Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Anonymous
Not applicable

Qlik Sense - Security for data stored in QVDs

Hey all,

So we've run into a bit of a snag in our Qlik Sense Enterprise setup surrounding data security (yes, we should have thought about it sooner - we didn't). So far in our Qlik journey it's just been me and another developer working in our Qlik environment, treating it as a sandbox more or less learning about best practices and developing standards before we integrate the rest of he organization.

We have a SQL Data Warehouse where our data is stored, and have created a Data Loader app that loads, prepares, and saves each table into a QVD into a directory on the server. We have a data connector linked to that directory so that all QVDs are available for use. This setup works well - we like. Our problem: Not all QVDs should be available for all users. For instance, we have 5 or 6 QVDs (tables) that contain sensitive HR data that only a select few people should be able to access.

We've look at section access and I feel that's probably the best route - we would like to keep all QVDs in a central location (everyone could see the Employee QVD, but only some can actually access the data). We can't figure out how to actually implement this though - how do we apply section access to whole tables. The example for section access we've found seem to be hard to apply to our situation / we don't full understand how it works.


In the QMC we've created a custom property "QlikUser", applied to user types, and added a value "HR Data Access".... now what? Are we are the right track? Is our setup feasible? Or are we totally wrong with our approach. Would really love your feedback!!!

1 Solution

Accepted Solutions
oknotsen
Master III
Master III

I fear you will have to let go of your current idea.

There is no security possible on QVDs. Everyone with the (freely downloadable) latest version of either QlikView or Qlik Sense can read the content if they have access to those QVDs.

The solution is easy:

Don't give people access to the folder that contains QVDs of which they should not have access.

To my knowledge, that is the only (and relatively easy) solution.

May you live in interesting times!

View solution in original post

4 Replies
oknotsen
Master III
Master III

I fear you will have to let go of your current idea.

There is no security possible on QVDs. Everyone with the (freely downloadable) latest version of either QlikView or Qlik Sense can read the content if they have access to those QVDs.

The solution is easy:

Don't give people access to the folder that contains QVDs of which they should not have access.

To my knowledge, that is the only (and relatively easy) solution.

May you live in interesting times!
Anonymous
Not applicable
Author

Thanks for you help Onno - you're solution is probably the easiest one and the one we'll go with most likely. It's not as clean as I'd like it to be (we'll end up with many QVD directories eventually), but it's easy enough to manage.

flaurntiu
Partner - Contributor III
Partner - Contributor III

As far as i know it is not possible to do so using section access.


Your best option would be to separate the data in the QVD files by using a separate folder and allow only certain people from certain groups access to that connector.
Another option might be to use the NTFS security from Windows and restrict access to the folder using that security layer. Users within Qlik can't access those files without appropriate rights.

sc305495
Contributor
Contributor

I might sugest useing the QMC controlls and setting up folder connections, this way you can control who has access to the HR data by way of granting / revoking access to the folder connection.

It's important to remember that when on the server, it's never the independent users actually accessing the data... but the Qlik service account (the account running the Qlik Sense Enterprise services on the server).  So the service account can access ANYTHING on the server, you need to make sure the QMC is setup to only allow the appropriate users to have the service account go get that data on their behalf.