hic
Former Employee

Section Access is a QlikView feature that is used to control the security of an application. It is basically a part of the load script where you can define an authorization table, i.e. a table where you define who gets to see what. QlikView uses this information to reduce data to the appropriate scope when the user opens the application.

This function is sometimes referred to as Dynamic Data Reduction, as opposed to the loop-and-reduce of the Publisher, which is referred to as Static Data Reduction.

 

Data Model.png

 

For example, above you have the authorization table in Section Access to the left, linking to the field COUNTRY. (In a real application, the authorization table is not visible in the data model.) This means that when a user opens the application, QlikView uses the user name (NTNAME) to establish which countries this user is allowed to see, and then makes the corresponding selection in the Customers table.

The selection propagates to all the other tables in the standard QlikView manner, so that the appropriate records in all tables are excluded, whereupon QlikView reduces the scope for this user to only the possible records. This way, the user will only see data pertaining to the countries to which he is associated.

 

Selection.png

 

A good way to debug your Section Access is to temporarily remove the Section Access statement and run the script. The authorization table will then be visible in the data model and you can make selections in NTNAME.

Within Section Access you should define at least three fields: ACCESS, NTNAME and a third reducing field that links the authorization table with the real data. You may have additional fields also, like user roles or departments.

 

Some points around Section Access:

  • All fields in Section Access must be upper case. Hence, the reducing field must be in upper case also in the data. Use the Upper() function and name the fields in upper case.
  • Don’t use the fields USERID and PASSWORD, unless it is for testing or debugging. Proper authentication is achieved through NTNAME.
  • NTNAME is the field used to match an authenticated user, even if you set up ticketing using authentication mechanisms other than Windows integrated security.
  • NTNAME may contain names of groups as well as individual users.
  • Make sure "Initial Data Reduction..." and "Strict Exclusion" are checked (Document properties - Opening). If the value of the reducing field in Section Access doesn't exist in the real data, there will be no data reduction unless Strict Exclusion is used.
  • If your users work off-line, i.e. download the physical qvw file, the security offered by Section Access has limited value: It does keep honest people honest, but it will not prevent a malicious user from seeing data which he shouldn't have access to, since the file is not encrypted. So for off-line usage I instead recommend the static data reduction offered by the Publisher, so that no files contain data the user isn't allowed to see.
  • In most of our examples, an inline Load is used in Section Access. This is of course not a good place to keep an authorization table. Store it in a database and load it using a SELECT statement instead!
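
The points above combined into one load script, as an added example that is not from the original post. The EXAMPLE domain, the account and group names and all data rows are constructed, and the inline authorization table is used only to keep the sample self-contained.

```qlikview
// Added example: account names, the EXAMPLE domain and all rows are constructed.
Section Access;

// Inline only to keep the sample self-contained; a real authorization
// table would be loaded from a database with a SELECT statement.
// Field names and values are upper case. NTNAME holds users and groups.
LOAD * INLINE [
    ACCESS, NTNAME, COUNTRY
    ADMIN, EXAMPLE\QVADMIN, *
    USER, EXAMPLE\ALICE, SWEDEN
    USER, EXAMPLE\ALICE, NORWAY
    USER, EXAMPLE\SALES_DE, GERMANY
    USER, EXAMPLE\BOB, FRANCE
];
// "*" = every value listed in the COUNTRY column of this table.
// FRANCE has no match in the data below, so without Strict Exclusion
// there is no data reduction for EXAMPLE\BOB.

Section Application;

// The reducing field must match by name and case: upper-case the
// field name and its values in the real data.
Customers:
LOAD CustomerID,
     CustomerName,
     Upper(Country) as COUNTRY
INLINE [
    CustomerID, CustomerName, Country
    1, Acme AB, Sweden
    2, Fjord AS, Norway
    3, Rhein GmbH, Germany
];

// No COUNTRY field here: the reduction reaches Orders through CustomerID.
Orders:
LOAD * INLINE [
    OrderID, CustomerID, Amount
    1001, 1, 250
    1002, 2, 400
    1003, 3, 125
    1004, 3, 90
];
```

With this script EXAMPLE\ALICE opens the document reduced to customers 1 and 2 and orders 1001 and 1002, while members of EXAMPLE\SALES_DE see customer 3 and orders 1003 and 1004.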

 

And finally

  • Always save a backup copy when making changes to Section Access. It is easy to lock yourself out...

 

Section Access is a good, manageable and flexible way of allowing different access scopes within one document. And when used on a server, it is a secure authorization method.

 

HIC

 

Further posts related to this topic:

Data Reduction – Yes, but How?
Data Reduction Using Multiple Fields
Tips and tricks for section access in Qlik Sense (2.0+)
https://youtu.be/ObuetXgk2R8

51 Comments
hic
Former Employee

Section Access is per application, and if a user isn't authorized to see the application, it shouldn't show up in the Accesspoint.

SunilChauhan
Champion

I am using both AD groups and individual IDs, but it's not working for individual IDs.

Suppose a user is assigned level L1 through FM\Adgrp1 and the same user has been assigned to L2 by his individual ID.

Then when opened using QlikView Developer/Desktop it shows both, but at the AccessPoint it shows through only the group. Earlier both were working, but it has not been working for the last 2-3 days. I don't understand the root cause of this.

SunilChauhan
Champion

Hi Henric,

Have you ever faced a situation like my post above? Could you please reply on this?

Not applicable

How do you deal with this situation in Section Access?

Example:

A sales person can see all sales records associated with their employee ID, where every sales record contains their employee ID and a customer ID.

And they can see any consignment record associated with their customers.

The consignment record does not have an employee ID but does have a customer ID.

I have tried a few ways and so far none are producing the correct results.

stevedark
Partner Ambassador/MVP

Need to go offline now, but you may want to investigate P() ...

Not applicable

Yes, I did use that, but the problem is the data is reduced by Section Access BEFORE it gets into QlikView, so there is no consignment data for those employees after reduction, given Consignment does not have Employee ID.

Thank you

Debbie Pyykkonen

Insights Unlimited LLC

Business Intelligence Consultant

(303) 304-6425

Dpyykkonen@insightsunlimitedllc.com

www.linkedin.com/in/debbiepyykkonen

hic
Former Employee

You need to create an authorization key that contains both the employee id:s and the customer id:s. Your requirement is really to use the union between the two possible ways to reduce data. See more on

Generic keys and Basics for complex authorization

HIC

Not applicable

Hic,

Great blog, it's really helped.

Any suggestions on how to use Section Access across an enterprise-level implementation of Qlik?

I'm investigating how to use Section Access to control multiple QVWs across 51 countries (as simply as possible) without the need for hundreds of Excel files.

AD groups are being used to control access to each QVW, but there is a requirement to reduce the data. So Section Access looks to be the best way forward, providing it doesn't have a massive cost to maintain.

Thanks, Si

hic
Former Employee

If you have a reducing field that appears in multiple apps, e.g. Region, you can use the same Section Access for all these apps. Store this table in a database or in a central Excel file, and it will be easy to manage.

Further, to base it on AD groups sounds like an excellent idea.

HIC

Not applicable

Hi Henric,

Thanks for the nice blog. We have one Top Customers dashboard for LA countries (South American countries).

We have maintained Section Access with Country, NTNAME & access.

We created a separate dashboard for the APAC region and maintained the user list in the same Excel file, but after moving these changes to prod, the LA dashboard was hanging upon selection of a country while the APAC dashboard was working fine.

We were using the same Section Access Excel file for different QVWs, one for ASIA and the other for the LA region.

I am not sure why we are facing this issue. Can you please suggest on this?
