I think you could just use a section access like this one:

Section Access;

star is *;

SectionAccessRegion:

LOAD upper(ACCESS) as ACCESS,

     upper(NTNAME) as NTNAME,

     upper(REGION) as __REGION

FROM [$(pInc@SA)SectionAccessRules.xlsx] ($(typXLSX) Region);

SECTION Application;

and in NTNAME are your users or usergroups listed from the active directory. If your dimensions like Segment, Country, Region a hierarchy you could just use the least granularity to connect them to your fact- or better dimension-table. Also possible is to make a combined key of these fields. In this case it's not a complex authorization else a quite straight ones.

If there are no real hierarchy it's more complicated because you will need to create something like a cartesian key of all possible combinations and remove the unwanted. Also if users should be able to access only their details but able to see consolidated overall results or the other data masked in some way or something similar.

I suggest just to start with a dummy-application with just a few inline-tables/records to simulate the later datamodel and developing it step by step and not within the final application. Very important is to have always backups of your applications because by some errors there is no way back and it will be loss.

Here you will find many informations about Section Access.

- Marcus

Оkay, I will loop through the files in your post, but in the meantime, its safe to say that my client has to make 3 groups in the ad
group 1. Segments

Group2. Countries

Group3. Regions

where Countries are offices of my client spread through 7 countries.

?

I'm not sure that 3 groups each related to a dimension will work in your scenario else I think you will need more groups, for example:

GroupCountry1:

User1

User2

User3

GroupCountry2:

User4

User5

User6

....

GroupRegion1:

GroupCountry1

GroupCountry2

....

- Marcus

I can't seem to understand this logic... ( GroupRegion1; has users from Groupcountry1 and groupcountry2)

GroupRegion1:

GroupCountry1

GroupCountry2

So, You are saying that for Each region I need group?
for example

Country1:

user1

user2

user3

country2:

user4

user5

user6

country3:

user7

user8

user9

country4:

user10

user11

user12
Region1:
user1
user6
user12

region2:

user7

user2

user4

region3:

user3

user8

user9;

Segment1:

user1

user2

user3

user4

user5

user6

Segment2:

user7

user8

user9

user10

user11

user12

?

It's not quite easy to explain - the aim of this grouping is mostly a hierarchy of nested usergroups and I think if you look on the already existing groups within the active directory you will see the logic behind it - and I wouldn't be surprised if most of your needed groups/logics are already there because the access-logic in Qlik is usually the same like the defined logic how users could access the ERP and file-storage in your company.

- Marcus

What can you suggest me to make this work?

At first you need to understand which user/usergroup should be allowed to access which data in your applications. This means there must be any rules to determine these access and with them to create some kind of access-matrix.

On this basis you could look to find some pattern within the access-rights to shortcut the matrix with some further usergroups and/or to nest them.

Very important on this point is also to recognize if there are any conflicts between the various access-rights because a denial on some data-parts couldn't be reversed with any allowance. In general there are workarounds possible but they require the use from certain settings and workflows and/or the generation of more data and rather quite complicated datamodels. Often it will be a better compromise to use two or several parallel applications each with a specialized secion access.

But like here and above mentioned you need to understand the logic of section access and user/usergroups within active directory very thoroughly - because it's always really critical and the least mistake made it vulnerable or prevent the right or each access.

- Marcus

Yes, this was my first suggestion towards my Client, to make several applications with different SA and different DATA loaded.

I understand your logic, but I got 1 more question.

IF i have connected through QMC to the AD,

can i use in section access just the following

section ACCESS:

GROUP,

COUNTRY

section application;

???