Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
hic
Former Employee
Former Employee
‎2014-06-03 02:05 AM

Data Reduction Using Multiple Fields

Last week I wrote about authorization using Section Access and data reduction. In the example, a user was associated with a country and this entry point in the data model determined whether a record was visible or not: Only records associated with the country were visible. COUNTRY was the reducing field.

 

But if you want several reducing fields? You may have a user that should see one product group in one country, and another product group in another country. Then both COUNTRY and PRODUCTGROUP should be reducing fields. Is that possible?

 

Yes and No.

 

Yes, it is possible. But No, you cannot just add a second reducing field. In simple cases, just adding a second reducing field will work fine, but as soon as the logic is slightly more complex, it will not work. Below I’ll explain why.

 

Let’s use the following example: A user MARKUS should see the product group Machines in Germany and Food in France – but not the other way around. Then the obvious approach would be to create an authorization table like the following:

 

FoodNMachines2.png

 

I.e. two reducing fields – COUNTRY and PRODUCTGROUP – defining the following logic:

 

     (‘GERMANY‘ AND ‘MACHINES’) OR (‘FRANCE’ AND ‘FOOD’)

 

However, this will not work in QlikView.

 

If you do the above, you will get a data model like the following (where the red table is the Section Access table).

 

Incorrect data model.png

 

This means that the selections in the real data model will be made in COUNTRY and in PRODUCTGROUP. But remember that QlikView always uses OR-logic between values of the same field and AND-logic between fields. This means that QlikView will interpret the selection in these two fields as

 

     (‘GERMANY‘ OR ‘FRANCE’) AND (‘MACHINES’ OR ‘FOOD’)

 

which is not the same as the initial requirement. The selection made will include Machines in France and Food in Germany, which is against the initial requirement. In fact, it is impossible to make a selection that corresponds to the initial requirement using only these two fields.

 

So what should you do?

 

The solution is to create a new, single reducing field based on COUNTRY and PRODUCTGROUP, e.g. through

 

     COUNTRY & ‘|’ & PRODUCTGROUP as AUTHORIZATIONKEY

 

The first challenge is to find the table where this key should be created. It must be in a table with a grain fine enough that both country and product group are uniquely defined on each record. In the above data model this is the Order Details table: Each order line has only one product and one customer – thus one product group and one country – associated with it. So, the authorization key should be created here.

 

Correct data model.png

 

There are other challenges also, e.g. how to get the country and product group information into the load of the Order Details table (Solution: ApplyMap) and how to handle the concept of Any Value (Solution: Generic Keys), but these can all be solved. For details, see the blog post about Complex Authorization.

 

Bottom line: You can use multiple reducing fields in Section Access, but only if each user has only one record in the authorization table. If a user has several records, you need to create one single authorization key.

 

Also, the above example clearly shows that authorization is part of the data modelling and should be thought of at an early stage in the development process.

 

HIC

 

Further reading related to this topic:

A Primer on Section Access

Basics for complex authorization

Authorization using a Hierarchy

52,927 Views
20 Comments
Marcio_Campestrini
Specialist
Specialist
‎2014-06-03 06:49 AM

Henric, thanks for sharing this.

0 Likes
20,983 Views
Anonymous
Not applicable
‎2014-06-03 12:49 PM

Useful info.

I would add that the whole conversation about concatenated keys,  where they should go,  etc. is really important to understand for all qv developers outside of the topic of section access.

0 Likes
20,983 Views
kalyandg
Partner - Creator III
Partner - Creator III
‎2014-06-04 12:30 AM

hi HIC,

very useful info, and good conceptual too

0 Likes
20,983 Views
Anonymous
Not applicable
‎2014-06-04 01:30 AM

Thanks HIC.

Very useful article.

0 Likes
20,983 Views
jaygarcia
Contributor III
Contributor III
‎2014-06-09 04:36 AM

Thanks for this! This will be of a great help for many of us!

J

0 Likes
20,983 Views
nenadvukovic
Creator III
Creator III
‎2014-06-10 09:38 AM

Hi Henric,

I've been using the "wrong" approach to segregate between our sites and salesmen. Fortunately I have had such a case only with a salesmen manager which was harmless. Thank you very much for this yet another brilliant insight of yours. I've immediately enabled the working security using the complex key.

Cheers and all the best,

Nenad

0 Likes
20,983 Views
ksmith24
Contributor III
Contributor III
‎2014-10-10 04:27 PM

Great writeup, this works well in the QlikView local client.  However we are seeing some issues when reloading and publishing on the server - can't open the document in Access Point (access denied).  Henric are you aware of anything that might cause difficulty on the server?  It reloads fine.  We just can't open the published document.

0 Likes
16,737 Views
hic
Former Employee
Former Employee
‎2014-10-10 05:23 PM

The most obvious difference between the Desktop and the Server is the difference between ADMIN and USER. On a server, no one gets ADMIN rights... And on the Desktop, QlikView will let you open the file if you're an ADMIN, also if the data reduction doesn't allow it.

So, change your Section Access so that everyone (except one single general ADMIN that you use only as a safety backdoor, and the publisher account) has USER rights and make sure Strict Exclusion is on. Then the Desktop and the Server should behave the same (except for the general ADMIN).

HIC

0 Likes
16,737 Views
ksmith24
Contributor III
Contributor III
‎2014-10-16 01:59 PM

Thank you, it seems that upon reloading and saving, data reduction occurs for the Publisher service account - and the only username left in the AuthorizationTable, for the published version, is the username for the service account - locking out all other users.  This feed was helpful:  Issue in Using NTNAME in Section Access and reloading the application using Publisher.
A few people suggested keeping the service account user in Section Access, but removing it from the AuthorizationTable / Section Application.  That seems to work for me.

0 Likes
16,737 Views
reanfadyl
Partner - Creator
Partner - Creator
‎2015-11-29 08:50 PM

Hi Henric,

Thank you for your post it is very helpful.  I am dealing with a situation where we want the users to have access to different 'grains' of the same data set.

For example a User can access the detailed transaction $ for Machines sold in Germany, but only see the Total $ value by Country for machines sold in France and Finland.


Do you have any suggestions for how you would handle this? 


Regards


Rean


PS. The data model I am working with is using a single concatenated Fact table.

0 Likes
16,737 Views
Subscribe by Topic