Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 
fish417913
Contributor
Contributor

Change in QMC Reload Permissions

I'm on a team that supports a customer on QlikSense Enterprise.  For months, we've been using an automated reload task that occurs every 24 hours.  Unless a problem occurs on the connection with Databricks (which would be evident in the logs), we rarely have issues.

Recently, we were told that reload tasks created in the QMC would no longer run as the sa_scheduler user.  Rather, they would be run as the app owner.

In the past 24 hours, the app we have published in the Production stream is no longer accessible.  The reload task is still successfully executing, according to QMC.  However, when we try to view the app, a box pops up that says "Error Occurred: Access Denied".

We have section access on this app and have utilized it for several months without any problems.  The app owner is already in the section access list with full access.  

Has anyone encountered such a problem before?  If so, how did you solve this problem?

 

Labels (1)
1 Solution

Accepted Solutions
Lisa_Sun
Support
Support

By default, the internal system account, SA_SCHEDULER, is used to run reload tasks. This account has elevated privileges and, technically, can use any data source. There is a setting, however, in the QMC that uses impersonation to run reload tasks with the permissions of the app owner instead of the internal system account. By configuring this setting, the app owner and not SA_SCHEDULER is used for reloads, meaning that you do not add SA_SCHEDULER in the Section Access table but instead add the app owner. Within a task chain, apps can have different owners with permissions to sources dependent on each owner's access rights. See Service cluster for more information.

Managing data security with Section Access | Qlik Sense on Windows Help

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!

View solution in original post

1 Reply
Lisa_Sun
Support
Support

By default, the internal system account, SA_SCHEDULER, is used to run reload tasks. This account has elevated privileges and, technically, can use any data source. There is a setting, however, in the QMC that uses impersonation to run reload tasks with the permissions of the app owner instead of the internal system account. By configuring this setting, the app owner and not SA_SCHEDULER is used for reloads, meaning that you do not add SA_SCHEDULER in the Section Access table but instead add the app owner. Within a task chain, apps can have different owners with permissions to sources dependent on each owner's access rights. See Service cluster for more information.

Managing data security with Section Access | Qlik Sense on Windows Help

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!