Hi all,
Does somebody know if it is possible to grant user access on app level based on AD attribute 'Department'? The idea is that based on the AD group, access is granted on stream level. Group name and stream name are alike. The security rule will be something like ((user.group = resource.name)). --> resource = stream
Within a stream there will be different apps. Based on the attribute 'Department' in the AD we want to grant access on app level. I am aware of the existence and use of custom properties but for this case I'm looking for a more automated solution. So what I'm imagining is the following:
1. IT adds a new group 'new customer' to the AD
2. Within this group there are several users from different "departments": user1 | attribute "department"=management, user2 | "department"=sales and user3 | "department"=finance.
After adding the necessary information to the AD we want to use this information to create a security rule on app level, something like
((user.department like resource.name)) --> resource = app
Does somebody have any idea?
Thank you in advance for thinking along with me!
Kind regards,
Tamarah
There's no direct way to do this, but I have worked on a workaround to do this in the past.
Using your Qlik app you may connect to AD and import your needed data:
user name, department and other fields:
(OLE DB connection to Active Directory)
AD_Users:
load
division AS [Division],
displayName AS [Display Name],
department AS [Department],
company AS [Company],
co AS [Country],
cn AS [Name];
sql select
accountExpires,
assistant,
badPasswordTime,
badPwdCount,
c,
cn,
co,
company,
createTimeStamp,
department,
description,
directReports,
displayName,
distinguishedName,
division,
employeeID,
facsimileTelephoneNumber,
generationQualifier,
givenName,
homeDirectory,
homeDrive,
homePhone,
homePostalAddress,
info,
initials,
internationalISDNNumber,
ipPhone,
l,
lastLogoff,
lastLogon,
lockoutTime,
logonCount,
logonHours,
mail,
manager,
memberOf,
middleName,
mobile,
modifyTimeStamp,
msExchHideFromAddressLists,
objectCategory,
objectGUID,
objectSid,
objectClass,
otherFacsimileTelephoneNumber,
otherHomePhone,
otherIpPhone,
otherMailbox,
otherMobile,
otherPager,
otherTelephone,
pager,
personalTitle,
physicalDeliveryOfficeName,
postalCode,
postOfficeBox,
primaryInternationalISDNNumber,
primaryTelexNumber,
pwdLastSet,
sAMAccountName,
sAMAccountType,
scriptPath,
sn,
st,
streetAddress,
telephoneNumber,
telexNumber,
title,
url,
userAccountControl,
userPrincipalName,
userSharedFolder,
userWorkstations,
whenChanged,
whenCreated
from 'LDAP://domain.local' where objectClass = 'User' and objectCategory = 'Person';
(check AD user attributes for details)
Then you can construct your section access using this table.
Hope it's helpful.
Regards,
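The Section Access construction mentioned in the answer above, as an added example that is not part of the original post. The inline tables are constructed samples, `DOMAIN` is a placeholder for the user directory name, and it assumes `sAMAccountName` is kept in the AD_Users load alongside the fields shown above.

```qlik
// Constructed sample standing in for the AD_Users table from the LDAP load.
// user4 has no department, to show how a missing attribute is handled.
AD_Users:
LOAD * INLINE [
sAMAccountName, Department
user1, management
user2, sales
user3, finance
user4,
];

// Constructed application data. The reduction field must exist in the data
// model with the same upper-case name and upper-case values as in Section Access.
Facts:
LOAD Upper(Dept) AS DEPARTMENT, Amount INLINE [
Dept, Amount
management, 10
sales, 20
finance, 30
];

Section Access;
// Service account row so scheduled reloads can still open the app
// (Qlik Sense Enterprise). '*' means every DEPARTMENT value listed in this table.
SectionAccess:
LOAD * INLINE [
ACCESS, USERID, DEPARTMENT
ADMIN, INTERNAL\SA_SCHEDULER, *
];

// One row per AD user. Users without a department get no row at all,
// so they are denied instead of receiving an unreduced data set.
Concatenate (SectionAccess)
LOAD
    'USER' AS ACCESS,
    'DOMAIN\' & Upper(sAMAccountName) AS USERID,
    Upper(Department) AS DEPARTMENT
RESIDENT AD_Users
WHERE Len(Trim(Department)) > 0;

Section Application;

// The raw directory table is no longer needed in the data model.
DROP TABLE AD_Users;
```

This reduces the data a user sees inside one app; it does not control which apps appear in a stream.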
Nice, thank you for sharing!
I think it will help us figure it out.
Hi Khalil,
I'm getting back to you on this issue and maybe you have another idea.
Your provided solutions will work if you have one app and want to add restrictions on data access within that same app. But what I'm looking for is full app access based on AD attribute 'Department'.
As far as I know you can restrict access on AD group level:
But that is the only attribute from the AD I can select. So what I'm looking for is a way to use another attribute from the AD instead of 'group'.
Any ideas are welcome 🙂
Kind regards, Tamarah