Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
hic
Former Employee
Former Employee

Authorization is about determining which data a user is allowed to see. QlikView has several different ways by which you can reduce the data so that the user only gets to see the data he is allowed to see.

In the simplest case, the authorization table defining who-gets-to-see-what is just a two column table linking user names to e.g. regions. But sometimes you need a more complicated logic. It could be that you have users that are allowed to see all products but just within one region, and at the same time all regions but just for one product. In other words, you want to make the reduction in several fields with the possibility of OR-logic.

 

QlikView can do this and here’s how you do it:

 

  1. Create an authorization table by loading the authorization data into QlikView after concatenating the reducing fields into one single generic authorization key:

         Load USER, REGION &'|'& PRODUCT as %AuthID From AuthTable ;

    Authorization table.png

  2. Create an authorization key in the table with the most detailed transactions:

         Load *, Region &'|'& Product as AuthID From OrderDetails ;

    If you don’t have all the necessary keys in the table, you can fetch fields from other tables using Applymap. See more about Applymap here:

  3. Create an authorization bridge table linking the two above tables. Since the %AuthID field can contain generic symbols such as '<ANY>', several load statements are needed to create the bridge table:

         Load
    Region &'|'& Product as AuthID, Region &'|'& Product as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, Region &'|'&'<ANY>' as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, '<ANY>'&'|'& Product as %AuthID  From OrderDetails ;
         Load Region &'|'& Product as AuthID, '<ANY>'&'|'&'<ANY>' as %AuthID  From OrderDetails ;

    Authorization bridge.png

  4. Reduce the file on the USER field using either Section Access or QlikView Publisher.

 

Using the above method you can create quite complex security models. For instance, you can use generic symbols also for product groups. Read more about generic keys in this Technical Brief.

 

Good luck!

 

HIC

 

Further reading related to this topic:

A Primer on Section Access

Data Reduction Using Multiple Fields

Authorization using a Hierarchy

39 Comments
Anonymous
Not applicable

Hi,

  your give explination on secton access,i have one doubt in section access,

supose in product table i ahve 50 categories,i want to give 50 products to one user at condition how i want to prepare authentication table key and transaction table key.

Regards

0 Likes
27,473 Views
cesaraccardi
Specialist
Specialist

Hi Henric,

Very nice explanation, thank you for sharing! I currently have a similar requirement in the project I am working and another thing my client asked is to have some excluding access too, is this something that could be implemented with the use of the generic keys (maybe groups like <NOT A> or something like that) or would you suggest another approach?

Regards,

Cesar

0 Likes
27,473 Views
Marcio_Campestrini
Specialist
Specialist

Hi Henric

Thanks for the explanation. We're just starting deployment of applications and this is what I was missing to deploy it.

0 Likes
27,473 Views
Not applicable

Ive encountered a strange issue when trying to deploy this approach. USERID, or open a reloaded document in my desktop qlikview with section access restrictions on my NTNAME, straight from the server and the restrictions have applied but if I try and view the document through accesspoint it says I dont have access to the document with strict exclusion set. If I disable strict exclusion I can open it on accesspoint but see all records. Ive tried both upprcase NTNAME, ACCESS rights as USER and ADMIN but it just will not open. Anyone encountered this?  (11.20.12451.0) Windows 2008 Server 64 bit. Active Directory?

0 Likes
27,473 Views
arniewolff
Contributor III
Contributor III

John,

Yes. I've experienced (am experiencing) the same issue. The ADMIN setting grants you access to the entire file in desktop mode, but the strict exclusion setting in AccessPoint is not allowing you access because you aren't assigned rights to the file.

Since AccessPoint treats each user as a USER and you have Strict Exclusion set, you need to make sure you are assigning yourself rights explicitly. It should work if you: add at least one record for yourself (or your group) in the Section Access authorization table that has at least one assignment for each column - blanks don't seem to work to grant all access, * allows only other assigned values in the table; then (if you're using an additional Section Application table) make sure that you have at least one record in there for yourself with at least one assignment for each column (and remove any rows with blanks).

That works for me. The painful part seems to be granting admin-type access. I think I need to add rows for every value (business unit in my case) to the authorization table so I can use * as needed.

Let me know how it goes. Good luck!

Arnie

0 Likes
27,473 Views
joeybird
Creator III
Creator III

Hiya

have you written another blog with details of omit, "region" ..."product" ...and say e.g a third column "category" please?

0 Likes
27,473 Views
hic
Former Employee
Former Employee

I haven't written about "OMIT", but I have written other ones about using multiple reducing fields. See e.g. Data Reduction Using Multiple Fields

HIC

21,900 Views
gauthamchilled
Creator
Creator

Hi hic

I followed your suggestion for implementing complext authorization. I have a issue discussed here extended section access help Do you have a better soluton to address this issue?

thanks

Gautham

0 Likes
21,900 Views
Not applicable

Hi,

I am trying to use <ANY> for in ADMIN user in my section ACCESS TABLE. When I run my Section Access table any user with <ANY> as a key is denied access. Is there any way around this?

0 Likes
21,900 Views
hic
Former Employee
Former Employee

That should work. So I don't know why it doesn't work. Post a separate thread with a sample document.

0 Likes
21,900 Views