Programs

Hello Qlik Users!

I hope you are all having an amazing day!

We haven’t talked about a lot within the blog is Qlik DataTransfer. If you’re not familiar with Qlik DataTransfer, it is an on-premise tool that allows you to securely push your data to Qlik Sense SaaS. You select the data you want to transfer and Qlik DataTransfer will optimize the data, then send it where it should land. Set a refresh schedule or monitor a folder for changes to get the latest data.

You can download Qlik DataTransfer from your Qlik Sense Enterprise SaaS or Qlik Sense Business tenant. Go to your user profile menu > Profile settings > Tools > Qlik DataTransfer.

Release Notes can be found on the Qlik Downloads page.

I thought I would consolidate a few resources for learning more about the product, installation, how-to and troubleshooting.

Product Information

• Qlik DataTransfer
• Qlik DataTransfer Data Sheet
• Qlik DataTransfer – Quick Demo

Qlik Help

• Installing Qlik DataTransfer
• Installing Qlik DataTransfer - Video
• Uploading on-premises data with Qlik DataTransfer
• Uploading on-premises data with Qlik DataTransfer – Video

Webinar

• Do More with Qlik – Qlik Data Transfer (you must sign up for on-demand access and it’s session #7 on September 3rd)

Support Articles

• Qlik DataTransfer unable to connect to the tenant
• Qlik DataTransfer - Error: No data has been created for this dataset to upload
• Qlik DataTransfer with an internet proxy

What other resources would you like to see created for Qlik DataTransfer? One user said they would like to see a Talk to Expert Tuesday session on Qlik Data Transfer. Let us know your thoughts in the comments below.

If you found this blog useful, please give it a Like and share it with your peers!

Thank you for choosing Qlik!

Kind regards,

Qlik Digital Support

This session will address:
- How section access works
- Best Practices
- Troubleshooting issues

00:00​ - Intro

01:43​ - How Section Access works

03:25​ - The OMIT field

05:11​ - Turning Section Access On/Off

06:47​ - Demo app overview

07:56​ - Viewing with ADMIN access

08:59​ - Qlik's Data Associative Model

09:42​ - Viewing reduced USER access "Claire"

11:37​ - App Opening speed affected

12:09​ - Viewing reduced USER access "Lisa"

13:36​ - Viewing with Section Access Off

14:17​ - Show/Hide Conditions - Field-Level

16:04​ - Show/Hide Conditions with Container - Visualization-Level

16:56​ - Show/Hide Conditions - Sheet-Level

17:32​ - Section Access Script

20:19​ - Using Composit Keys / Link Tables

21:44​ - Using Include Script

22:29​ - Keywords

23:25​ - Q&A

Resources:

Community page with Example app

Help - Section Access

Help - Section Access with NPrinting

How to move Section Access from QlikView to Qlik Sense

Help - Include Script

Strict Exclusion explanation

On-Demand App Generation

Dynamic Views

Section Access in QlikView

Q&A:

Q: What is the difference between "*" and "ALL" in reduction field?

A: The wildcard character * in the data reduction column refers only to all values in the security table. If there are values in Section Application that are not available in the reduction column of the security table, they will be reduced.  ALL is just a value I created and reference in, which I have control over and use to help visualize the relationships.   

Q: Qhat is the best practices when we have a section access based on 5 fields?

A: Create a composite key in a link table or fact table. This is your junction box. 

Q: Sales person to see his sales plus sales for another departments of other Sales person? 

A: Create an aggregate set of facts in your fact table that all users would have access to. 

Q: Do you have to reference the long USER ID string in QS SaaS as the USER ID in Section Access, or can you use ADFS usernames? 

A: Yes -  Using Active Directory Federation Services (ADFS) as an IDP for Qlik Sense Enterprise SaaS

Q: Can we reduce data by numeric field that is a dimension? Can we reduce data using wilcard? For example by fields that begin with dim*? 

A: Any value can be used for data reduction, but wildcards are reserved so you will want to create a secondary table to map your strings. 

Q: Is there still a risk of locking yourself out of a qvf app like there was in QlikView?

A: No. You can always open without data. 

Q: Although section access works with NPrinting for Qlik Sense, show/hide columns don't work with NPrinting from what I have read. 

A: I have used the container show/hide on charts in NPrinting. You could also make your condition in the master item which should propagate correctly.

Q: Can i simply use multiple Reduction Fields? 

A: It could create a circular reference, which is generally not desirable or could create unintended results. A composite key is best practice. - Basics for Complex Authorization

Q: In data script: what's the best practice to build up temp section access table by combining different datasources (excel, qvd) before using that under section access? 

A: This is the same as building any other table.  There shouldn’t be any adverse impact by concatenating tables from multiple sources for the purposes of section access. 

Q: What condition did you use to show the Qlik logo vs. the section access data? 

A: It was just container similar to what I did with the scatter and distribution chart. I used a text object and a filter pane in a container. It was ‘count(USERID)= 0’ and ‘count(USERID) <> 0’ 

Transcript:

Hello everyone, and welcome to the April edition of Support Techspert Thursdays. Today's presentation is Troubleshooting Section Access and Qlik Sense Enterprise with Mike Reese. Mike, why don't you tell us a little bit about yourself?
Thanks Troy. I’m a senior solution architect with Qlik. My main focus is helping guide customers in their Qlik journey through pre-sales, and I actually have 14 years total experience with Qlik; over six now actually working for Qlik directly and eight in the partner space: consulting, wearing various hats, implementation, architecture design, development, project management, you name it.
Great. So, Mike, what are you going to be showing us today?
Today, I will be covering Section Access. So, what is Section Access? We'll go through a couple scenarios of role base Access. We'll do some impersonation. So, you'll get a kind of a good understanding of how you could get into an application as a different user; actually test their entitlements and easily flip between the different types of Access that you might need to implement in your security model. So, then we'll also see how that is applied through the load script. And then at the end, we'll go through some data modeling tips that help facilitate Section Access; and different levels of facts, different types of facts, multi-fact table and being able to set up security in a seamless way. And then also, we'll go through our takeaways and tips and tricks.
Great. So, how does Section Access work?
Good segue. I just have a couple slides to help frame the demo, and then a few more to reinforce what I show. Data authorization using Section Access is implemented using reserve words as field names and values for your entitlements table where Access levels aren't assigned to users within the Section Access part of the script. These tables must contain a minimum of two system fields; Access being one of them. As you come in, a user logs into the application; they're either designated as an ADMIN through this Access keyword, or a USER. And if you're an ADMIN, you have Access to all the data. And if you're a USER, then you have Access to reduce sets of data based on whatever is designated to you in this entitlements table that's set up in the load script.
Okay. So, it's all about controlling the data that's shown to the user based on their profile?
That's right. So, literally you're setting up an entitlements table and through the power of Qlik’s Associative Model; those associations designate what a user can see and what they cannot see.
That sounds like the basics of how Qlik works. What's the difference between the association of any table, and the Section Access table?
Perfect. So, to help visualize the mechanics, we have a Qlik data model accompanied by a Section Access table. And all we need to do is associate one field between the data model tables and the Section Access tables. So, in this case we have ‘Department.’ And this would work with any field, right? It doesn't have to be departments; whatever field you want to designate as your security field. And so, in this case, it does work exactly like the associative model. So, then the difference is mainly it's distinguishing between the security table and the application facing data model through the use of the reserve words that I mentioned; that I promised to talk about at least once more through this demo. One of the others that I’ll cover right now is the OMIT; which is used to designate the names of fields that users should not see. So, basically if you're looking at this “John;” he would not see the social security number field. And neither would “Steve.” And so, something unique to Qlik is that you're now you're seeing the benefit of data reduction. That's row level security through associations the way Qlik works natively. And then you're also seeing the ability to apply column level security through OMIT.
Okay. What if I have more than one field that I want to omit.
Yeah. So, that's actually perfect. So, this is what the data model looks like with the security table. So, if Section Access was turned on, the security tables wouldn't be visible in the data model. And they'd be hidden because they're security tables. But one of the things I’m going to cover in this demo is how you can easily test Section Access through the impersonation. What this example is showing you is Section Access is turned off, and that's simply by commenting out the Section Access declaration. And we'll see more of that as we go through it. What I’ve done is: I’ve created an ‘omit group’ and a secondary table to just list all the fields that I would need to omit for different users. So, basically it's a one to many, right? So, instead of having in the example I showed you before: one user and one omit field; this just gives me a secondary table to have that one-to-many relationship. So, if I have three fields that I have three rows in this table per user, as opposed to three rows in this table; now I could do it either way. I could have multiple rows per user for each field in this authorization table that I set up; and this would be my only Section Access table. But I just set it up as a second table just to make it easier to see, right? So, this is this would be one-to-one per user, and this would be one-to-many for all the omit fields.
Okay, and now when you talk about turning Section Access on and off; is that like a setting in the QMC, or how is that done?
That's actually done in the load script. So, you can see here I’ve added a couple screen captures of that Section Access declaration. Any script that falls below the Section Access declaration and before the Section Application declaration is all interpreted as data reduction and Section Access security. So, effectively all I need to do is: comment that declaration. You'll see those two tables are here. With it turned on, those two tables are now gone. This is what the user would see if they were in a published application with Section Access turned on. What I’m left with is this floating island that I use for some user-experience things related to what the users can and cannot see.
So, I understand you've got a demo set up for us. What version of Qlik Sense are you going to be demoing?
I’m actually going to be demonstrating Qlik Sense SaaS. Okay, there are some similarities. There are a couple differences that I’ll cover throughout this, but everything is moving towards the cloud, so I figured why not show that the latest and greatest that that Qlik has to offer.
Yeah.
What we're looking at now is just something that that we have set up it's called ‘sPortal.’ You could actually get it on Github. It's just a way to impersonate different user Access. Three roles that I’m going to demonstrate would be: like, myself; calling myself the CIO. I have Access to all the data. I develop things, I’m a tinkerer, I see the whole entire application, all the data, all the visualizations. The other person I’ll log into this with is ‘Claire,’ who's a marketing lead in the North. And she has visibility into a couple different territories and sales data. And then lastly, we'll log in as ‘Lisa Grisham,’ who is a sales director. And she has visibility into individual rep data in the South territory.
All right. So, here we have the Qlik Sense Hub. And what I’m going to do first is: get into a published copy where the security is already applied, right? So, here I have my published copy which is indicated by this red. This is published to the Everyone space, versus this one which is in my Personal space where I’m doing the development. And that's where I can do my role impersonation. So, we're going to start here.
Okay. Now yeah, can you walk us through this app a little bit?
So, I’ve got a few sheets to help demonstrate the security. I’ve got a Sales Op tab. I’ve got a tab to show the associations and the reduction. I really want to emphasize that the security in Qlik Sense, the Section Access Data Reduction is - it works the same way as the associative model. You're logging in, Sense is clicking on a value behind the scenes, and then it reduces that data set to everything that's related to that value.
Can you tell us what the colors indicate?
So, the OMIT groups that I had designated are encompassing the fields that would be hidden based on your access rights and your entitlements table. Remember that OMIT keyword? The Contact Info group is going to omit Phone and SSN for the users that are in the Contact Info group. If you're in the Office Group, you're going to lose visibility into Office City. And if you're in the Salary OMIT group, then you lose visibility into the Salary field.
All right. So, I’m going to jump into this Sales Ops tab. And as a user that can see everything, I see the total sales for the organization so that's $422,000. Note the logo here. That's going to change when I when I come in and do my testing with Section Access turned off, so I can do some impersonation. And then over here, you're going to notice this is a scatter table that lists all of my sales reps. Right. So, there's a number of different sales reps here. Down below, we have ‘revenue by territory and customers.’ So, these are all my territories. And then I can actually drill through to the different territories. And that's important, because when you see the data reduction, you're going to see how this this table is affected. In one instance, you're going to see it reduce down to two territories. And another, you're not going to see any territories. It's automatically going to be reduced to the customer level data, because a person only has visibility in one territory.
So, this is if we're logged in as an ADMIN, right?
That's right. Yeah, somebody has visibility to the total data set.
Okay.
And then, just as we were talking about the color-coded columns, these are the three that I’m actually applying: it's the Salary, Office City and Phone. That is the main thing here. And I just want to come into this Associations Tab. For those who aren't that familiar with Qlik Sense in the associative model: when I click on a value, all the associated values are in white, and anything that's not associated is grey. So, that's the secret sauce. So, security literally works the same way. So, if I login as a user, and all I can see is New England territory, I’m only going to see data for the city of Newton. I’m not going to see any of these cities. These are going to evaporate, and I would say “before my eyes,” but it would be actually before I even get to see anything. So, obvious that's security, right? I’m not going to see anything related to Reps that aren't in white. All these reps are not in my view, they disappear. But as somebody that can see the whole data set, I can see all these associations across all my data.
So, can we test this with one of the other users?
I’m going to go in as Claire. And Claire is a marketing lead in the North, so Claire has visibility into two territories.
Okay.
And now Claire sees this, right? So, same application but the difference is: with no selections applied, I’m only seeing $212,000 in sales.
Right, that's gone down, okay.
That's right. So, the data reduction is working. I still see all the visualizations; however, this visualization has changed. You might recall, in the previous application, we were looking at a scatter chart. Now we're seeing ‘Sales by Product and Territory-Distribution,’ and that's because she's a marketing manager. And this, products are more relevant to her than a scatter chart of sales reps. So, this demonstrates using Section Access to really drive what visualizations a user can see, right? So, you can do that at the object-level. You can do it at the field-level. You can also do it at the sheet-level. Notice now the territories have been reduced. We had a number of territories at the seven or eight or something like that. Now, we've been reduced to two territories: Canada and New England. Now, I can still drill through, right? And I can still get to the customer level, but I just don't see all the territories that I wouldn't have visibility into.
And I see that Salary field is missing as well.
Exactly right! So, now that green field is gone, because I shouldn't have visibility into Salary Data as a marketing manager. And so, that's it. That's actually data reduction and object-level security at work through Section Access. So, now they go into associations again. That green Salary column is gone, but on the right-hand side of the screen, we can also see that the reps have been reduced. To really emphasize that, let me jump back into my other example as the administrator. Here's all the City data, here's all the Territory data, right? Flipping back over here, you can see that those data is reduced. And I’m not seeing the gray.
Right.
Because I don't have visibility into it. So, that's what the data reduction is doing. It actually is removing that data from the application.
When you have Section Access turned on, does it actually affect the performance of opening the app?
Yeah. So, it could. If you have a very large application, and the reduced data set is much smaller than that, then the perception of the user is going to be: it's taking a, it could be taking a while to open. Effectively you're opening the application if it's large, and then you're reducing it; versus if you had a smaller application from the get-go, that opening time would be somewhat quicker. But and I would say in most cases it's negligible.
To be clear, that's just the first time the app is opened after reload, right? Not every time?
That's right.
And who's the third user we're going to test?
Yep, let's do it. So, the other user now that I want to get in as is Lisa. And Lisa is a sales director. So, she only has visibility into one territory. So when Lisa gets in, now we see a different picture, right? We only see $51,000 in sales. And instead of seeing that distribution chart that we were just looking at, we're still seeing, we're seeing the scatter that we saw originally. But now it's reduced to three reps instead of the whole sales force.
Yeah.
And down below, we're looking at ‘Revenue by a Territory and Customer,’ but it's only the Southeast territory. So, it's automatically drilled down to what territory Lisa can see, and just the customer review. So, that you're seeing what's relevant to Lisa. And over here, we no longer have visibility into the personal information of the employees. You can see that now: you have different levels of access for different users, and different columns are being hidden.
Great.
So, now I’ll go over to the associations to show the difference in what Lisa can see versus Claire.
Okay.
All right. And now you can see a much smaller set of data. You can see much fewer rows, and we're only looking at the Southeast territory now and the city of Raleigh. The reduction is doing exactly what it should be doing. Associations are still working, right? So, I can still see that, but it's only at the level that she has visibility into.
So, how are you able to manipulate the app to show and hide the different charts and fields?
So, let me go back out to my hub here, and go into my unpublished copy that's in my personal space. So, now we're actually opening this with Section Access turned off, and that's that that one Section Access declaration commented out.
Okay.
Instead of that Qlik logo that was in the corner here, I’ve got this this actual drop-down box. So, this is one object that's actually using the show and hides. Hiding the text box with the image in it and it's showing me a list box. And now I have actual visibility into user-level information. So, if I want to impersonate Lisa or Claire or myself, I can. All I need to do is click on these. This is working just like the associative model works.
Right. So, those tables are still in the data model, but now they're no longer Section Access tables; they're just a part of the regular data model?
That's exactly right. They're just regular old tables, right. So, you can see as I click it, I’m seeing the visibility that I would see as if I logged in and everything was being reduced.
So, how do you configure those show and hide settings?
Let me actually get into edit mode. I’ve got some sheets that I’ve duplicated here, and now I can actually edit the sheet and see what's actually driving those show conditions. So, I’ll start with the table here. This is the probably the easiest thing to look at first. So, we've got the Salary field, Office City and Phone. So, the one thing to keep in mind is when you're using Section Access with column-level security, if a column is omitted and it's in a visualization: the visualization won't render. It'll actually fail. You actually have to put in a little protection for that if you're going to omit the field for users that should see that visualization. So, one option is to hide the column or swap it with a different column, or you use a container with different visualizations in it; and I guess the third option would be: show them one sheet versus another. So, I’m going to start here at the field-level in a table, and we'll just look at the Salary expression. Here is your Show Conditions: ‘Show Column If,’ and what I’m actually checking is that OMIT group, the field that I created, and if the OMIT group is equal to Salary, then that means don't show Salary, otherwise show it (-1) is true.
Okay. So, that's how you hide it or show it based on the profile?
That's exactly right. So, just to reinforce that, if I look at Office; same evaluation, except we're looking at the Office OMIT group instead of Salary, right? So, that way when the Office field is eliminated, you won't get an error that the visualization can't render, because the field doesn't exist. You're telling it to disable the field knowing that it's already not there.
That's a great tip for hiding columns with a show condition. I did, I wasn't even familiar with that concept actually.
Yeah. It's actually, it's one of those things that, it's a best kept secret, I guess; which shouldn't be a secret.
Exactly.
So, and then, let's talk about it at the visualization-level. So, in this case, I wanted to drive the marketing manager Claire into a completely different visualization. Data reduction aside, I just wanted to see something else. So, instead of the scatter chart, we use a show/hide container. If those of you familiar with QlikView, it's very similar to that. Here's a Container Object, and the content would be the charts that are in it. So, it's actually the Scatter Chart and the Distribution Plot that we use to show different visualizations based on the access, right? So, in this case the distribution plot. What I’m checking in to see is: if the COUNT of Territories is = 2, then we know that's our marketing manager, and so she should see the distribution chart instead of the scatter plot.
Cool. So, it's a container that has multiple visualizations in it, and you just show it based whichever specific visualization based on the profile?
You got it. Right.
That's super cool.
And then just to tie that off here. Then I clicked on the sheet, and then the last one we have is the show condition for that. So, I’m not using that in this example, but this is something newer that was added so you have that ability. Again, to show different sheets based on whatever conditions you want to create, doesn't have to be security. It could be anything, and the same applies for the other things. I’m just using security as a way to drive show/hide conditions.
I love this concept of turning off Section Access and being able to cycle through the different users to help troubleshoot. Can you walk us through how the script is set up?
Yes. Yes, perfectly. So, the data load editor is what we have to get into, right here. And then I have one tab set up for Section Access. And so, like I was saying earlier, if I want to show my security tables in a data model, all I have to do is comment (//) that Section Access decoration, and now my authorization table and my OMIT fields table become part of the data model so that I can actually select them and impersonate who I want to impersonate without actually having to login as that user, right? And so, you can see this is it. These are my two security tables. I only technically need one, but like I was saying earlier, I created this OMIT group field to then show that one-to-many relationship between a user and the multiple fields that they might need omitted. So, Contact Info is an example: if you're in the Contact Info OMIT group, then you're not going to see Extension, Phone Number and Social Security. The keywords that I was talking about access that's either ADMIN or USER. If you're an ADMIN, you're going to have visibility into all the data. If you're a USER, then the data reduction is going to be applied based on whatever you're using as a reduction field. So, these are both keywords: ACCESS and USER ID. REDUCTION is not a keyword. It's just whatever name you designate for your security key which is going to link to your Application Section. So, this part right here, this Declaration; it’s where your underlying data model fields will begin to load.
Okay.
This link between REDUCTION in the Section Access script and REDUCTION in the data model is really where the actual reduction is happening. If I’m in a REDUCTION of 1, then I’m only going to see data related to Office ID 1. If I’m in 4, then I’m going to see Office ID 1 and 2. If I’m ALL, I’m gonna see 1-5.
Right. That makes sense.
Now, the one thing I want to point out here: ALL is something that I just use to help with the testing. Technically if you are an ADMIN user, you're going to have visibility on all the data. But using this this method of turning off Section Access and being able to test everything; if I didn't have this in here, then then the ADMIN actually wouldn't see everything. So, for testing purposes, you might want to have an IF condition to add these duplicate set of keys for the ADMIN; versus in production, you might want to just use the ADMIN. Does that make sense?
I understand, yeah. You're just recreating the ADMIN rights for data association for testing purposes, but otherwise you wouldn't need it.
Yeah, that's it. That's exactly right. So, that's everything that's behind it.
There's different layers of granularity. How would you manage a more complex reduction? For example: not just Office Location; what if it's Product and Department?
Yeah. So, that's a good question. Well in that case you, would just you would set up a Composite Key. And that actually helps segue into one of the slides that I that I wanted to show.
Okay.
Many of you may have already been working with the load script for a while. So, you might be familiar with star schemas and snowflake schemas and whatnot. I think most often when somebody's building a data model, they just bring in the tables as-is; and they don't create an explicit fact table or a link table, and that's fine. But when you're using security and you have these different levels of granularity; you would have to create a Composite Key for all those values. So, let's just use Department and Product as an example; you would have a field that would have Department (maybe separated by a pipe) and then the Product. And then you would link that into your Link Table. So here you have your multiple fact tables, and so that Link Table is going to operate as a junction box for all your access rights into those facts. So, that way, you're not having to duplicate facts. You're just managing all that through your security table, and so every value that should have visibility into: fact one or fact two, you're managing that here, right? In the same token, you can do that with a Combined Fact Table. This is all precipitated on having a security field that has all the values in your Composite Security Key that you would need to determine what facts you have visibility into and what dimensions you have visibility into. So, that way you're not managing a tangled mess of facts and aggregation. And I’ve seen a lot of different users try to manage this through really complex formulas, and the easiest thing is to create the Link Table when you have complex security.
Okay, that makes Sense. Is there a way so you can set up the same Section Access tables between multiple documents? So, you're sharing the same access across multiple apps?
Yeah, actually. So, you could use what's called an Include Script. So, you could actually store the script for Section Access in a file, in a separate file a text file or a qvs file, and reference that Include statement. Effectively, it's reading the code in as if it was part of the load script, but it's just reading it from a separate file. And any of you that have any web development experience would be familiar with using include files; but it simply is - it's the script that you would use for your Section Access, but you stored it in a separate file. And then, you're just picking that file up and it will interpret that as part of native script.
Just so everyone is aware, we'll include a link with the recording of this session on Qlik community to the same demo app that Mike was using today. So, you can reference that if you'd like. Mike, what are some key takeaways from today?
Yep, so perfect. One thing I promised earlier was: I wanted to cover some of the keywords. So, if you have some experience with Section Access with QlikView, you're familiar with NTNAME. In SaaS, you're using USERID. So, that's one of the bigger distinctions. And there's also a GROUP keyword that can be used in SaaS. There's a couple other things that I’m not going to get into in this, but we'll share this and along with some other resources that'll really get into some of the details. If you're, let's say, if you're coming from Qlik view and you're coming into Qlik Sense, and what changes you might need to consider when you're implementing Section Access in Sense. So, we'll include a lot of links and helpful information and tips and tricks that the Troy’ll package up and put out there for you guys to consume. And I think that should cover most of the things I wanted to touch on.
Yeah, we'll definitely include links to all the documentation where you can find more information and resources. Then it's time for Q and A. Please submit your questions in the Q&A panel on the left side of your On24 console. Mike - which question would you like to address first?
So, the question is: in Qlik view Section Access settings, there's the strict exclusion setting I’ve never understood what the check box does. Can you explain?
So, what that does is it implies that: if there's no values that match the fields you're reducing on, then you actually get to see everything (with strict exclusion unchecked). So, in QlikView you would always want to check that to ensure that somebody who didn't have matching values wouldn't then end up having visibility in all your data. Now in in Qlik Sense, there is no strict exclusion setting, because it's strict exclusion by default, right? So, for those of you that are actually migrating from QlikView to Qlik Sense, that's just one thing to be aware of when you're actually creating your Section Access or when you're doing the migration.
Okay, next question.
All right, let's see, okay. So, I’m using Section Access to limit the Access level the data for each department. Each department chief should only see the data of their department, but for some sheets I want them to see all the data. Is there a way to do that?
So, the sheets themselves don't have anything to do with the data. The data reduction is going to eliminate the data that they can't see. So that's something that you're going to have to determine in your data model: where the security should be applied and what value should be reduced. If the question is: I don't want them to see some sheets, then there's show conditions on the sheets. But if it's around the data, and you truly want to secure the data, then it should be reduced out. Otherwise, you just, you would have to manage it differently.
Okay.
Let's see. So, is it possible to restrict action to certain fields in a table to all users?
I’m not quite sure when we say “restrict action” what we're looking for, or if it's just visibility then. And if we're trying to restrict it from all users, then I just wouldn't load it in the data model. that would be the simplest. If there's for some reason it needed to be part of the data model, then I would use, I would apply that field to the omit keyword, the preserver that is in your entitlements table
Okay.
All right, let's see. So, is there a way to have global Section Access and Section application table that can be applied to multiple documents without having it in the script of each app?
Now that was something we covered when we were talking about “include.” So if you want to reference Include Script with Qlik Sense, you can you can find plenty of help on the community on that or in the help.
And let's see what else we have. So, is there a way to build the Section Access authentication based on their SaaS login, so it automatically limits the data based on who they are without having a separate password for each app?
Yes, that's exactly what we're doing with Section Access. So, we are we're taking that user login based on the subject id, and that's their user; and then they are being reduced based on the entitlements that you've already set up, so you don't actually have to have a separate password for each app.
Okay, next question.
When I develop the app using Qlik Sense locally everything seems to work, but after importing the app on the production server, only the Admin has Access.
I could probably help, but I don't know. I think I need a little more context to answer that. So, there might be some difference in the way, it sounds like there's difference in the, differences in the way that the user is being identified. So, that while it's working locally it's interpreting that USERID is something different, that would be my guess.
In Qlik view, I can use the loop and reduce within publisher instead of Section Access with large QVWs. Is there something similar in Qlik Sense, so that the data in the app is limited instead of limiting Access to the data?
There are techniques to do a loop and reduce. There isn't something specifically the same as loop and reduce in the Qlik Sense scheduler, but there are there are ways to manage that. You can do it through the API is one option. I know that there's a couple other examples out there if you look up “loop reduce for Qlik Sense” you'll see some alternate ways to accomplish that, but I also say the, I mean if it's a concern around the data size, we also have different techniques like “On-Demand App Generation” and also “Dynamic Views.” And what on-demand app generation is just level, is you have an aggregate app, you make some selections in it. It passes those selections to another app which reloads on the fly. And dynamic views is similar, except that you're working with one application, and then certain tables or certain objects are then are refreshing based on the selections in real time, so those are a couple different ways where you wouldn't have to necessarily apply loop and reduce. Kind of a different way of thinking.
These are great tips.
Yeah, thanks. So, let's see what else we have. So, Section Access reducing data on fields of numbers. Does that work or should the format be text in all reduction fields?
It doesn't really matter what the format is, if you have two values that are the same on both ends, then it's automatically going to reduce based on that. So, if it's numbers in one value and text and another value, and a combination of numbers in text, they'll all work if you have a match.
Okay, next question.
Okay, so what are some best practices to reduce access based on multiple field values in the same record line?
Composite Keys ultimately. So, you're gonna when we're talking about the data model, and using a Link Table as your junction box, or a Combined Fact Table, that's how you're gonna have to accomplish that. You're gonna create a Composite Key that ultimately strings together other every value that you want to be a part of that key, and that that is your security right there.
Okay. Can you apply Section Access using dates?
Yep, just another field. It could be a date by itself or it could be a combination of dates, but yeah; I guess that's the, I’d be curious to know a little bit more about how you would apply just a date as security, and what the use case is, but that's, but at the end of the day, it's just another field.
What are the limitations on granting Section Access for a specific sheets in Qlik?
So, that was the Show Condition that I had previously demonstrated in the demo. So, you'll have the ability to show hide the three places. Just to recap, you have it in the object, you have it at the field-level, and you also have it at the sheet-level.
And let's see, what else? There's also: is this available for Enterprise on-prem?
Yes, all our products, you can apply Section Access, except for local copies of Qlik Sense which aren't part of part of the Enterprise deployment.
Okay, the next one: how can I efficiently restrict access over multiple values, and where records are not present one table but are in another?
This is something I’ve encountered before. You're trying to create security on fields that exist in different tables, and so that goes back to that example I gave previously, where you want to use a Link Table. The Link Table solves a lot of problems, because again it is like a junction box. So, you can shove everything you need to in that security field to help drive what's in your fact table. In this case, it sounds like you have ultimately what would be a Combined Fact Table. You have facts coming from multiple tables.
Okay Mike, we have time for one last question.
Okay and let's see. So, is there a standard way to allow a user to see his own detailed data and only summary data for users?
Okay or for other users, I think that's a good question. Because this comes up a lot what you want to do in that case is actually, typically we say just bring everything at the detail level. Because we would then aggregate but if you're applying security, and you need somebody to see the aggregate information then it's not going to work. But what you could do is: actually add the summary data in as separate records, separate transactions, and you could put that in its own table or you could add it as part of your fact table if you're using a fact table
Great! Thank you so much Mike!
Again, thank you for everybody for your time. I appreciate this you know. I love being able to share the things that I’ve learned along the way. Section Access, I know when I first started working with it, just seemed like a black box and there wasn't a lot of information around some of the best practices, and all the things that you could do with it back in 2007 when I started working with it. So, happy to share the things I’ve picked up along the way and hopefully you've gained something from this, and you'll be able to be successful in implementing security in your organization. And so with that, again thank you, and you'll see me on the community.
Okay, great! Thank you everyone. We hope you enjoyed this session. Thank you to Mike for presenting. We appreciate getting experts like Mike to share with us. Here's our legal disclaimer. And thank you once again. Have a great rest of your day you.

Description:

This document explains the steps to configure the Qlik Sense Monitoring Applications (License Monitor, Operations Monitor, Etc) to use Certificate Authentication instead of default Windows Authentication.

Environment:

• Qlik Sense Enterprise on Windows # - All Version

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

1. Export Qlik Certificates via the QMC

• Use the FQDN of the central node for Machine name
• Use Certificate Password
• Check the box to Include secret key

2. Navigate to the path listed to obtain the exported certificates:

• C:\ProgramData\Qlik\Sense\Repository\Exported Certificates

3. Copy the folder that was created and paste it into Engine folder of ALL nodes that will be used to reload the Monitoring Applications

• C:\ProgramData\Qlik\Sense\Engine\Certificates

4. Create a security rule that allows a user to access all Data Connections within the HUB

1. Create rule from template = Data Connection Access
2. Name = Data Connection Access
3. Actions = Read / Update
4. user --> name --> value = <userID>

4. Modify all REST Data Connections that are used by the Monitoring Apps. (e.g. monitor_apps_REST_app, monitor_apps_REST_appobject, monitor_apps_REST_xxxxxx, etc)

1. Log into the HUB
2. Open any application within your workspace to access the Data Load Editor
3. Look for the Data Connections with the name monitor_apps_REST_xxxxxx
4. Edit the Data Connection (Example monitor_apps_REST_app)
   1. URL = https://FQDNofCentralNode:4242/app/full
   2. Authentication Schema = Anonymous
   3. Certificate validation = Skip Server Certificate Validation
   4. Use certificate = From file
   5. PFX file name = <FQDN>\client.pfx
   6. PFX file password = (password used during export of certificates)
   7. Query Headers:
      1. Delete User-Agent = Windows
      2. Add X-Qlik-User = UserDirectory=INTERNAL; UserID=sa_api
   8. Test Connection and Save
5. Log into QMC --> Data Connections --> Edit the Data Connection to remove the userID from the name.
   • e.g: Change from monitor_apps_REST_app (domain_administrator) to  monitor_apps_REST_app
6. Repeat steps for all Data Connections with monitor_apps_REST_xxxxxx

5. Another way to update the rest of the data connections would be to modify them via the QMC

1. Copy the Connection String from the one that was successfully updated via the HUB and paste into a notepad
   • CUSTOM CONNECT TO "provider=QvRestConnector.exe;url=https://QlikServer1.domain.local:4242/qrs/app/full;timeout=999;method=GET;sendExpect100Continue=true;autoDetectResponseType=true;keyGenerationStrategy=0;authSchema=anonymous;skipServerCertificateValidation=true;useCertificate=FromFile;certificateStoreLocation=LocalMachine;certificateStoreName=My;certificateFilePath=QlikServer1.domain.local\client.pfx;trustedLocations=qrs_proxy%2https://localhost:4244;queryParameters=xrfkey%20000000000000000;addMissingQueryParametersToFinalRequest=false;queryHeaders=X-Qlik-XrfKey%20000000000000000%1X-Qlik-User%2UserDirectory%%2INTERNAL%%1 %%userid%%2sa_api;PaginationType=None;"
2. Copy the Connection String from one that still needs to be updated and paste into a notepad
   • (monitor_apps_REST_appobject)
   • CUSTOM CONNECT TO "provider=QvRestConnector.exe;url=https://localhost/qrs/app/object/full;timeout=900;method=GET;autoDetectResponseType=true;keyGenerationStrategy=0;authSchema=ntlm;skipServerCertificateValidation=true;useCertificate=No;certificateStoreLocation=LocalMachine;certificateStoreName=My;trustedLocations=qrs-proxy%2https://localhost:4244;queryParameters=xrfkey%20000000000000000;addMissingQueryParametersToFinalRequest=false;queryHeaders=X-Qlik-XrfKey%20000000000000000%1User-Agent%2Windows;PaginationType=None;"
3. Update the next connection string with all of the information from the first one, BUT using the correct URL and paste into the Data Connection
   • CUSTOM CONNECT TO "provider=QvRestConnector.exe;url=https://QlikServer1.domain.local:4242/qrs/app/object/full;timeout=999;method=GET;sendExpect100Continue=true;autoDetectResponseType=true;keyGenerationStrategy=0;authSchema=anonymous;skipServerCertificateValidation=true;useCertificate=FromFile;certificateStoreLocation=LocalMachine;certificateStoreName=My;certificateFilePath=QlikServer1.domain.local\client.pfx;trustedLocations=qrs_proxy%2https://localhost:4244;queryParameters=xrfkey%20000000000000000;addMissingQueryParametersToFinalRequest=false;queryHeaders=X-Qlik-XrfKey%20000000000000000%1X-Qlik-User%2UserDirectory%%2INTERNAL%%1 %%userid%%2sa_api;PaginationType=None;"

6. Once all of the Data Connections have been modified, then you can attempt a Reload via the QMC of one of the Monitoring Applications (e.g: License Monitor)

PowerShell Script Option

Attached below is a zip file that includes a PowerShell Script that can preform all of the steps above. You can down and extract the script to your Central node.

(Nothing is deleted by running this script only renamed. If you would like to revert back prior to running the script, just swap the Data connections back in the QMC (they have -old appended to them)

1. Run the script as your Qlik Sense Service Account on the Central Node

2. Old Data connections used by the Monitoring Apps will be renamed: Example -  monitor_apps_REST_app --> monitor_apps_REST_app-old

3. The Operations Monitor and License Monitor will be imported to recreate the data connections named Operations Monitor-New & License Monitor-New

4. The Data Connections will be modified to use certificate authorization instead of Windows Authentication (This will create a password protected Certificate at [ProgramData]\Qlik\Sense\Engine\Certificates using the FQDN of the Central Node)

5. Additional considerations: In multi-node environments where the central node does not perform reloads, the certificate generated will have to be moved to the corresponding folders on the other nodes: By Default, [ProgramData]\Qlik\Sense\Engine\Certificates\Central Node Name (keep the folder name the same)

When editing a connection in Qlik Sense, the credentials are removed upon first clicking into the form. They will then need to be filled in again manually. 

This is working as designed. 

Environment

• Qlik Sense Enterprise on Windows 

Description

This short article explains how to use/ troubleshoot connection issue with the Qlik GBQ connector when trying to connect to the Google BigQuery High-Throughput API (https://cloud.google.com/bigquery/docs/reference/storage/).

Some customers reported the following errors when trying to connect via Qlik GBQ connector (within the Qlik ODBC connector package) to that mentioned GBQ API:

"Connection failed:

Please check the values for Username, Password, Host and other properties.

Details

Connection timeout expired"

Or also errors like (after increasing the timeout):

Environment

• All QlikView and Qlik Sense environments 

Resolution

a) If you are facing issues like this, the first step would be to verify if the connection to the GBQ High-Throughput API works via an ODBC System DSN (based on a Google BigQuery third party driver like for example from here https://www.simba.com/products/BigQuery/doc/ODBC_InstallGuide/win/content/odbc/bq/features/ht-api.htm)

b) Also it is helpful to verify if the reloads via ODBC System DSN are working outside of the Qlik product, here you can find detailed steps for a third party tool test: 

https://community.qlik.com/t5/Knowledge-Base/How-to-verify-ODBC-OLE-DB-connections-using-Excel/ta-p/1714871

c) If steps a) and b) were successfully verified please make sure on the Qlik GBQ connector side that the GBQ High-Throughput API is enabled, copy and paste the "HTAPI Minimum results size", the "HTAPI Minimum activation ratio" and "Trusted certificate path" from the ODBC system DSN settings (also try at the same time with "Allow Large Result Sets" option as well) :

d) If the Qlik GBQ connector is still not working, please enable the logging level of the Qlik ODBC connector package to "ALL" (https://support.qlik.com/articles/000043270), rename the current file "QLIKSERVER3_QvOdbcConnectorPackage.log" in C:\ProgramData\Qlik\Custom Data\QvOdbcConnectorPackage\Log so that a fresh log file gets created, reproduce the issue and contact Qlik Support.

Can the NPrinting repository database be installed on a separate PostgreSQL instance such as Amazon RDS PostgreSQL?

Resolution

NPrinting currently does not have to ability to install postgres on a different/separate platform. There is no built in or supported option for this. 

NPrinting server is installed as a single entity and cannot have components distributed to separate servers (except for the NP engine).

Requirements for deployment can be reviewed in Planning your Deployment. 

When we export data to Excel from a straight table, numeric fields have a 14 decimal format as opposed to the 0 decimal format in the original table. 

Environment

• Qlik Sense Enterprise on Windows 
• Qlik Sense Enterprise SaaS 
• Qlik Sense Business 

Resolution

This is working as designed. 

A workaround is to set the number format in the script: '### ### ### ###', '.', ' '

Example:

LOAD
RowNum,
num(GVM, '### ### ### ###', '.', ' ') as GVM
FROM [lib://xyz/Excel/MC_GVM (1).qvd]
(qvd);

Internal Investigation ID(s) 

QB-1835

This session will address:
- How section access works
- Best Practices
- Troubleshooting issues

Environment

• Qlik Sense SaaS

00:00​ - Intro

01:43​ - How Section Access works

03:25​ - The OMIT field

05:11​ - Turning Section Access On/Off

06:47​ - Demo app overview

07:56​ - Viewing with ADMIN access

08:59​ - Qlik's Data Associative Model

09:42​ - Viewing reduced USER access "Claire"

11:37​ - App Opening speed affected

12:09​ - Viewing reduced USER access "Lisa"

13:36​ - Viewing with Section Access Off

14:17​ - Show/Hide Conditions - Field-Level

16:04​ - Show/Hide Conditions with Container - Visualization-Level

16:56​ - Show/Hide Conditions - Sheet-Level

17:32​ - Section Access Script

20:19​ - Using Composit Keys / Link Tables

21:44​ - Using Include Script

22:29​ - Keywords

23:25​ - Q&A

Resources:

Community page with Example app

Help - Section Access

Help - Section Access with NPrinting

How to move Section Access from QlikView to Qlik Sense

Help - Include Script

Strict Exclusion explanation

On-Demand App Generation

Dynamic Views

Section Access in QlikView

Q&A:

Q: What is the difference between "*" and "ALL" in reduction field?

A: The wildcard character * in the data reduction column refers only to all values in the security table. If there are values in Section Application that are not available in the reduction column of the security table, they will be reduced.  ALL is just a value I created and reference in, which I have control over and use to help visualize the relationships.   

Q: Qhat is the best practices when we have a section access based on 5 fields?

A: Create a composite key in a link table or fact table. This is your junction box. 

Q: Sales person to see his sales plus sales for another departments of other Sales person? 

A: Create an aggregate set of facts in your fact table that all users would have access to. 

Q: Do you have to reference the long USER ID string in QS SaaS as the USER ID in Section Access, or can you use ADFS usernames? 

A: Yes -  Using Active Directory Federation Services (ADFS) as an IDP for Qlik Sense Enterprise SaaS

Q: Can we reduce data by numeric field that is a dimension? Can we reduce data using wilcard? For example by fields that begin with dim*? 

A: Any value can be used for data reduction, but wildcards are reserved so you will want to create a secondary table to map your strings. 

Q: Is there still a risk of locking yourself out of a qvf app like there was in QlikView?

A: No. You can always open without data. 

Q: Although section access works with NPrinting for Qlik Sense, show/hide columns don't work with NPrinting from what I have read. 

A: I have used the container show/hide on charts in NPrinting. You could also make your condition in the master item which should propagate correctly.

Q: Can i simply use multiple Reduction Fields? 

A: It could create a circular reference, which is generally not desirable or could create unintended results. A composite key is best practice. - Basics for Complex Authorization

Q: In data script: what's the best practice to build up temp section access table by combining different datasources (excel, qvd) before using that under section access? 

A: This is the same as building any other table.  There shouldn’t be any adverse impact by concatenating tables from multiple sources for the purposes of section access. 

Q: What condition did you use to show the Qlik logo vs. the section access data? 

A: It was just container similar to what I did with the scatter and distribution chart. I used a text object and a filter pane in a container. It was ‘count(USERID)= 0’ and ‘count(USERID) <> 0’ 

Transcript:

Hello everyone, and welcome to the April edition of Support Techspert Thursdays. Today's presentation is Troubleshooting Section Access and Qlik Sense Enterprise with Mike Reese. Mike, why don't you tell us a little bit about yourself?
Thanks Troy. I’m a senior solution architect with Qlik. My main focus is helping guide customers in their Qlik journey through pre-sales, and I actually have 14 years total experience with Qlik; over six now actually working for Qlik directly and eight in the partner space: consulting, wearing various hats, implementation, architecture design, development, project management, you name it.
Great. So, Mike, what are you going to be showing us today?
Today, I will be covering Section Access. So, what is Section Access? We'll go through a couple scenarios of role base Access. We'll do some impersonation. So, you'll get a kind of a good understanding of how you could get into an application as a different user; actually test their entitlements and easily flip between the different types of Access that you might need to implement in your security model. So, then we'll also see how that is applied through the load script. And then at the end, we'll go through some data modeling tips that help facilitate Section Access; and different levels of facts, different types of facts, multi-fact table and being able to set up security in a seamless way. And then also, we'll go through our takeaways and tips and tricks.
Great. So, how does Section Access work?
Good segue. I just have a couple slides to help frame the demo, and then a few more to reinforce what I show. Data authorization using Section Access is implemented using reserve words as field names and values for your entitlements table where Access levels aren't assigned to users within the Section Access part of the script. These tables must contain a minimum of two system fields; Access being one of them. As you come in, a user logs into the application; they're either designated as an ADMIN through this Access keyword, or a USER. And if you're an ADMIN, you have Access to all the data. And if you're a USER, then you have Access to reduce sets of data based on whatever is designated to you in this entitlements table that's set up in the load script.
Okay. So, it's all about controlling the data that's shown to the user based on their profile?
That's right. So, literally you're setting up an entitlements table and through the power of Qlik’s Associative Model; those associations designate what a user can see and what they cannot see.
That sounds like the basics of how Qlik works. What's the difference between the association of any table, and the Section Access table?
Perfect. So, to help visualize the mechanics, we have a Qlik data model accompanied by a Section Access table. And all we need to do is associate one field between the data model tables and the Section Access tables. So, in this case we have ‘Department.’ And this would work with any field, right? It doesn't have to be departments; whatever field you want to designate as your security field. And so, in this case, it does work exactly like the associative model. So, then the difference is mainly it's distinguishing between the security table and the application facing data model through the use of the reserve words that I mentioned; that I promised to talk about at least once more through this demo. One of the others that I’ll cover right now is the OMIT; which is used to designate the names of fields that users should not see. So, basically if you're looking at this “John;” he would not see the social security number field. And neither would “Steve.” And so, something unique to Qlik is that you're now you're seeing the benefit of data reduction. That's row level security through associations the way Qlik works natively. And then you're also seeing the ability to apply column level security through OMIT.
Okay. What if I have more than one field that I want to omit.
Yeah. So, that's actually perfect. So, this is what the data model looks like with the security table. So, if Section Access was turned on, the security tables wouldn't be visible in the data model. And they'd be hidden because they're security tables. But one of the things I’m going to cover in this demo is how you can easily test Section Access through the impersonation. What this example is showing you is Section Access is turned off, and that's simply by commenting out the Section Access declaration. And we'll see more of that as we go through it. What I’ve done is: I’ve created an ‘omit group’ and a secondary table to just list all the fields that I would need to omit for different users. So, basically it's a one to many, right? So, instead of having in the example I showed you before: one user and one omit field; this just gives me a secondary table to have that one-to-many relationship. So, if I have three fields that I have three rows in this table per user, as opposed to three rows in this table; now I could do it either way. I could have multiple rows per user for each field in this authorization table that I set up; and this would be my only Section Access table. But I just set it up as a second table just to make it easier to see, right? So, this is this would be one-to-one per user, and this would be one-to-many for all the omit fields.
Okay, and now when you talk about turning Section Access on and off; is that like a setting in the QMC, or how is that done?
That's actually done in the load script. So, you can see here I’ve added a couple screen captures of that Section Access declaration. Any script that falls below the Section Access declaration and before the Section Application declaration is all interpreted as data reduction and Section Access security. So, effectively all I need to do is: comment that declaration. You'll see those two tables are here. With it turned on, those two tables are now gone. This is what the user would see if they were in a published application with Section Access turned on. What I’m left with is this floating island that I use for some user-experience things related to what the users can and cannot see.
So, I understand you've got a demo set up for us. What version of Qlik Sense are you going to be demoing?
I’m actually going to be demonstrating Qlik Sense SaaS. Okay, there are some similarities. There are a couple differences that I’ll cover throughout this, but everything is moving towards the cloud, so I figured why not show that the latest and greatest that that Qlik has to offer.
Yeah.
What we're looking at now is just something that that we have set up it's called ‘sPortal.’ You could actually get it on Github. It's just a way to impersonate different user Access. Three roles that I’m going to demonstrate would be: like, myself; calling myself the CIO. I have Access to all the data. I develop things, I’m a tinkerer, I see the whole entire application, all the data, all the visualizations. The other person I’ll log into this with is ‘Claire,’ who's a marketing lead in the North. And she has visibility into a couple different territories and sales data. And then lastly, we'll log in as ‘Lisa Grisham,’ who is a sales director. And she has visibility into individual rep data in the South territory.
All right. So, here we have the Qlik Sense Hub. And what I’m going to do first is: get into a published copy where the security is already applied, right? So, here I have my published copy which is indicated by this red. This is published to the Everyone space, versus this one which is in my Personal space where I’m doing the development. And that's where I can do my role impersonation. So, we're going to start here.
Okay. Now yeah, can you walk us through this app a little bit?
So, I’ve got a few sheets to help demonstrate the security. I’ve got a Sales Op tab. I’ve got a tab to show the associations and the reduction. I really want to emphasize that the security in Qlik Sense, the Section Access Data Reduction is - it works the same way as the associative model. You're logging in, Sense is clicking on a value behind the scenes, and then it reduces that data set to everything that's related to that value.
Can you tell us what the colors indicate?
So, the OMIT groups that I had designated are encompassing the fields that would be hidden based on your access rights and your entitlements table. Remember that OMIT keyword? The Contact Info group is going to omit Phone and SSN for the users that are in the Contact Info group. If you're in the Office Group, you're going to lose visibility into Office City. And if you're in the Salary OMIT group, then you lose visibility into the Salary field.
All right. So, I’m going to jump into this Sales Ops tab. And as a user that can see everything, I see the total sales for the organization so that's $422,000. Note the logo here. That's going to change when I when I come in and do my testing with Section Access turned off, so I can do some impersonation. And then over here, you're going to notice this is a scatter table that lists all of my sales reps. Right. So, there's a number of different sales reps here. Down below, we have ‘revenue by territory and customers.’ So, these are all my territories. And then I can actually drill through to the different territories. And that's important, because when you see the data reduction, you're going to see how this this table is affected. In one instance, you're going to see it reduce down to two territories. And another, you're not going to see any territories. It's automatically going to be reduced to the customer level data, because a person only has visibility in one territory.
So, this is if we're logged in as an ADMIN, right?
That's right. Yeah, somebody has visibility to the total data set.
Okay.
And then, just as we were talking about the color-coded columns, these are the three that I’m actually applying: it's the Salary, Office City and Phone. That is the main thing here. And I just want to come into this Associations Tab. For those who aren't that familiar with Qlik Sense in the associative model: when I click on a value, all the associated values are in white, and anything that's not associated is grey. So, that's the secret sauce. So, security literally works the same way. So, if I login as a user, and all I can see is New England territory, I’m only going to see data for the city of Newton. I’m not going to see any of these cities. These are going to evaporate, and I would say “before my eyes,” but it would be actually before I even get to see anything. So, obvious that's security, right? I’m not going to see anything related to Reps that aren't in white. All these reps are not in my view, they disappear. But as somebody that can see the whole data set, I can see all these associations across all my data.
So, can we test this with one of the other users?
I’m going to go in as Claire. And Claire is a marketing lead in the North, so Claire has visibility into two territories.
Okay.
And now Claire sees this, right? So, same application but the difference is: with no selections applied, I’m only seeing $212,000 in sales.
Right, that's gone down, okay.
That's right. So, the data reduction is working. I still see all the visualizations; however, this visualization has changed. You might recall, in the previous application, we were looking at a scatter chart. Now we're seeing ‘Sales by Product and Territory-Distribution,’ and that's because she's a marketing manager. And this, products are more relevant to her than a scatter chart of sales reps. So, this demonstrates using Section Access to really drive what visualizations a user can see, right? So, you can do that at the object-level. You can do it at the field-level. You can also do it at the sheet-level. Notice now the territories have been reduced. We had a number of territories at the seven or eight or something like that. Now, we've been reduced to two territories: Canada and New England. Now, I can still drill through, right? And I can still get to the customer level, but I just don't see all the territories that I wouldn't have visibility into.
And I see that Salary field is missing as well.
Exactly right! So, now that green field is gone, because I shouldn't have visibility into Salary Data as a marketing manager. And so, that's it. That's actually data reduction and object-level security at work through Section Access. So, now they go into associations again. That green Salary column is gone, but on the right-hand side of the screen, we can also see that the reps have been reduced. To really emphasize that, let me jump back into my other example as the administrator. Here's all the City data, here's all the Territory data, right? Flipping back over here, you can see that those data is reduced. And I’m not seeing the gray.
Right.
Because I don't have visibility into it. So, that's what the data reduction is doing. It actually is removing that data from the application.
When you have Section Access turned on, does it actually affect the performance of opening the app?
Yeah. So, it could. If you have a very large application, and the reduced data set is much smaller than that, then the perception of the user is going to be: it's taking a, it could be taking a while to open. Effectively you're opening the application if it's large, and then you're reducing it; versus if you had a smaller application from the get-go, that opening time would be somewhat quicker. But and I would say in most cases it's negligible.
To be clear, that's just the first time the app is opened after reload, right? Not every time?
That's right.
And who's the third user we're going to test?
Yep, let's do it. So, the other user now that I want to get in as is Lisa. And Lisa is a sales director. So, she only has visibility into one territory. So when Lisa gets in, now we see a different picture, right? We only see $51,000 in sales. And instead of seeing that distribution chart that we were just looking at, we're still seeing, we're seeing the scatter that we saw originally. But now it's reduced to three reps instead of the whole sales force.
Yeah.
And down below, we're looking at ‘Revenue by a Territory and Customer,’ but it's only the Southeast territory. So, it's automatically drilled down to what territory Lisa can see, and just the customer review. So, that you're seeing what's relevant to Lisa. And over here, we no longer have visibility into the personal information of the employees. You can see that now: you have different levels of access for different users, and different columns are being hidden.
Great.
So, now I’ll go over to the associations to show the difference in what Lisa can see versus Claire.
Okay.
All right. And now you can see a much smaller set of data. You can see much fewer rows, and we're only looking at the Southeast territory now and the city of Raleigh. The reduction is doing exactly what it should be doing. Associations are still working, right? So, I can still see that, but it's only at the level that she has visibility into.
So, how are you able to manipulate the app to show and hide the different charts and fields?
So, let me go back out to my hub here, and go into my unpublished copy that's in my personal space. So, now we're actually opening this with Section Access turned off, and that's that that one Section Access declaration commented out.
Okay.
Instead of that Qlik logo that was in the corner here, I’ve got this this actual drop-down box. So, this is one object that's actually using the show and hides. Hiding the text box with the image in it and it's showing me a list box. And now I have actual visibility into user-level information. So, if I want to impersonate Lisa or Claire or myself, I can. All I need to do is click on these. This is working just like the associative model works.
Right. So, those tables are still in the data model, but now they're no longer Section Access tables; they're just a part of the regular data model?
That's exactly right. They're just regular old tables, right. So, you can see as I click it, I’m seeing the visibility that I would see as if I logged in and everything was being reduced.
So, how do you configure those show and hide settings?
Let me actually get into edit mode. I’ve got some sheets that I’ve duplicated here, and now I can actually edit the sheet and see what's actually driving those show conditions. So, I’ll start with the table here. This is the probably the easiest thing to look at first. So, we've got the Salary field, Office City and Phone. So, the one thing to keep in mind is when you're using Section Access with column-level security, if a column is omitted and it's in a visualization: the visualization won't render. It'll actually fail. You actually have to put in a little protection for that if you're going to omit the field for users that should see that visualization. So, one option is to hide the column or swap it with a different column, or you use a container with different visualizations in it; and I guess the third option would be: show them one sheet versus another. So, I’m going to start here at the field-level in a table, and we'll just look at the Salary expression. Here is your Show Conditions: ‘Show Column If,’ and what I’m actually checking is that OMIT group, the field that I created, and if the OMIT group is equal to Salary, then that means don't show Salary, otherwise show it (-1) is true.
Okay. So, that's how you hide it or show it based on the profile?
That's exactly right. So, just to reinforce that, if I look at Office; same evaluation, except we're looking at the Office OMIT group instead of Salary, right? So, that way when the Office field is eliminated, you won't get an error that the visualization can't render, because the field doesn't exist. You're telling it to disable the field knowing that it's already not there.
That's a great tip for hiding columns with a show condition. I did, I wasn't even familiar with that concept actually.
Yeah. It's actually, it's one of those things that, it's a best kept secret, I guess; which shouldn't be a secret.
Exactly.
So, and then, let's talk about it at the visualization-level. So, in this case, I wanted to drive the marketing manager Claire into a completely different visualization. Data reduction aside, I just wanted to see something else. So, instead of the scatter chart, we use a show/hide container. If those of you familiar with QlikView, it's very similar to that. Here's a Container Object, and the content would be the charts that are in it. So, it's actually the Scatter Chart and the Distribution Plot that we use to show different visualizations based on the access, right? So, in this case the distribution plot. What I’m checking in to see is: if the COUNT of Territories is = 2, then we know that's our marketing manager, and so she should see the distribution chart instead of the scatter plot.
Cool. So, it's a container that has multiple visualizations in it, and you just show it based whichever specific visualization based on the profile?
You got it. Right.
That's super cool.
And then just to tie that off here. Then I clicked on the sheet, and then the last one we have is the show condition for that. So, I’m not using that in this example, but this is something newer that was added so you have that ability. Again, to show different sheets based on whatever conditions you want to create, doesn't have to be security. It could be anything, and the same applies for the other things. I’m just using security as a way to drive show/hide conditions.
I love this concept of turning off Section Access and being able to cycle through the different users to help troubleshoot. Can you walk us through how the script is set up?
Yes. Yes, perfectly. So, the data load editor is what we have to get into, right here. And then I have one tab set up for Section Access. And so, like I was saying earlier, if I want to show my security tables in a data model, all I have to do is comment (//) that Section Access decoration, and now my authorization table and my OMIT fields table become part of the data model so that I can actually select them and impersonate who I want to impersonate without actually having to login as that user, right? And so, you can see this is it. These are my two security tables. I only technically need one, but like I was saying earlier, I created this OMIT group field to then show that one-to-many relationship between a user and the multiple fields that they might need omitted. So, Contact Info is an example: if you're in the Contact Info OMIT group, then you're not going to see Extension, Phone Number and Social Security. The keywords that I was talking about access that's either ADMIN or USER. If you're an ADMIN, you're going to have visibility into all the data. If you're a USER, then the data reduction is going to be applied based on whatever you're using as a reduction field. So, these are both keywords: ACCESS and USER ID. REDUCTION is not a keyword. It's just whatever name you designate for your security key which is going to link to your Application Section. So, this part right here, this Declaration; it’s where your underlying data model fields will begin to load.
Okay.
This link between REDUCTION in the Section Access script and REDUCTION in the data model is really where the actual reduction is happening. If I’m in a REDUCTION of 1, then I’m only going to see data related to Office ID 1. If I’m in 4, then I’m going to see Office ID 1 and 2. If I’m ALL, I’m gonna see 1-5.
Right. That makes sense.
Now, the one thing I want to point out here: ALL is something that I just use to help with the testing. Technically if you are an ADMIN user, you're going to have visibility on all the data. But using this this method of turning off Section Access and being able to test everything; if I didn't have this in here, then then the ADMIN actually wouldn't see everything. So, for testing purposes, you might want to have an IF condition to add these duplicate set of keys for the ADMIN; versus in production, you might want to just use the ADMIN. Does that make sense?
I understand, yeah. You're just recreating the ADMIN rights for data association for testing purposes, but otherwise you wouldn't need it.
Yeah, that's it. That's exactly right. So, that's everything that's behind it.
There's different layers of granularity. How would you manage a more complex reduction? For example: not just Office Location; what if it's Product and Department?
Yeah. So, that's a good question. Well in that case you, would just you would set up a Composite Key. And that actually helps segue into one of the slides that I that I wanted to show.
Okay.
Many of you may have already been working with the load script for a while. So, you might be familiar with star schemas and snowflake schemas and whatnot. I think most often when somebody's building a data model, they just bring in the tables as-is; and they don't create an explicit fact table or a link table, and that's fine. But when you're using security and you have these different levels of granularity; you would have to create a Composite Key for all those values. So, let's just use Department and Product as an example; you would have a field that would have Department (maybe separated by a pipe) and then the Product. And then you would link that into your Link Table. So here you have your multiple fact tables, and so that Link Table is going to operate as a junction box for all your access rights into those facts. So, that way, you're not having to duplicate facts. You're just managing all that through your security table, and so every value that should have visibility into: fact one or fact two, you're managing that here, right? In the same token, you can do that with a Combined Fact Table. This is all precipitated on having a security field that has all the values in your Composite Security Key that you would need to determine what facts you have visibility into and what dimensions you have visibility into. So, that way you're not managing a tangled mess of facts and aggregation. And I’ve seen a lot of different users try to manage this through really complex formulas, and the easiest thing is to create the Link Table when you have complex security.
Okay, that makes Sense. Is there a way so you can set up the same Section Access tables between multiple documents? So, you're sharing the same access across multiple apps?
Yeah, actually. So, you could use what's called an Include Script. So, you could actually store the script for Section Access in a file, in a separate file a text file or a qvs file, and reference that Include statement. Effectively, it's reading the code in as if it was part of the load script, but it's just reading it from a separate file. And any of you that have any web development experience would be familiar with using include files; but it simply is - it's the script that you would use for your Section Access, but you stored it in a separate file. And then, you're just picking that file up and it will interpret that as part of native script.
Just so everyone is aware, we'll include a link with the recording of this session on Qlik community to the same demo app that Mike was using today. So, you can reference that if you'd like. Mike, what are some key takeaways from today?
Yep, so perfect. One thing I promised earlier was: I wanted to cover some of the keywords. So, if you have some experience with Section Access with QlikView, you're familiar with NTNAME. In SaaS, you're using USERID. So, that's one of the bigger distinctions. And there's also a GROUP keyword that can be used in SaaS. There's a couple other things that I’m not going to get into in this, but we'll share this and along with some other resources that'll really get into some of the details. If you're, let's say, if you're coming from Qlik view and you're coming into Qlik Sense, and what changes you might need to consider when you're implementing Section Access in Sense. So, we'll include a lot of links and helpful information and tips and tricks that the Troy’ll package up and put out there for you guys to consume. And I think that should cover most of the things I wanted to touch on.
Yeah, we'll definitely include links to all the documentation where you can find more information and resources. Then it's time for Q and A. Please submit your questions in the Q&A panel on the left side of your On24 console. Mike - which question would you like to address first?
So, the question is: in Qlik view Section Access settings, there's the strict exclusion setting I’ve never understood what the check box does. Can you explain?
So, what that does is it implies that: if there's no values that match the fields you're reducing on, then you actually get to see everything (with strict exclusion unchecked). So, in QlikView you would always want to check that to ensure that somebody who didn't have matching values wouldn't then end up having visibility in all your data. Now in in Qlik Sense, there is no strict exclusion setting, because it's strict exclusion by default, right? So, for those of you that are actually migrating from QlikView to Qlik Sense, that's just one thing to be aware of when you're actually creating your Section Access or when you're doing the migration.
Okay, next question.
All right, let's see, okay. So, I’m using Section Access to limit the Access level the data for each department. Each department chief should only see the data of their department, but for some sheets I want them to see all the data. Is there a way to do that?
So, the sheets themselves don't have anything to do with the data. The data reduction is going to eliminate the data that they can't see. So that's something that you're going to have to determine in your data model: where the security should be applied and what value should be reduced. If the question is: I don't want them to see some sheets, then there's show conditions on the sheets. But if it's around the data, and you truly want to secure the data, then it should be reduced out. Otherwise, you just, you would have to manage it differently.
Okay.
Let's see. So, is it possible to restrict action to certain fields in a table to all users?
I’m not quite sure when we say “restrict action” what we're looking for, or if it's just visibility then. And if we're trying to restrict it from all users, then I just wouldn't load it in the data model. that would be the simplest. If there's for some reason it needed to be part of the data model, then I would use, I would apply that field to the omit keyword, the preserver that is in your entitlements table
Okay.
All right, let's see. So, is there a way to have global Section Access and Section application table that can be applied to multiple documents without having it in the script of each app?
Now that was something we covered when we were talking about “include.” So if you want to reference Include Script with Qlik Sense, you can you can find plenty of help on the community on that or in the help.
And let's see what else we have. So, is there a way to build the Section Access authentication based on their SaaS login, so it automatically limits the data based on who they are without having a separate password for each app?
Yes, that's exactly what we're doing with Section Access. So, we are we're taking that user login based on the subject id, and that's their user; and then they are being reduced based on the entitlements that you've already set up, so you don't actually have to have a separate password for each app.
Okay, next question.
When I develop the app using Qlik Sense locally everything seems to work, but after importing the app on the production server, only the Admin has Access.
I could probably help, but I don't know. I think I need a little more context to answer that. So, there might be some difference in the way, it sounds like there's difference in the, differences in the way that the user is being identified. So, that while it's working locally it's interpreting that USERID is something different, that would be my guess.
In Qlik view, I can use the loop and reduce within publisher instead of Section Access with large QVWs. Is there something similar in Qlik Sense, so that the data in the app is limited instead of limiting Access to the data?
There are techniques to do a loop and reduce. There isn't something specifically the same as loop and reduce in the Qlik Sense scheduler, but there are there are ways to manage that. You can do it through the API is one option. I know that there's a couple other examples out there if you look up “loop reduce for Qlik Sense” you'll see some alternate ways to accomplish that, but I also say the, I mean if it's a concern around the data size, we also have different techniques like “On-Demand App Generation” and also “Dynamic Views.” And what on-demand app generation is just level, is you have an aggregate app, you make some selections in it. It passes those selections to another app which reloads on the fly. And dynamic views is similar, except that you're working with one application, and then certain tables or certain objects are then are refreshing based on the selections in real time, so those are a couple different ways where you wouldn't have to necessarily apply loop and reduce. Kind of a different way of thinking.
These are great tips.
Yeah, thanks. So, let's see what else we have. So, Section Access reducing data on fields of numbers. Does that work or should the format be text in all reduction fields?
It doesn't really matter what the format is, if you have two values that are the same on both ends, then it's automatically going to reduce based on that. So, if it's numbers in one value and text and another value, and a combination of numbers in text, they'll all work if you have a match.
Okay, next question.
Okay, so what are some best practices to reduce access based on multiple field values in the same record line?
Composite Keys ultimately. So, you're gonna when we're talking about the data model, and using a Link Table as your junction box, or a Combined Fact Table, that's how you're gonna have to accomplish that. You're gonna create a Composite Key that ultimately strings together other every value that you want to be a part of that key, and that that is your security right there.
Okay. Can you apply Section Access using dates?
Yep, just another field. It could be a date by itself or it could be a combination of dates, but yeah; I guess that's the, I’d be curious to know a little bit more about how you would apply just a date as security, and what the use case is, but that's, but at the end of the day, it's just another field.
What are the limitations on granting Section Access for a specific sheets in Qlik?
So, that was the Show Condition that I had previously demonstrated in the demo. So, you'll have the ability to show hide the three places. Just to recap, you have it in the object, you have it at the field-level, and you also have it at the sheet-level.
And let's see, what else? There's also: is this available for Enterprise on-prem?
Yes, all our products, you can apply Section Access, except for local copies of Qlik Sense which aren't part of part of the Enterprise deployment.
Okay, the next one: how can I efficiently restrict access over multiple values, and where records are not present one table but are in another?
This is something I’ve encountered before. You're trying to create security on fields that exist in different tables, and so that goes back to that example I gave previously, where you want to use a Link Table. The Link Table solves a lot of problems, because again it is like a junction box. So, you can shove everything you need to in that security field to help drive what's in your fact table. In this case, it sounds like you have ultimately what would be a Combined Fact Table. You have facts coming from multiple tables.
Okay Mike, we have time for one last question.
Okay and let's see. So, is there a standard way to allow a user to see his own detailed data and only summary data for users?
Okay or for other users, I think that's a good question. Because this comes up a lot what you want to do in that case is actually, typically we say just bring everything at the detail level. Because we would then aggregate but if you're applying security, and you need somebody to see the aggregate information then it's not going to work. But what you could do is: actually add the summary data in as separate records, separate transactions, and you could put that in its own table or you could add it as part of your fact table if you're using a fact table
Great! Thank you so much Mike!
Again, thank you for everybody for your time. I appreciate this you know. I love being able to share the things that I’ve learned along the way. Section Access, I know when I first started working with it, just seemed like a black box and there wasn't a lot of information around some of the best practices, and all the things that you could do with it back in 2007 when I started working with it. So, happy to share the things I’ve picked up along the way and hopefully you've gained something from this, and you'll be able to be successful in implementing security in your organization. And so with that, again thank you, and you'll see me on the community.
Okay, great! Thank you everyone. We hope you enjoyed this session. Thank you to Mike for presenting. We appreciate getting experts like Mike to share with us. Here's our legal disclaimer. And thank you once again. Have a great rest of your day you.

Azure blob storage connector throws the following error:

AuthorizationPermissionMismatch Error 403 

Environment

• Qlik Sense Enterprise SaaS 
• Qlik Sense Business 

Resolution

The error is caused by a configuration mismatch in Azure. Review the following documentation for the correct settings: 

• Azure Storage
• Configuring Azure Blob Storage in Qlik SaaS (Qlik Cloud Services, Qlik Sense Business)

More details about the needed roles here:

• Assign Azure roles using the Azure portal

Please bear in mind that when assigning roles in azure it might take some time (5 min approx) to deploy those changes and during this time gap, the error "AuthorizationPermissionMismatch Error 403" might still be appearing.

Qlik NPrinting is not honoring Qlik Sense custom theme.

Environment

• Qlik NPrinting 
• Qlik Sense Enterprise on Windows 

Resolution

Prerequisites: 

• Qlik NPrinting, from June 2020 and later versions, supports Qlik Sense custom themes on objects exported as images.
• The minimum supported Qlik Sense version is February 2019

How to resolve the issue:

• The chart title color is referenced in the wrong way in the theme.json. "object.title.color"
• The color should be set on the path "object.title.main.color" where "main" is likely missing in the the theme .json file.

See the following documentation for correctly formatting your .json custom theme file for creating custom themes:

• Custom theme JSON properties
• Extended object styling

​
NOTE:  

• To ensure success, please follow the documentation mentioned above accurately to ensure the expected results meet actual results.
• If you would like assistance with developing your custom theme, please reach out to your Qlik Account manager who can put you in touch with our Professional Services Group.

Internal Investigation ID(s) 

QB-2137

This is a sample of how to call a REST API in Qlik Sense Enterprise SaaS with PowerShell.

Environment

• Qlik Sense Enterprise SaaS 

Resolution

To begin, an API key needs to be created which will be used to call the API, see the following tutorial:
https://qlik.dev/tutorials/generate-your-first-api-key

All API endpoints available can be found at https://qlik.dev/apis

The URL used when calling the API should be https://{tenant name and region}.qlikcloud.com/api/v1/{endpoint}

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$hdrs = @{}
$hdrs.Add("Authorization","Bearer eyJhbGciOiJFUzM4NCIsImtpZ....moMC2G")
$url = "https://mytenant.eu.qlikcloud.com/api/v1/apps/adf40cb9-ecbf-41c0-bfd5-cdcfe89e0ae9"
Invoke-RestMethod -Uri $url -Method Get -Headers $hdrs

Qlik Sense Desktop can authenticate against Qlik Sense Enterprise Client-Managed, Qlik Sense Enterprise SaaS and Qlik Sense Business.  This is how customers can continue to use Qlik Sense Desktop, and it provides a very economical option when paired with Qlik Sense Business. 

The following requirements need to be met:

• A functioning network connection to the Qlik Sense Enterprise Client-Managed Server or Enterprise SaaS/Business tenant.
• Use of a Professional license. Analyzer licenses do not support Desktop Authentication
  For legacy token license: User and Login Passes allow Desktop Authentication
• No TEST license. Test licenses disallow the use of authentication links 

Environment

• Qlik Sense Desktop 
• Qlik Sense Enterprise SaaS 
• Qlik Sense Enterprise on Windows 
• Qlik Sense Business 

Related Content 

Configuring Qlik Sense Desktop authentication link 
How to authenticate Qlik Sense Desktop against SaaS editions 
How to authenticate Qlik Sense Desktop against a Qlik Sense Enterprise on Windows server  

When trying to migrate Qlik from a newer version you might have the below error message:

Environment

• Qlik Sense any release

Resolution

Depending of the environment there is several possible solution:

1. Be sure the below file is not locked (by an antivirus for example) and be sure you do have full right permission on this file. If this file is locked you would have the above error message.
   
   C:\Program Files\Qlik\Sense\Repository\Repository.exe.config
   
   
   
   
2. Try a Qlik Sense Repair: Repair in Control Panel Programs 
   
   
   
3. If solution 1 and 2 aren't working then you would need to perform the upgrade as below:
   
   

1. Uninstall the current Qlik Sense WITHOUT removing the certificates and data folders - checkbox NOT checked.
2. Install the new version of Qlik Sense on top of what is left from step 1 - make sure to point to the existing database in the installer's UI.

Pretty much what is described in article How to uninstall and reinstall Qlik Sense without loosing settings and data, but instead of installing the same version in step 4 (from article), we want them to move directly to the new Qlik Sense version (the one you are trying to migrate to). 

OR

1. Make a full backup - database, certificates etc. See Backup article 
2. Uninstall your current Qlik Sense version WITH removing the certificates and data folders - checkbox CHECKED.
3. Restore Qlik Sense with the new version.

Please see here for complete steps on how to create a full backup and restore it later on.

NOTE: If you have a multi-node environment, it would be needed to stop all the services on all the rim nodes before conducting any of the scenarios above. Once you got the new Qlik Sense version successfully installed on the central node, you can directly upgrade one node after another to the new version.

Related Content 

How to uninstall and reinstall Qlik Sense without loosing settings and data 
Backup and restore Qlik Sense Enterprise on Windows 

Repair in Control Panel Programs 

Internal Investigation ID(s) 

Jira QB-4056

Hello Qlik Users!

Did anyone see the new update in Qlik Sense SaaS?

Updated appearance and location for Navigation menus, panel buttons and toolbars

The Prepare, Analyze and Narrate menus were relocated from the toolbar's middle to the left side.

The Assets panel and Properties panel toggles now appear on the left side, where before they were on the bottom toolbar.

You’ll find the menu next to the Qlik logo. Click the ellipsis (…) to expand the menu to see the App Overview, make the sheet public, toggle the touch screen mode and more!

Improved Workflow Management

You can now republish an existing app! Make changes to the unpublished app in your space and push the changes to a published app in a managed space.

PDF WYSIWYG Exports

Exported sheets will retain themes, margins, presentation headers and other visual elements. The output will closely resemble what you see on the screen.

What do you think about the new improvements? Let us know in the comments below! For more information on the updates, be sure to check out the Qlik Sense SaaS in 60 video here or within the Connect & Learn button in your Qlik Sense SaaS hub.

Thank you for choosing Qlik!

Kind regards,

Qlik Digital Support

A mashup visualization with a container using CSS  zoom has the cursor in the wrong position when interacting with the visualization.

Environment

• Qlik Sense Enterprise on Windows 

Resolution

CSS zoom is a non-standard feature. See zoom. Therefore it is not a supported transform in Qlik Sense and is not recommend to be used in production.

 This video is part of the Qlik Fix Video series. If you found this video useful, check out the other Qlik Fix Videos.

This video will demonstrate how to synchronize users from multiple domains that are members of an Active Directory Universal group with Qlik Sense Enterprise on Windows.

Here is a link to more information in the Support Knowledge Base:

Qlik Fix: Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Entreprise on Windows 

Video Transcript:

Hi and Welcome to Qlik Fix!
This video will demonstrate how to synchronize users from multiple domains that are members of an Active Directory Universal group.
Since the September 2020 release of Qlik Sense, it is now possible to sync users belonging to multiple domains with a single User Directory Connector, which simplifies administration.
Let’s start by opening “Active Directory Domains and Trust” and check our current setup.
Here we have the root forest domain called “domain.local” and a trusted domain2.local domain. Each domain has its own set of users that need to be synchronized with Qlik Sense.
An important requirement for Qlik Sense to work with multiple domains is the full bidirectional trust enabled between the domains.
Here we create an Active Directory Universal Security Group called “Qlik_Sense_Users”, and add users from both domain.local and domain2.local.
Next on this newly installed Qlik Sense server without any synchronized users or a Directory Connector, we’ll create a new Advanced LDAP connector.
In this example we’ll name it “Domain” to match the domain name where our group was created.
Uncheck the box “Sync user data for existing users” so that we can import new users into Qlik Sense.
Then, for Host set it to the domain that hosts the Global Catalog server containing the AD group. We will use the default Global Catalog LDAP port 3268. <annotation> Note port for LDAPS is 3269. If you point to the default LDAP port 389, the sync will only be able to import users belonging to domain.local.
Make sure to setup with a Windows account that has proper permission to access directory information in Activity Directory.
The base DN here is important, and should include both domains. Otherwise, only users under the DN specified will be retrieved. In this example we set it to “dc=local” which both domains are found under. <Annotation> e.g: setting to “dc=domain2,dc=local” would retrieve users from domain2 only.
We’ll pick the default Page size of 2000 results per synch request.
Then set an LDAP filter to load users from the specific Active Directory group we created earlier. For more information on setting LDAP filters take a look at this knowledge base article in Qlik Community.
As our final step, change in the Directory entry attribute for “User identifier” from the general LDAP standard “inetOrgPerson” to Active Directory standard “person”, as the identifier for users.
Apply the settings and start the Sync task.
We see that the new users are imported from both example domains.
If you’d like more information,
Take advantage of the expertise of peers, product experts, and technical support engineers
by asking a question in a Qlik Product Forum on Qlik Community.
Or search for answers using the new SearchUnify tool.
It searches across our Knowledge Base, Qlik Help, Qlik Community, Qlik YouTube channels and more, all from one place.
Also check out the Support Programs space.
Here you can learn directly from Qlik experts via a Support webinar, like Techspert Thursdays.
And don’t forget to subscribe to the Support Updates Blog.
Thanks for watching.
Nailed it!

Attached is a downloadable .mp4 video file for those who cannot view YouTube videos.

#QlikSupport

Hello Qlik Users!

Are you interested in hearing directly from our Product Managers on the future of Qlik Data Analytics? Would you like to hear more about the features that are coming?

If you answered “Yes!” to either question, register for the Qlik Product Portfolio Strategy and Roadmap webinar! You will get to hear about all the fantastic things to come on the Data Analytics side of the house, plus have a chance to ask our Product Management Leadership questions.

The session is on June 3rd, 2021 at 11 am EDT. For more information and to register, please see:

Qlik Product Portfolio Strategy and Roadmap

You must be a Qlik customer, partner or luminary and provide a company email address to register for the event.

Thank you for choosing Qlik!

Kind regards,

Qlik Digital Support

Partial menu appears when right clicking on the objects.
For example- in the bar chart below 'Open Snapshot Library', 'Take a snapshot' , 'Full screen' and 'Open Exploration menu' options are not present, when right clicking.

Environment

• Qlik Sense any version

Resolution

Turn OFF 'Touch screen mode'.

Cause 

'Touch screen mode' was ON.

Note: Attached qvf for reference.