Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
hic
Former Employee
Former Employee
‎2012-10-03 02:44 AM

Basics for complex authorization

Authorization is about determining which data a user is allowed to see. QlikView has several different ways by which you can reduce the data so that the user only gets to see the data he is allowed to see.

In the simplest case, the authorization table defining who-gets-to-see-what is just a two column table linking user names to e.g. regions. But sometimes you need a more complicated logic. It could be that you have users that are allowed to see all products but just within one region, and at the same time all regions but just for one product. In other words, you want to make the reduction in several fields with the possibility of OR-logic.

 

QlikView can do this and here’s how you do it:

 

  1. Create an authorization table by loading the authorization data into QlikView after concatenating the reducing fields into one single generic authorization key:

         Load USER, REGION &'|'& PRODUCT as %AuthID From AuthTable ;

    Authorization table.png

  2. Create an authorization key in the table with the most detailed transactions:

         Load *, Region &'|'& Product as AuthID From OrderDetails ;

    If you don’t have all the necessary keys in the table, you can fetch fields from other tables using Applymap. See more about Applymap here:

  3. Create an authorization bridge table linking the two above tables. Since the %AuthID field can contain generic symbols such as '<ANY>', several load statements are needed to create the bridge table:

         Load     Region &'|'& Product as AuthID, Region &'|'& Product as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, Region &'|'&'<ANY>' as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, '<ANY>'&'|'& Product as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, '<ANY>'&'|'&'<ANY>' as %AuthID  From OrderDetails ;

    Authorization bridge.png

  4. Reduce the file on the USER field using either Section Access or QlikView Publisher.

 

Using the above method you can create quite complex security models. For instance, you can use generic symbols also for product groups. Read more about generic keys in this Technical Brief.

 

Good luck!

 

HIC

 

Further reading related to this topic:

A Primer on Section Access

Data Reduction Using Multiple Fields

Authorization using a Hierarchy

71,430 Views
39 Comments
YoussefBelloum
Champion
Champion
‎2017-09-15 05:02 AM

Thank you. very useful, very clear !

0 Likes
11,278 Views
vchuprina
Specialist
Specialist
‎2017-11-28 10:35 AM

Henric,

Thanks for solution its very useful. What you can recommend to do in case if we should reduce data based on ten fields.

0 Likes
11,278 Views
mpbtejada
Contributor III
Contributor III
‎2018-03-13 05:33 AM

Can I get some help with this implementation of NTNAME as well.

Encountered the same case where I can open in Desktop but could not in Accesspoint.

Already tried adding STAR is * and checked that there are no blanks in the section access column but still could not make it to work in Accesspoint.

0 Likes
11,278 Views
jgarciaf106
Creator
Creator
‎2018-03-20 10:01 PM

Hi hic,

Do you have any real example of this type security?

I would like also to know how can this be applied with a third reduction field?

Thanks in advance

0 Likes
11,278 Views
rammuthiah
Creator III
Creator III
‎2018-05-25 03:31 AM

Hi,

Can you explain on how to implement Data Reduction using 4 fields in Qlik Sense?

Region,

pbu,

division and

empcode

0 Likes
11,249 Views
nesawant
Contributor II
Contributor II
‎2018-06-01 03:51 AM

Hi Luca,

I am facing same issue. My complex authorization with bridge table works on desktop but when I run it from server it says you do not have access.

How do I resolve this using single section access file?

Best Regards,

Neha

0 Likes
11,249 Views
Anonymous
Not applicable
‎2018-07-02 08:52 AM

Hi Henric,

My question is how can i use this complex authorization with more than 2 fields in section access. And with one field having condition of "All except one" like you explained in this thread Section access - exclude just one value!

So, i need combination of both of these solutions: Section access on 4 fields and 1 field with exclude just one value.

Appreciate your help here. Thanks

0 Likes
11,249 Views
krishgk_ispot
Partner - Contributor III
Partner - Contributor III
‎2018-08-23 10:11 PM

@Henric Cronström@cesaraccardi Did you figure out the solution for excluding the data using <NOT A>  or <NONE> (as shown below) ?

section access;

load * inline [

ACCESS, USERID, CUSTOMERID_ORDER,CUSTOMERID_SALES, OMIT

USER, USER1, 1, 2,

USER, USER2, 2,<NONE>,

USER, USER3,<NONE>,3

];


Also i would like implement the security on a CustomerID field from dimension  table but restrict different CustomerID's from Order and Sales Tables.

Note: CUSTOMERID_ORDER and CUSTOMERID_SALES are alias of CustomerID field from Customer table.


Is it possible to restrict the data this way using single dimension filed on multiple fact tables differently?

0 Likes
11,249 Views
ansarikashif2017
Creator
Creator
‎2020-03-23 11:28 AM

This is a brilliant article. Thanks @hic 

I have  question.

 

In case your dashboard has 2 entry point for authorization. Data model has two reference data set.Lets say Ref1 and Ref2.

The user can be given access to the dashboard based on field1, field2 and field3 of Ref1 and field1, field2 and field3 of Ref2.

We can combine fields of ref1 as single authorization key but what do we do with the Ref2 fields?

 

Regards,

Kashif

 

 

0 Likes
2,154 Views
axnvazquez
Contributor III
Contributor III
‎2021-10-18 04:24 AM

[DELETE PLEASE]

691 Views
Subscribe by Topic