dselgo_eidex
Partner - Creator III

Section Access with Anonymous Users

Hello,

I have a Qlik Sense app that restricts data for specific users via Section Access. Recently though, we have elected to grant access to this app to Anonymous users. Users who connect via a specific virtual proxy are allowed access as Anonymous Users.

The issue is that these users were given access by the virtual proxy, but were denied access to the app because of the Section Access table. We could just get rid of the Section Access table, but we still want to limit the data for those specific users. Is there a way that I can set it up so that I restrict the data for authenticated users, but give unlimited access to anonymous users? I know that this seems backwards in terms of data security, but at this point we are mainly using Section Access as a way to limit data for our users for ease of access reasons.

I have tried adding this to the Section Access table:

Concatenate
Load * Inline [
    ACCESS, USERID
    ADMIN, *
    ADMIN, INTERNAL\SA_SCHEDULER
];

And that worked! But now this is basically just giving access to any user, when I specifically want to give it access to Anonymous Users.

I also tried:

Concatenate
Load * Inline [
    ACCESS, USERID
    ADMIN, NONE\*
    ADMIN, INTERNAL\SA_SCHEDULE
];

But that didn't end up working.

1 Solution

Accepted Solutions
marcus_sommer

I assume the use of anonymous users will always cause trouble with regard to full control of the data access.

Therefore I suggest considering removing this access again and enabling a further authentication method. AFAIK multiple ones can be used in parallel, and if I remember correctly most companies use ticket authentication if they want to allow external people access. If those users aren't really external but rather from other parts of the company, there are ways for their domains to trust each other. I don't think that this is trivial and you may need professional support for it, but in general it should be possible.

If you want to stay with the current approach, you may bypass this challenge by providing not a single application but multiple ones. Of course it does cost some effort and resources to maintain n applications ...

- Marcus  


5 Replies
marcus_sommer

I'm not sure exactly how the section access is implemented, but in many security tools/measures you can set multiple entries for a user, and the lowest set permission, or any prohibition, wins. Maybe you could adapt this logic within Qlik, too.

Besides this, did you check what osuser() and/or qvuser() return for these anonymous users? Maybe there is a value which you could use within the section access.

Another approach may be to restrict the data with osuser() and/or qvuser() within the UI, maybe within calculation conditions or set analysis or similar measures.

- Marcus

dselgo_eidex
Partner - Creator III
Author

OSUser() returns "UserDirectory=NONE; UserId=anonymous{random GUID}".

I knew that the UserDirectory and UserId were like that, which is why I tried adding "NONE\*" to the Section Access table, but it appears that you can't use wildcards in the USERID column like this.

I do think that the set analysis is still limiting the data for users with entries in the table, so that is good. My worry is that if any non-anonymous user tries to access the app, they will get full access to the data (I realize what I just said sounds insane lol).
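
An audit helper for the behaviour reported in this thread, added here as an example and not part of any post: it parses the OSUser() format quoted above, flags Section Access rows whose USERID is a lone `*` (which admits every user, not only anonymous ones), and flags partial wildcards such as `NONE\*`. The matching rule encodes only what the posters report; the function names, the `CORP\JDOE` row and the sample OSUser() values are constructed.

```python
import re

# Constructed sample rows (ACCESS, USERID), modelled on the two inline tables in the question.
SAMPLE_ROWS = [
    ("ADMIN", "*"),
    ("ADMIN", "NONE\\*"),
    ("ADMIN", "INTERNAL\\SA_SCHEDULER"),
    ("USER", "CORP\\JDOE"),  # hypothetical restricted user
]

OSUSER_RE = re.compile(r"UserDirectory=([^;]*);\s*UserId=(.*)", re.IGNORECASE)


def parse_osuser(value):
    """Split an OSUser() string into (directory, user_id), upper-cased."""
    m = OSUSER_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unrecognised OSUser() value: {value!r}")
    return m.group(1).strip().upper(), m.group(2).strip().upper()


def is_anonymous(value):
    """True for the anonymous identity format quoted in the thread."""
    directory, user_id = parse_osuser(value)
    return directory == "NONE" and user_id.startswith("ANONYMOUS")


def row_matches(userid_cell, osuser_value):
    """Assumed rule, from the thread: a lone '*' matches anyone, all else is literal."""
    cell = userid_cell.strip().upper()
    if cell == "*":
        return True
    directory, user_id = parse_osuser(osuser_value)
    return cell == f"{directory}\\{user_id}"


def audit(rows):
    """Return (USERID, reason) for every row that is broader or narrower than intended."""
    findings = []
    for access, userid in rows:
        cell = userid.strip()
        if cell == "*":
            findings.append((userid, f"{access} row applies to every user, not only anonymous ones"))
        elif "*" in cell:
            findings.append((userid, "partial wildcard is compared literally and matches no one"))
    return findings
```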

dselgo_eidex
Partner - Creator III
Author

Thanks for the help Marcus. I actually decided against using Anonymous Users after all because of the security issues. At first, I only pursued that as an option because we didn't have a way to identify and create those special users, but I figured out a way to do it. Thanks for your advice on this!

jp_golay
Partner - Creator II

You can now test our new product SAM, which will fully automate Section Access generation.

It is no longer necessary to maintain a section access list in Excel or in your database; SAM offers you a complete web application that will secure all your data accesses.

A user can request access to an application with a simple form. Then administrators get notified and can assign the RESTRICTIONS and OMITS from the proposed field values. User access is generated from a single line per user; no need to generate tedious Cartesian products and include all values to get a "*" value working correctly.

Moreover, SAM is able to generate an automatic Section Access from the authorizations of the QMC and reverse engineer existing Section Access, a time saving for simple cases.

More details on our website or contact me at jp.golay@ebiexperts.com


ebiexperts CTO
With WIP, Control everything!
Qlik Sense, QlikView and NPrinting Source control, Versioning and Deployment, Agile Lifecycle Management