Almost every person I meet to talk about Qlik products and security bring up the concept of section access for discussion. I think section access is one of those things that you either love or hate, but as a company using Qlik products you can’t live without it. The great benefit of section access, in my view, is that it’s driven by the data model which makes it really powerful.
It would be great to get your comments on what you think are the strengths of section access.
As section access is a critical part of how we protect data, we carried over its capabilities from QlikView to Qlik Sense and adapted it to Qlik Sense architecture.
So what has changed?
In Qlik Sense the section access is different in that the names of the columns available have changed:
Column | Description |
ACCESS | Can be USER or ADMIN. The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data. |
USERID | The name of the user in the format of [User Directory]\[User ID] |
GROUP | Value of the attribute group on a user |
[REDUCTION] | Is the field on which the reduction is performed |
OMIT | Fields that should not be available to the GROUP or USERID |
In Qlik Sense, a script for section access could look like the following:
section access;
load * inline [
ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\flp, 1, Region
USER, QVNCYCLES\kag, 2,
];
The example above would give the user QVNCYCLES\flp access to rows with a one in the field called REDUCTION without getting access to data in the Region field, and QVNCYCLES\kag would see the data with a two in the REDUCTION field.
In Qlik Sense section access is applied using strict exclusion, which means that if you are not explicitly granted access you will not be allowed to see any data.
My favourite improvement in section access for Qlik Sense is that it will be harder to lock yourself out of an app. In Qlik Sense you have the option to open an app without data. This means that if you have permissions to change the script you can open the app without data even if you don’t have access to any. This will allow you to change the section access part of the script instead of being locked out.
We have also introduced the capabilities to use attributes sent in at the time of the user authentication to be used with section access. This means that we now can base what data you get access to using the group attribute that can be inserted using SAML or tickets.
I hope that you found these tips on Section Access for Qlik Sense helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to post