Qlik Sense allows managing data security at group level by configuring Section Access with Active Directory groups. See Managing security with section access for details.
If Section Access with groups doesn't work (i.e users got "Access Denied" even though they are a member of an AD group that is already included in Section Access table), troubleshooting steps are as follows:
1. In Qlik Sense QMC > Users, click the ( i ) icon next to a user name. Make sure the necessary AD groups are listed in the user properties dialogue. If some groups are missing in the list:
- Verify that user has been added to the group on AD side
- Sync the relevant User Directory Connector (UDC) in Qlik Sense. After users are added to an AD group, Qlik Sense is only notified of the change of group membership once the UDC is synced.
2. If the AD group already exists, make sure that the group name is listed in Section Access table exactly as it shows up in user properties. Sometimes the UDC syncs full distinguished group name string instead of only group name.
For example: group name = ACCOUNTING, distinguished name string = CN=ACCOUNTING,OU=FINANCE,DC=DOMAIN,DC=LOCAL. In this example, if only the group name ACCOUNTING is provided in Section Access table, then users of this group has no access.
Section Access;
LOAD * INLINE [
ACCESS, USERID, GROUP, COUNTRY
ADMIN, DOMAIN\ADMINISTRATOR,*,
USER ,*,ACCOUNTING, ENGLAND //This doesn't work
USER ,*,'CN=ACCOUNTING,OU=FINANCE,DC=DOMAIN,DC=LOCAL', FRANCE //This works
];
Section Application;
SalesData:
LOAD * INLINE [
COUNTRY, Sales
ENGLAND, 5000
FRANCE, 6000
];
Environment:
Qlik Sense Enterprise on Windows
Qlik Cloud