Qlik Community

Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.

Employee

Tips and tricks for section access in Qlik Sense (2.0+)

Almost every person I meet to talk about Qlik products and security brings up the concept of section access for discussion. I think section access is one of those things that you either love or hate, but as a company using Qlik products you can’t live without it. The great benefit of section access, in my view, is that it’s driven by the data model, which makes it really powerful.

It would be great to get your comments on what you think are the strengths of section access.

As section access is a critical part of how we protect data, we carried over its capabilities from QlikView to Qlik Sense and adapted it to the Qlik Sense architecture.

So what has changed?

In Qlik Sense, section access differs in that the names of the available columns have changed:

| Column | Description |
|---|---|
| ACCESS | Can be USER or ADMIN. The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data. |
| USERID | The name of the user in the format [User Directory]\[User ID] |
| GROUP | Value of the attribute group on a user |
| [REDUCTION] | The field on which the reduction is performed |
| OMIT | Fields that should not be available to the GROUP or USERID |

In Qlik Sense, a script for section access could look like the following:

section access;
load * inline [
ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\flp, 1, Region
USER, QVNCYCLES\kag, 2,
];


The example above gives the user QVNCYCLES\flp access to rows with a 1 in the field called REDUCTION, without access to data in the Region field, while QVNCYCLES\kag sees the rows with a 2 in the REDUCTION field.

In Qlik Sense section access is applied using strict exclusion, which means that if you are not explicitly granted access you will not be allowed to see any data.

My favourite improvement in section access for Qlik Sense is that it will be harder to lock yourself out of an app. In Qlik Sense you have the option to open an app without data. This means that if you have permissions to change the script you can open the app without data even if you don’t have access to any. This will allow you to change the section access part of the script instead of being locked out.

We have also introduced the capability to use attributes sent at the time of user authentication with section access. This means that the data you get access to can now be based on the group attribute, which can be inserted using SAML or tickets.

I hope that you found these tips on Section Access for Qlik Sense helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to the post.

60 Comments
MVP

As far as I can see from your example the differences from QlikView are the omission of the old USERID and PASSWORD fields, and NTNAME has been renamed to now be USERID?  This ID, I presume can be either NTName or whichever other way you are authenticating your Sense users?  You also don't reference the two SID fields - are these no longer used?

The move to always use Strict Exclusion is a good one - this was often overlooked as a potential security loophole in QlikView when someone forgot to tick the box.

Is this ability to get into a QVW with no data even when Section Access is applied going to find its way across into QlikView 12, with the QIX engine being employed?  I have had a lot of questions regarding users locking themselves out of documents, hence this blog post I wrote:

http://www.quickintelligence.co.uk/help-ive-locked-myself-out/

Steve

1,045 Views
garystrader
Contributor III

I agree that forcing "strict exclusion" is a good feature.  I'm not sure how many people forgot vs. just didn't understand how it worked in QlikView.  I saw many customers struggle with getting section access working properly, so they'd uncheck the box, and all of a sudden they could get in, and so they thought they fixed it.  In reality they were disabling security.


Does ADMIN access give you the ability to see all data in the data model, or is it just "possible" data as linked through the section access tables?  I'm thinking about that confusing distinction in QlikView between explicit values, * and space/blank/empty access (possibly deprecated).

1,045 Views
MVP

I hadn't fully appreciated the text ' The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data' in the article above.

Surely this would mean that if a script was ported across from QlikView then users who had access to the menus in QlikView desktop would automatically get access to all data.  Even if Sense script was written by someone familiar with QlikView, they could easily make that wrong assumption.  Hmm.

Steve

1,045 Views
Employee

Qlik Sense no longer uses Windows accounts internally in the product. This is the main reason for changing to USERID, and if we are not using Windows accounts, SIDs make no sense.

In Qlik Sense all accounts work the same way, regardless of whether they are accounts coming through tickets, SAML or header.

Fredrik

1,045 Views
Employee

ADMIN means all data, i.e. not the same as the *.

1,045 Views
tanvi_madan1
New Contributor III

Hi Fredrik,

Can you help me out in making groups in Qlik Sense and using the same in section access?

Suppose I have 100 users and want to assign them to 5 groups, and to each group I need to provide section access. How do I need to approach this in Qlik Sense?

Thanks,

Tanvi

1,045 Views
Not applicable

Hi,

Can anyone help me in solving the above mentioned problem in Qlik Sense? How did you resolve the problem, Tanvi? Can you please share the solution with me?

0 Likes
1,045 Views
Employee

The most common solution for this is to use your user directory (AD, LDAP) to create the groups you need in Qlik Sense. Then you connect to your user directory to make the group information available in Qlik Sense.

After this you should be able to use your group names in the section access table to grant permissions to the data in your app.

Regards

Fredrik

1,045 Views
Not applicable

Thanks Fredrik for the reply !!!

0 Likes
1,045 Views
ali_hijazi
Honored Contributor

REDUCTION is a field in the schema? or a section access table field?

Please advise

0 Likes
1,045 Views
Employee

REDUCTION is a field in a table that you want to perform the reduction on.

0 Likes
1,045 Views
Not applicable

Hi Fredrik,

This is exactly how I am managing my section access.

But I am facing one issue. Let's say I have 100 users who are part of a Qlik group.

Out of 100, I want to restrict 1 user for a few columns.

So in my section access table, do I need to create 100 lines mentioning all 100 members,

or can I just create 1 line for the user for whom I want to restrict the data?

0 Likes
1,045 Views
Not applicable

Do I need to enable session access somewhere in the document other than the script?

How can I get my "QlikSense user id"?  I am using my Windows user id "domain name\userid" as USERID. Although I gave the reduction column and, just for testing, made them all upper case (as suggested in other blogs), the data is not reducing.

What am I missing?

Thanks!

0 Likes
1,045 Views
Employee

You would have to check but I think you can add a line with the user name of the user and the restriction and those will apply to the user. But just test it out and you will find out.

0 Likes
1,045 Views
Employee

Hard to say what you are missing.

But there is no setting that you need to turn on and the user ID is shown at the top of the hub when you log in.

Could you share how your section access table would look?

0 Likes
1,045 Views
ssamuels
New Contributor III

I'm having trouble implementing Section Access in Sense. I've tried adding DOMAIN\USERNAME values in the USERID column. This is working fine, but adding DOMAIN\GROUPNAME values to the GROUP column does not seem to work. I want to add individual users as well as AD groups to my section access table. Can someone provide a script sample?

0 Likes
1,045 Views
ssamuels
New Contributor III

I figured it out now.

Adding DOMAIN\GROUPNAME values to the GROUP column in the section access table won't work because Qlik Sense expects groupnames stored in Qlik Sense. The groupnames coming from Active Directory are stored in Qlik Sense without the domain prefix. This is the resulting script sample that allows both users and usergroups to open my app.

Section Access;
LOAD * INLINE [
ACCESS, USERID, GROUP, REDUCTION_FIELD
USER, DOMAIN\USER1, *, A
USER, DOMAIN\USER2, *, B
ADMIN, *, ADMINISTRATORS, *
];
Section Application;

1,045 Views
slondono
Contributor II

And how do you add a group in QlikSense?

0 Likes
1,045 Views
ssamuels
New Contributor III

You don't add groups in Qlik Sense, they are created as user attributes when users are imported from a user directory (for instance Active Directory).

0 Likes
1,045 Views
Not applicable

Hi all,

First of all thank you flp for this post.

Let me share my experience with Qlik Sense Server, applying Data Security in my Company.

The example of flp :

section access;
load * inline [
ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\flp, 1, Region
USER, QVNCYCLES\kag, 2,
];

-----------------In reality to be applied in Sense Server :--------------------

// REGION: always uppercase
// ADMINS should be included, so as not to be locked out of the application
SECTION ACCESS;
LOAD * INLINE [
    ACCESS, USERID, REDUCTION, OMIT
    USER, QVNCYCLES\flp, 1, REGION
    USER, QVNCYCLES\kag, 2,
    ADMIN, BISERVER-P\QLIK, ,
];
SECTION APPLICATION;

Table_including_Region_field:
Load [Region],
  Upper([Region]) AS REGION  // converting to uppercase
Resident [Table already loaded where field Region exists];

Table_including_Reduction_field:
Load [Reduction],
  Upper([Reduction]) AS REDUCTION  // converting to uppercase
Resident [Table already loaded where field Reduction exists];

From Qlik sense Documentation:

"As the same internal logic that is the hallmark of Qlik Sense is also used in the access section, the security fields can be put in different tables. All the fields listed in LOAD or SELECT statements in the section access must be written in UPPER CASE. Convert any field name containing lower case letters in the database to upper case using the Upper function before reading the field by the LOAD or SELECT statement"

                                                                                   

1,045 Views
Employee

Note: to ensure that the Sense Scheduler can reload, you need to add in the internal user as an admin to the section access, i.e.:

LOAD * INLINE [
    ACCESS, USERID, GROUP
    ADMIN, INTERNAL\sa_scheduler, *
];

1,045 Views
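The pitfalls raised in the comments so far (upper-case field names and OMIT values, group names stored without the domain prefix, the scheduler account needing an ADMIN row) can be checked before an app is published. The following is an added example, not code from the post or from Qlik; the script text, the `inline_rows` and `lint` helpers and the DOMAIN\SALES group are constructed for illustration.

```python
import re

# Constructed script containing the pitfalls raised in the comments above.
SCRIPT = r"""
Section Access;
LOAD * INLINE [
ACCESS, USERID, GROUP, Reduction, OMIT
USER, DOMAIN\USER1, *, A, Region
USER, *, DOMAIN\SALES, B,
];
Section Application;
"""


def inline_rows(script):
    """Return (header, rows) for the first INLINE [...] table in the script."""
    body = re.search(r"INLINE\s*\[(.*?)\]", script, re.S | re.I).group(1)
    cells = [[c.strip() for c in ln.split(",")] for ln in body.splitlines() if ln.strip()]
    header = cells[0]
    return header, [dict(zip([h.upper() for h in header], row)) for row in cells[1:]]


def lint(script):
    """List the lock-out and no-match pitfalls found in a section access table."""
    header, rows = inline_rows(script)
    findings = [f"field name {h!r} is not upper case" for h in header if h != h.upper()]
    for r in rows:
        omit, group = r.get("OMIT", ""), r.get("GROUP", "")
        if omit != omit.upper():
            findings.append(f"OMIT value {omit!r} is not upper case")
        if "\\" in group:  # assumption from the thread: groups are stored without domain
            findings.append(f"GROUP {group!r} carries a domain prefix")
    scheduler = any(r.get("ACCESS", "").upper() == "ADMIN"
                    and r.get("USERID", "").upper() == r"INTERNAL\SA_SCHEDULER"
                    for r in rows)
    if not scheduler:
        findings.append(r"no ADMIN row for INTERNAL\sa_scheduler (reloads may fail)")
    return findings


if __name__ == "__main__":
    for finding in lint(SCRIPT):
        print("-", finding)
```
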
Not applicable

In the above example BISERVER-P\QLIK is a user that has been loaded from Active Directory and has the role of Administrator. Also we place commas in order for the administrator to have full access to the application, otherwise he is going to be locked out. A good practice is to work in Qlik Sense Desktop and then upload to a stream on the Server and add the above script. So in case the admin is locked out, we can upload the app again and change the section access script based on new requirements of our company's data policy.

0 Likes
1,045 Views
mbj
Contributor

Hi All,

Key thing is that you keep the users and groups in 1 table in section access.

Section Access;
//THIS WORKS
LOAD * INLINE [
    ACCESS ,USERID , GROUP ,COUNTRY_AUTH
    USER   ,* ,GERMANY ,GERMANY
    USER   ,* ,ITALY ,ITALY
    ADMIN ,INTERNAL\SA_SCHEDULER , * , *
    ADMIN ,QLIKDEMOSAAS\QSERVICE , * , *
    ADMIN ,QLIKDEMOSAAS\QLIK   , * , *
];

0 Likes
1,045 Views
andrespa
Valued Contributor

Great post in general, but I'm still missing more detailed documentation on how Section Access really works behind the scenes. At least for me, implementing it is always a matter of trial and error, and I have the general feeling that I don't fully understand how it works.

0 Likes
1,045 Views
Employee

Good idea for a subject, let's see if we get around to writing this at some point.

1,045 Views
maxim1500
Contributor

I agree with andrespa. Is it possible that QlikView and QlikSense behave differently behind the scenes? I read all over the forum that Section Access "hides" the data instead of reducing it in QlikView, and that performance gets much worse when you enable section access.

I made a proof of concept in QlikSense, and it seems to be reducing the data. I have a huge dataset with 300M+ rows, and using section access, it becomes really performing when I select only the data related to a single user.

Could someone confirm that QS actually reduces the data?

0 Likes
1,045 Views
MVP

Section Access in QlikView and Qlik Sense behaves in exactly the same way.  Both apps hide the data from those that do not have access to it.

This is done using the associative data model, which is what makes Qlik products as good as they are.

Just as when you make a selection in a Qlik product to give a smaller set of data it will perform better, applying section access will make an app run quicker for users - as the engine only considers the data which each user has access to.

A reduce in QlikView (via Publisher) will make more efficient apps than the same app using section access - but it is also much less flexible.  Separate apps are required for each data slice that is produced.  This quickly becomes a bit of a management headache, at best.

Enabling section access will not slow down an application, on either platform, and if a user is seeing a subset of data it will speed up access for that user considerably.

Hope that makes sense?

Steve

1,045 Views
maxim1500
Contributor

Thank you! It answers perfectly.

1,045 Views
sohailansari201
Contributor

This article has helped me understand Section Access in QS more clearly. But I am running into a weird problem with its implementation in QS.

Here is my script:

SECTION ACCESS;
LOAD * INLINE [
ACCESS, USERID, EMPLOYER_NAME, OMIT
USER, LOCALUSERS\SENSE_SYSTEM,*,
USER, LOCALUSERS\QVDEV, ABC,
USER, LOCALUSERS\QVDEV, XYZ,
USER, LOCALUSERS\QVADMIN,*,
USER, LOCALUSERS\QLIKUSER, XYZ,
USER,INTERNAL\SA_SCHEDULER,*,
];
SECTION APPLICATION;

The users QLIKUSER and QVDEV are successfully seeing the reduced data based on ABC and XYZ only, but the users SENSE_SYSTEM and QVADMIN are not seeing all the data. Instead they also see the data reduced to ABC and XYZ. I have tried both USER and ADMIN in the ACCESS field for them but it just doesn't work. Can someone notice anything out of the ordinary here?

Thank you.

0 Likes
1,045 Views
sspe_dgs_com
Contributor II

Hi,

This is actually normal behaviour. The "*" will only give you all data defined in the Section Access list. In your case, you have only defined the EMPLOYER_NAME ABC and XYZ, so a "*" in this case will only give you those employees. If you need to be able to see every employee that exists, you'll have to do a distinct load of EMPLOYEE_NAME from your data and then add these to the list.

There might be other work arounds, but this is the one I have used in the past.

Regards

Steen

1,045 Views
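The `*` behaviour Steen describes, combined with the strict exclusion rule from the post, as an added Python model (not Qlik's engine and not code from the thread). The table reuses accounts from the script above; the DEF employer, the NOBODY account used in testing and the helper names are constructed for illustration, and only USER rows are modelled.

```python
# Constructed table using accounts from the script above (USER rows only).
SECTION_ACCESS = r"""
ACCESS, USERID, EMPLOYER_NAME
USER, LOCALUSERS\QVADMIN, *
USER, LOCALUSERS\QVDEV, ABC
USER, LOCALUSERS\QVDEV, XYZ
USER, LOCALUSERS\QLIKUSER, XYZ
"""
# Constructed application data: DEF exists in the app but is not listed above.
APP_EMPLOYERS = ["ABC", "XYZ", "DEF"]


def parse(table):
    """Parse an inline table; this model upper-cases field names and values."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    header = [h.strip().upper() for h in lines[0].split(",")]
    return [dict(zip(header, [v.strip().upper() for v in ln.split(",")]))
            for ln in lines[1:]]


def visible(user, rows, field, app_values):
    """Values of `field` that `user` can see under strict exclusion."""
    mine = [r for r in rows if r["USERID"] == user.upper()]
    # "*" expands to the values listed in the section access table, not the data.
    listed = {r[field] for r in rows if r[field] != "*"}
    allowed = set()
    for r in mine:  # no matching row leaves the set empty: no data at all
        allowed |= listed if r[field] == "*" else {r[field]}
    return allowed & set(app_values)


def grant_all(user, rows, field, app_values):
    """Workaround from the thread: add one row per distinct value in the data."""
    extra = [{"ACCESS": "USER", "USERID": user.upper(), field: v.upper()}
             for v in sorted(set(app_values))]
    return rows + extra


if __name__ == "__main__":
    rows = parse(SECTION_ACCESS)
    admin = r"LOCALUSERS\QVADMIN"
    print("before:", sorted(visible(admin, rows, "EMPLOYER_NAME", APP_EMPLOYERS)))
    fixed = grant_all(admin, rows, "EMPLOYER_NAME", APP_EMPLOYERS)
    print("after: ", sorted(visible(admin, fixed, "EMPLOYER_NAME", APP_EMPLOYERS)))
```
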