Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
Fredrik_Lautrup
Employee
Employee
‎2014-01-07 04:46 AM

Authentication and Authorization

Authentication and Authorization are two important concepts in securing any application.  Let’s start with some simple definitions.  Authentication makes sure that the person accessing the system is the person he says he is.  Authorization only lets you access information and complete actions that you are allowed to, based on your identity.

In QlikView, these are two distinct activities performed independent of each other.  This often creates some confusion and configuration errors, so let me explain how it works.  When a user gets access to QlikView it is always done in these four steps:

Flow.png

One of the most common misunderstandings around this is what services are part of what step in the process.

The first two steps covering authentication are handled by the web layer (i.e. QVWS or IIS).  The third step is achieved by the web layer transferring the identity to the QlikView Server using the QVP protocol.  The fourth step is authorization and is handled by the QlikView Server using groups resolved by the Directory Service Connector.

There are some big benefits to this approach:

  1. QlikView does not have to store passwords; these are stored by an identity provider such as LDAP or AD.
  2. Normal procedures for user management can be applied, which enables that adherence to security policies are maintained.
  3. It is possible to customize authentication without affecting authorization, which gives us the option to use external identify providers such as Google and Salesforce.
  4. All Authorization is done in the backend, making it easier to protect.

The role of the Directory Service Connector in the flow is somewhat blurred by the fact that almost all QlikView components use it. The web layer, QlikView Server, QlikView Management Service, and the QlikView Publisher all use the Directory Service Connector for different things.

Most QlikView components use the Directory Service Connector for authorization or to get information about users except if custom users are used.  If you use custom users, these  get authenticated towards the Directory Service Connector, which in this special case stores identity and passwords for the users.

Achitecture.png

Remember, as a rule of thumb: the front end components handle authentication and the backend components handle authorization.  I hope this help gives you a clearer picture of how QlikView handles authentication and authorization and which components are used in which part of the flow.

Have further questions you’d like me to answer?  Leave me a comment!

35,721 Views
38 Comments
rajeshvaswani77
Specialist III
Specialist III
‎2014-01-07 11:05 AM

Hi Fredrik, thanks for the blog. Has been helpful.

5,450 Views
rwunderlich
Partner Ambassador/MVP
Partner Ambassador/MVP
‎2014-01-07 11:41 AM

Hi Fredrik,

Consider a QV11 WebTicket user. If the user clicks the Ajax "Close" button on a document, can they reconnect using the same ticket/cookie? Or do they have to obtain a new ticket for the restore.

-Rob

5,450 Views
Fredrik_Lautrup
Employee
Employee
‎2014-01-08 03:46 AM

The ticket is only valid for a short period of time and can only be used once. So the same ticket can not be used to re-authenticate.

The session could be used if it is still valid. If you just click close the session is still valid and you will not have to re-authenticate using a ticket.

If you close the browser or the session time out then you would need to re-authenticate using a new ticket.

I hope this answers your question?

5,450 Views
MK_QSL
MVP
MVP
‎2014-01-08 08:30 AM

Hi Fredrik, Thanks for sharing this useful information.

0 Likes
5,450 Views
Not applicable
‎2014-01-13 12:38 AM

Hi Fedrik,

Thanks for Info, We have purchased the QW SBE server license, but we don't have AD in our organization.

I have requested our partner to implement QW SBE Server with LDAP. Partner did some R & D but failed to integrate the QW SBE with LDAP for User Authentication and authorization. Request you to kindly provide some solution on implementing with QW SBE with LDAP. I hope you will surely have solution on the implementing QW with LDAP.

Regards,

Akiv Kandlekar.

0 Likes
5,450 Views
Anonymous
Not applicable
‎2014-01-13 02:55 AM

SBE does not support "DMS"-Mode (you can see this in your LEF file).

As SBE only works with file based NTFS Authentication you can only use:

- Active Directory

- local Windows users&groups

For NON-Windows Authentication (== LDAP) you need an QlikView Enterprise Server.

0 Likes
5,450 Views
Not applicable
‎2014-01-13 04:05 AM

Dear RVA,

Thanks for your quick response.

Do you mean to say that i can install and implement QW SBE with the help of local users & Groups on the same local server as well, since we don't have  AD. Is it possible?

0 Likes
4,393 Views
Anonymous
Not applicable
‎2014-01-13 05:00 AM

HI!

Yes, local user should work.

-Create a local administrator that run the QlikView Services.

-Create a local user for each of your QlikView users.

Drawback:

You don't get a single sign on for your endusers (they always have to type their local user+ password to enter QlikView Accesspoint).

4,393 Views
Not applicable
‎2014-01-14 03:21 AM

Thanks for this very clear explanation. It is a topic that seems obvious when you understand it but often causes confusion so I will keep a note of your page to refer others to it.

4,393 Views
Not applicable
‎2014-01-14 05:14 AM

Thanks RVA.

I was initially thinking about the same, but here people are creating unnecessary confusion that Without AD, QW SBE Server cannot authenticate or authorize.

Now, i will try the option suggested by you i.e. local users and revert. I hope it works for sure ...!!

Regards,

Akiv Kandlekar

0 Likes
4,393 Views
Subscribe by Topic