Qlik Community

Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.

Authorization is about determining which data a user is allowed to see. QlikView has several different ways by which you can reduce the data so that the user only gets to see the data he is allowed to see.

In the simplest case, the authorization table defining who-gets-to-see-what is just a two column table linking user names to e.g. regions. But sometimes you need a more complicated logic. It could be that you have users that are allowed to see all products but just within one region, and at the same time all regions but just for one product. In other words, you want to make the reduction in several fields with the possibility of OR-logic.

 

QlikView can do this and here’s how you do it:

 

  1. Create an authorization table by loading the authorization data into QlikView after concatenating the reducing fields into one single generic authorization key:

         Load USER, REGION &'|'& PRODUCT as %AuthID From AuthTable ;

    Authorization table.png

  2. Create an authorization key in the table with the most detailed transactions:

         Load *, Region &'|'& Product as AuthID From OrderDetails ;

    If you don’t have all the necessary keys in the table, you can fetch fields from other tables using Applymap. See more about Applymap here:

  3. Create an authorization bridge table linking the two above tables. Since the %AuthID field can contain generic symbols such as '<ANY>', several load statements are needed to create the bridge table:

         Load
    Region &'|'& Product as AuthID, Region &'|'& Product as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, Region &'|'&'<ANY>' as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, '<ANY>'&'|'& Product as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, '<ANY>'&'|'&'<ANY>' as %AuthID  From OrderDetails ;

    Authorization bridge.png

  4. Reduce the file on the USER field using either Section Access or QlikView Publisher.

 

Using the above method you can create quite complex security models. For instance, you can use generic symbols also for product groups. Read more about generic keys in this Technical Brief.

 

Good luck!

 

HIC

 

Further reading related to this topic:

A Primer on Section Access

Data Reduction Using Multiple Fields

Authorization using a Hierarchy

29 Comments
Creator III
Creator III

Hi,

  your give explination on secton access,i have one doubt in section access,

supose in product table i ahve 50 categories,i want to give 50 products to one user at condition how i want to prepare authentication table key and transaction table key.

Regards

0 Likes
13,394 Views
Specialist
Specialist

Hi Henric,

Very nice explanation, thank you for sharing! I currently have a similar requirement in the project I am working and another thing my client asked is to have some excluding access too, is this something that could be implemented with the use of the generic keys (maybe groups like <NOT A> or something like that) or would you suggest another approach?

Regards,

Cesar

0 Likes
13,394 Views
Specialist
Specialist

Hi Henric

Thanks for the explanation. We're just starting deployment of applications and this is what I was missing to deploy it.

0 Likes
13,394 Views
Not applicable

Ive encountered a strange issue when trying to deploy this approach. USERID, or open a reloaded document in my desktop qlikview with section access restrictions on my NTNAME, straight from the server and the restrictions have applied but if I try and view the document through accesspoint it says I dont have access to the document with strict exclusion set. If I disable strict exclusion I can open it on accesspoint but see all records. Ive tried both upprcase NTNAME, ACCESS rights as USER and ADMIN but it just will not open. Anyone encountered this?  (11.20.12451.0) Windows 2008 Server 64 bit. Active Directory?

0 Likes
13,394 Views
Contributor III
Contributor III

John,

Yes. I've experienced (am experiencing) the same issue. The ADMIN setting grants you access to the entire file in desktop mode, but the strict exclusion setting in AccessPoint is not allowing you access because you aren't assigned rights to the file.

Since AccessPoint treats each user as a USER and you have Strict Exclusion set, you need to make sure you are assigning yourself rights explicitly. It should work if you: add at least one record for yourself (or your group) in the Section Access authorization table that has at least one assignment for each column - blanks don't seem to work to grant all access, * allows only other assigned values in the table; then (if you're using an additional Section Application table) make sure that you have at least one record in there for yourself with at least one assignment for each column (and remove any rows with blanks).

That works for me. The painful part seems to be granting admin-type access. I think I need to add rows for every value (business unit in my case) to the authorization table so I can use * as needed.

Let me know how it goes. Good luck!

Arnie

0 Likes
13,394 Views
Creator III
Creator III

Hiya

have you written another blog with details of omit, "region" ..."product" ...and say e.g a third column "category" please?

0 Likes
13,394 Views