Almost every person I meet to talk about Qlik products and security bring up the concept of section access for discussion. I think section access is one of those things that you either love or hate, but as a company using Qlik products you can’t live without it. The great benefit of section access, in my view, is that it’s driven by the data model which makes it really powerful.
It would be great to get your comments on what you think are the strengths of section access.
As section access is a critical part of how we protect data, we carried over its capabilities from QlikView to Qlik Sense and adapted it to Qlik Sense architecture.
So what has changed?
In Qlik Sense the section access is different in that the names of the columns available have changed:
Column
Description
ACCESS
Can be USER or ADMIN. The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data.
USERID
The name of the user in the format of [User Directory]\[User ID]
GROUP
Value of the attribute group on a user
[REDUCTION]
Is the field on which the reduction is performed
OMIT
Fields that should not be available to the GROUP or USERID
In Qlik Sense, a script for section access could look like the following:
section access;
load * inline [
ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\flp, 1, Region
USER, QVNCYCLES\kag, 2,
];
The example above would give the user QVNCYCLES\flp access to rows with a one in the field called REDUCTION without getting access to data in the Region field, and QVNCYCLES\kag would see the data with a two in the REDUCTION field.
In Qlik Sense section access is applied using strict exclusion, which means that if you are not explicitly granted access you will not be allowed to see any data.
My favourite improvement in section access for Qlik Sense is that it will be harder to lock yourself out of an app. In Qlik Sense you have the option to open an app without data. This means that if you have permissions to change the script you can open the app without data even if you don’t have access to any. This will allow you to change the section access part of the script instead of being locked out.
We have also introduced the capabilities to use attributes sent in at the time of the user authentication to be used with section access. This means that we now can base what data you get access to using the group attribute that can be inserted using SAML or tickets.
I hope that you found these tips on Section Access for Qlik Sense helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to post
I think you have to be a little more specific in what you mean with "it's not working anymore"? Section Access works fine in ver. 3.1, so maybe you have made an error in your script?
I implemented section access with data reduction , the access to user is working properly but the data reduction is not working ,it is showing all the data for the user, i wanted to show only data related to particular member name to that user.
please find the below script, is there anything wrong in my script??
Have you tried to close the app after you have reloaded data? I quite often see, that if you don't close the app completely then it doesn't refresh properly.
You say that you have implmented it with data reduction, so I'm wondering if that's because you are using QlikView?
If so, then keep in mind that you have to "enable" is in the document properties. I don't have a Qlikview installation at hand, but I think it's some where in the Security properties sheet or so that you have to "enable" it.
Please also keep in mind, that the example data you have supplied wont give the users access to the application. None of the Section Access records will match the data you have in your MEMBERNAME table so all users will be denied access to the application.
According to my script User1 and User2 should only see data related to Member Name "AFFORDABLE HOUSING" , but the user can see all the member names now
The above script, give my user account access to Membername "AFFORDABLE HOUSING" and "AFFORDABLE HOUSING 5" as expected.
What I need to do though, is to completely close down the app (both the Load Editor and App Overview) and start it from the hub. Actually if I have the app open as well as the Load Editor then when I switch from the load editor tab to the App tab, I see all Membernames in the table I have in the app. I think this is a bug, but under normal circumstances this shouldn't be a problem.
You can try to create a new app and then add the above script and then see if it works when you close the app completely after each data reload.
