake in the KEY field, he will have access to all data (case 6).

 

I would like to know if these behaviors

  • Are considered bugs: in this case, what is the difference between ADMIN and USER in ACCESS mode?
  • OR are "working as designed": in this case, is there documentation on this topic?

Thanks

12 Replies
tresesco
MVP


If I am the only user & I set ADMIN / * => I get all data

If I add a user with access to A, and I'm still ADMIN / *, I have access to A only

Weird, isn't it?


No, it's not. The Qlik behavior is as designed, so it's not weird. But maybe it is weird that our explanation is not clear enough, and every time we find a behavior that can't be justified with what was explained in the previous discussion. Let me try to explain this '*' and ADMIN combination in better terms.

For ADMIN, '*' means all the values that other users have access to (i.e., all the values mentioned in the section access table). Given that, if there is no access for other users, then it's ALL access for ADMIN.

For USER, '*' means all the values that are mentioned in the section access table. And no access here means no access. That means the meaning of '*' is NOT ambiguous; it's always 'all the values in the section access table'. The only fact to consider is that for ADMIN, it can't be no access (for obvious reason) at any point in time: if it becomes so implicitly, it would become ALL access.

Also to note:

  • In QlikView, there is a difference between desktop and server environment behavior. In a server environment, ADMINs are also USERs. That means there are no additional benefits even for ADMIN. An ADMIN's section access would be treated along the same lines as a USER's.
  • '*' and empty string/no match value are NOT the same (in QlikView desktop). They are the same in meaning only when there is no field value mentioned in the section access table and the user is ADMIN. In fact, empty string is not applicable for USER. Empty string or no match value for ADMIN always means ALL values.
  • In Qlik Sense, the behavior of '*' and empty string or no match value is similar to that of QlikView desktop.

Hope this covers all possible scenarios.
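
The rule stated in the reply above can be modelled in a few lines to check an authorization table before it is deployed. This is an added example, not part of the original post and not Qlik's own code; the function names, the user names other than SA_SCHEDULER, and the sample table are assumptions.

```python
# Model of the '*' rule as stated in the reply above; not Qlik's own code.
# Table rows, user names and data values below are constructed samples.

def listed_values(section_access):
    """All explicit reduction values in the table ('*' and blanks excluded)."""
    return {key for _, _, key in section_access if key not in ("*", "")}

def visible_values(section_access, userid, data_values):
    """Return the set of data values `userid` sees after reduction."""
    rows = [(acc, key) for acc, uid, key in section_access if uid == userid]
    if not rows:
        return set()                      # user not in the table: denied
    listed = listed_values(section_access)
    granted, is_admin = set(), False
    for access, key in rows:
        is_admin = is_admin or access == "ADMIN"
        granted |= listed if key == "*" else {key}
    granted &= set(data_values)           # only values that exist in the data
    if not granted and is_admin:
        return set(data_values)           # ADMIN can never end up with no access
    return granted

def audit(section_access, data_values):
    """Flag rows whose effective access differs from what the row suggests."""
    findings = []
    for access, uid, key in section_access:
        seen = visible_values(section_access, uid, data_values)
        if key == "*" and seen != set(data_values):
            findings.append((uid, "'*' does not cover all data", sorted(seen)))
        elif key not in ("*", "") and key not in data_values and seen:
            findings.append((uid, "unmatched KEY grants ALL data", sorted(seen)))
    return findings

DATA = {"A", "B"}                         # constructed: two rows, as in the question
TABLE = [                                 # constructed authorization table
    ("ADMIN", "SA_SCHEDULER", "*"),
    ("USER",  "USER1",        "A"),
    ("USER",  "USER2",        "*"),
    ("ADMIN", "ADMIN2",       "X"),       # typo: "X" is not in the data
]

if __name__ == "__main__":
    for uid in ("SA_SCHEDULER", "USER1", "USER2", "ADMIN2"):
        print(uid, sorted(visible_values(TABLE, uid, DATA)))
    for finding in audit(TABLE, DATA):
        print("FINDING:", finding)
```

In this model the two `'*'` rows resolve to A only, and the ADMIN row with the mistyped KEY resolves to all data, which are the two outcomes the question marked as strange.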

  

pierreguss1
Partner - Contributor II
Author

Tresesco, Tm_burgers, 

Many thanks for your explanations and the time you spent for them. You explained the rule very clearly, and it perfectly covers the different cases I can imagine.

I still do not understand the reason why the rule has been designed that way (usually, any Qlik design is crystal clear to me). I think the best explanation is the sentence "for ADMIN, it can't be no access (for obvious reason)", even if I do not find any "obvious" reason. I will think about it in the future 😉

I give the solution to the previous post of Tresesco, as the summary of the rule should be helpful for all members of the community. But thanks to both of you 🙂

tresesco
MVP

"obvious reason" - 

Section access is actually a legacy concept that comes from QlikView. And in QlikView desktop (strict exclusion enabled), if you don't have access to the data of the application, you are locked out. And an admin being locked out means the application is lost. However, in Qlik Sense you can still open the file with no data and modify your script.