Qlik Community

Ask a Question

Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.

Announcements
QlikWorld Online 2021, May 10-12: Our Free, Virtual, Global Event REGISTER TODAY
Henric_Cronström

Section Access is a QlikView feature that is used to control the security of an application. It is basically a part of the load script where you can define an authorization table, i.e. a table where you define who gets to see what. QlikView uses this information to reduce data to the appropriate scope when the user opens the application.

This function is sometimes referred to as Dynamic Data Reduction, as opposed to the loop-and-reduce of the Publisher, which is referred to as Static Data Reduction.

 

Data Model.png

 

For example, above you have the authorization table in Section Access to the left, linking to the field COUNTRY. (In a real application, the authorization table is not visible in the data model.) This means that when a user opens the application, QlikView uses the user name (NTNAME) to establish which countries this user is allowed to see, and then makes the corresponding selection in the Customers table.

The selection propagates to all the other tables in the standard QlikView manner, so that the appropriate records in all tables are excluded, whereupon QlikView reduces the scope for this user to only the possible records. This way, the user will only see data pertaining to the countries to which he is associated.

 

Selection.png

 

A good way to debug your Section Access is to temporarily remove the Section Access statement and run the script. The authorization table will then be visible in the data model and you can make selections in NTNAME.

Within Section Access you should define at least three fields: ACCESS, NTNAME and a third reducing field that links the authorization table with the real data. You may have additional fields also, like user roles or departments.

 

Some points around Section Access:

  • All fields in Section Access must be upper case. Hence, the reducing field must be in upper case also in the data. Use the Upper() function and name the fields in upper case.
  • Don’t use the fields USERID and PASSWORD, unless it is for testing or debugging. Proper authentication is achieved through NTNAME.
  • NTNAME is the field used to match an authenticated user – also if you set up ticketing using other authentication mechanisms than Windows integrated security.
  • NTNAME may contain names of groups as well as individual users.
  • Make sure "Initial Data Reduction..." and "Strict Exclusion" are checked (Document properties - Opening). If the field value of the reducing field in Section Access doesn't exist in the real data, the will be no data reduction unless Strict Exclusion is used.
  • If your users work off-line, i.e. download the physical qvw file, the security offered by Section Access has limited value: It does keep honest people honest, but it will not prevent a malicious user from seeing data which he shouldn't have access to, since the file is not encrypted. So for off-line usage I instead recommend the static data reduction offered by the Publisher, so that no files contain data the user isn't allowed to see.
  • In most of our examples, an inline Load is used in Section Access. This is of course not a good place to keep an authorization table. Store it in a database and load it using a SELECT statement instead!

 

And finally

  • Always save a backup copy when making changes to Section Access. It is easy to lock yourself out...

 

Section Access is a good, manageable and flexible way of allowing different access scopes within one document. And when used on a server, it is a secure authorization method.

 

HIC

 

Further posts related to this topic:

Data Reduction – Yes, but How?
Data Reduction Using Multiple Fields
Tips and tricks for section access in Qlik Sense (2.0+)
https://youtu.be/ObuetXgk2R8

42 Comments
stevedark
MVP & Luminary
MVP & Luminary

Hi Henric,

Thanks for this - nice to see a very simple introduction to what Section Access is and can do.  Glad to see you mentioned the perils of locking yourself out - I dedicated a whole blog post to this subject a while back:

http://www.quickintelligence.co.uk/help-ive-locked-myself-out/

Steve

18,529 Views
kirankkk
Creator II
Creator II

Thanks Henric for simple and help full article.

Could you please elaborate at offline mode how security breach can be there ?

What I  understand if section access information is coming from database or from inline table which mostly we can put in hidden script  so how can it can break?

Thanks & Regards

Kiran Kokade.

0 Likes
18,529 Views
Henric_Cronström

The file isn't encrypted, so of course it is possible to get to the hidden data - one way or another. That's why I think you should use static data reduction when the files go off-line, so that there is no hidden data. Or keep the files on a server, so that no unauthorized data leaves the server.

HIC

0 Likes
18,529 Views
kirankkk
Creator II
Creator II

Is there any alternative for publisher for static reduction?

Thanks & Regards

Kiran Kokade.

0 Likes
18,529 Views
sudeepkm
Specialist III
Specialist III

Hi Henric,

Thanks a lot for a nice article. I've a quick question related to the below given statement.

"If the field value of the reducing field in Section Access doesn't exist in the real data, the will be no data reduction unless Strict Exclusion is used."

Assume that the field for data reduction is "REGION" and there is a value as "CA" present in the Section Access table however the value "CA" does not exist in the real data table.

1. When the Strict Exclusion is enable

    Will the end user be able to open the QVW itself ?

2. The Strict Exclusion is disable

     Will the end user be able to open the QVW itself ? if yes then will he be able to see all the values of field Region?

Thanks and Regards,

Sudeep

0 Likes
18,529 Views
stevedark
MVP & Luminary
MVP & Luminary

Hi Kiran,

I have used a driver file with the ID's of the allowed records in, which is then loaded first and used as a WHERE EXISTS for the rest of the data.  The same empty QVW is then copied into a number of folders, each with a different file of ID's in it, and then each QVW is reloaded - picking up the correct data.  This is then all tied together with a batch file to do the copy and the reloads.  Windows Scheduler can then be used to fire the .bat file.

This works okay, but Publisher is the far better way of achieving this - from a logging and resilience point of view.

Steve

18,529 Views