Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik and ServiceNow Partner to Bring Trusted Enterprise Context into AI-Powered Workflows. Learn More!
hic
Former Employee
Former Employee
‎2014-05-27 02:41 AM

A Primer on Section Access

Section Access is a QlikView feature that is used to control the security of an application. It is basically a part of the load script where you can define an authorization table, i.e. a table where you define who gets to see what. QlikView uses this information to reduce data to the appropriate scope when the user opens the application.

This function is sometimes referred to as Dynamic Data Reduction, as opposed to the loop-and-reduce of the Publisher, which is referred to as Static Data Reduction.

 

Data Model.png

 

For example, above you have the authorization table in Section Access to the left, linking to the field COUNTRY. (In a real application, the authorization table is not visible in the data model.) This means that when a user opens the application, QlikView uses the user name (NTNAME) to establish which countries this user is allowed to see, and then makes the corresponding selection in the Customers table.

The selection propagates to all the other tables in the standard QlikView manner, so that the appropriate records in all tables are excluded, whereupon QlikView reduces the scope for this user to only the possible records. This way, the user will only see data pertaining to the countries to which he is associated.

 

Selection.png

 

A good way to debug your Section Access is to temporarily remove the Section Access statement and run the script. The authorization table will then be visible in the data model and you can make selections in NTNAME.

Within Section Access you should define at least three fields: ACCESS, NTNAME and a third reducing field that links the authorization table with the real data. You may have additional fields also, like user roles or departments.

 

Some points around Section Access:

  • All fields in Section Access must be upper case. Hence, the reducing field must be in upper case also in the data. Use the Upper() function and name the fields in upper case.
  • Don’t use the fields USERID and PASSWORD, unless it is for testing or debugging. Proper authentication is achieved through NTNAME.
  • NTNAME is the field used to match an authenticated user – also if you set up ticketing using other authentication mechanisms than Windows integrated security.
  • NTNAME may contain names of groups as well as individual users.
  • Make sure "Initial Data Reduction..." and "Strict Exclusion" are checked (Document properties - Opening). If the field value of the reducing field in Section Access doesn't exist in the real data, the will be no data reduction unless Strict Exclusion is used.
  • If your users work off-line, i.e. download the physical qvw file, the security offered by Section Access has limited value: It does keep honest people honest, but it will not prevent a malicious user from seeing data which he shouldn't have access to, since the file is not encrypted. So for off-line usage I instead recommend the static data reduction offered by the Publisher, so that no files contain data the user isn't allowed to see.
  • In most of our examples, an inline Load is used in Section Access. This is of course not a good place to keep an authorization table. Store it in a database and load it using a SELECT statement instead!

 

And finally

  • Always save a backup copy when making changes to Section Access. It is easy to lock yourself out...

 

Section Access is a good, manageable and flexible way of allowing different access scopes within one document. And when used on a server, it is a secure authorization method.

 

HIC

 

Further posts related to this topic:

Data Reduction – Yes, but How?
Data Reduction Using Multiple Fields
Tips and tricks for section access in Qlik Sense (2.0+)
https://youtu.be/ObuetXgk2R8

92,500 Views
51 Comments
Anonymous
Not applicable
‎2014-05-27 08:00 AM

Hi Henric,

My concern is Publisher will cost me extra licenses.

I would prefer solution you have mentioned. 

If you can share any demo example would really appriciate

Thanks & Regards

Kiran Kokade

0 Likes
13,385 Views
Anonymous
Not applicable
‎2014-05-27 09:31 AM

Thanks Steve.

0 Likes
13,385 Views
michael_solomon
Partner - Contributor III
Partner - Contributor III
‎2014-06-01 08:46 PM

Thanks HIC, can you confirm for me that all the data of the document is loaded into memory and then some hidden? ie. the amount of memory needed to load the document is still the same as if there was no data reduction?

0 Likes
13,303 Views
hic
Former Employee
Former Employee
‎2014-06-02 04:50 AM

On the server, all data is loaded into memory and some data is hidden. So you need memory for the complete document.

On the desktop, data is removed from the memory when you open the document. But you will still need memory enough to load the entire document, since QlikView needs to load the file before the reduction is made.

HIC

13,303 Views
sfatoux72
Partner - Specialist
Partner - Specialist
‎2014-07-04 04:01 PM

Hi Henric,

What you expained about Strict Exclusion On is only true for "User" ACCESS type. For "Admin" ACCESS type, the user will see the unreducted data set if there are no matches.

Regards

0 Likes
13,303 Views
hic
Former Employee
Former Employee
‎2014-07-04 05:00 PM

@ Sébastien Fatoux

That is correct. There are many factors in the logic for data reduction... You need to have

   - ACCESS = USER

   - Strict exclusion = ON

   - A match in the reducing field

to get the proper reduction.

On the other hand - all users are USER and not ADMIN when they open the document on the server, which is the most common way.

HIC

0 Likes
13,303 Views
arieidel
Partner - Creator II
Partner - Creator II
‎2014-07-18 03:48 PM

Hello Henric,

Thanks for everything.

You talk about the risks that exist with users working off-line (downloading the physical qvw file to their desktop machine).

How a malicious user could see data which he shouldn't have access?

How could we prevent that, still using Section Access -instead of Publisher reduction?

Thanks again,

Ariel

0 Likes
13,303 Views
hic
Former Employee
Former Employee
‎2014-07-19 09:46 AM

The file isn't encrypted, and that opens for a number of possibilities to circumvent Section Access. The most obvious one is to write your own exe that opens the file and exports the tables. There are other, easier ways to "crack" a qvw file, but I am not going to explain that on the official Qlik web page...

The bottom line is anyway that a qvw isn't really safe if you have access to the physical file. There is no way around it. So, you should instead distribute files that contain exactly what the user is allowed to see, and not more. I.e., you should use the Publisher loop-and-reduce.

HIC

0 Likes
13,303 Views
Not applicable
‎2014-07-23 04:57 AM

Very useful post, thanks a lot !

0 Likes
13,167 Views
Not applicable
‎2014-10-14 02:26 PM

Hi Henric,

Very useful post. I have a question on section access and loop and reduce.

I have qvw where I have applied section access and loop and reduce together. when the file got reduced the script go away. Does the section access code still works in datamodel?

In other way - can i reduce file on departments and still do dynamic reduction further based on employees?

Do i need to set up something else in task properties apart from loop and reduce?

Thanks in advance,

Anosh

0 Likes
13,167 Views
Subscribe by Topic