Qlik Design Blog

Fredrik_Lautrup
Employee

Almost every person I meet to talk about Qlik products and security brings up the concept of section access for discussion. I think section access is one of those things that you either love or hate, but as a company using Qlik products you can’t live without it. The great benefit of section access, in my view, is that it’s driven by the data model, which makes it really powerful.

It would be great to get your comments on what you think are the strengths of section access.

As section access is a critical part of how we protect data, we carried over its capabilities from QlikView to Qlik Sense and adapted it to the Qlik Sense architecture.

So what has changed?

In Qlik Sense the section access is different in that the names of the columns available have changed:

| Column | Description |
|---|---|
| ACCESS | Can be USER or ADMIN. The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data. |
| USERID | The name of the user in the format of `[User Directory]\[User ID]` |
| GROUP | Value of the attribute group on a user |
| [REDUCTION] | Is the field on which the reduction is performed |
| OMIT | Fields that should not be available to the GROUP or USERID |

In Qlik Sense, a script for section access could look like the following:

```
section access;
load * inline [
ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\flp, 1, Region
USER, QVNCYCLES\kag, 2,
];
```


The example above would give the user QVNCYCLES\flp access to rows with a one in the field called REDUCTION without getting access to data in the Region field, and QVNCYCLES\kag would see the data with a two in the REDUCTION field.

In Qlik Sense section access is applied using strict exclusion, which means that if you are not explicitly granted access you will not be allowed to see any data.
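The rules described above (USERID match, REDUCTION, OMIT, ADMIN and strict exclusion) can be checked against a table before it is deployed. The following Python model is an added illustration, not Qlik code and not from the original post; the ADMIN row, the user QVNCYCLES\adm, the sample data and both function names are constructed for the example.

```python
import csv
import io

# Section access table from the post, plus one constructed ADMIN row
# (the user "adm" is hypothetical).
SECTION_ACCESS = """ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\\flp, 1, Region
USER, QVNCYCLES\\kag, 2,
ADMIN, QVNCYCLES\\adm, ,
"""

# Constructed application data; REDUCTION is the field linking to the table.
DATA = [
    {"REDUCTION": "1", "Region": "North", "Sales": 100},
    {"REDUCTION": "2", "Region": "South", "Sales": 250},
    {"REDUCTION": "3", "Region": "West", "Sales": 75},
]


def parse_access(text):
    """Parse the inline table into one dict per row, values stripped."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (c.strip() for c in row))) for row in reader if row]


def visible_data(user, access_rows, data):
    """Return the rows and fields `user` may see under the post's rules."""
    grants = [r for r in access_rows if r["USERID"] == user]  # exact match (assumption)
    if not grants:
        return []  # strict exclusion: no explicit grant, no data
    if any(r["ACCESS"] == "ADMIN" for r in grants):
        return [dict(row) for row in data]  # ADMIN: full access to data
    allowed = {r["REDUCTION"] for r in grants}
    # Assumption of this model: OMIT values from all of a user's rows combine.
    omitted = {r["OMIT"] for r in grants if r["OMIT"]}
    return [
        {k: v for k, v in row.items() if k not in omitted}
        for row in data
        if row["REDUCTION"] in allowed
    ]


if __name__ == "__main__":
    rows = parse_access(SECTION_ACCESS)
    for user in ("QVNCYCLES\\flp", "QVNCYCLES\\kag", "QVNCYCLES\\adm", "QVNCYCLES\\xyz"):
        print(user, visible_data(user, rows, DATA))
```
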

My favourite improvement in section access for Qlik Sense is that it will be harder to lock yourself out of an app. In Qlik Sense you have the option to open an app without data. This means that if you have permissions to change the script you can open the app without data even if you don’t have access to any. This will allow you to change the section access part of the script instead of being locked out.

We have also introduced the capability to use attributes sent at the time of user authentication with section access. This means that we can now base what data you get access to on the group attribute, which can be inserted using SAML or tickets.

I hope that you found these tips on Section Access for Qlik Sense helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to the post.

63 Comments
stevedark
MVP

As far as I can see from your example the differences from QlikView are the omission of the old USERID and PASSWORD fields, and NTNAME has been renamed to now be USERID?  This ID, I presume can be either NTName or whichever other way you are authenticating your Sense users?  You also don't reference the two SID fields - are these no longer used?

The move to always use Strict Exclusion is a good one - this was often overlooked as a potential security loophole in QlikView when someone forgot to tick the box.

Is this ability to get into a QVW with no data even when Section Access is applied going to find its way across into QlikView 12, with the QIX engine being employed? I have had a lot of questions regarding users locking themselves out of documents, hence this blog post I wrote:

http://www.quickintelligence.co.uk/help-ive-locked-myself-out/

Steve

12,621 Views
garystrader
Partner

I agree that forcing "strict exclusion" is a good feature. I'm not sure how many people forgot vs. just didn't understand how it worked in QlikView. I saw many customers struggle with getting section access working properly, so they'd uncheck the box, and all of a sudden they could get in, and so they thought they fixed it. In reality they were disabling security.


Does ADMIN access give you the ability to see all data in the data model, or is it just "possible" data as linked through the section access tables?  I'm thinking about that confusing distinction in QlikView between explicit values, * and space/blank/empty access (possibly deprecated).

stevedark
MVP

I hadn't fully appreciated the text ' The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data' in the article above.

Surely this would mean that if a script was ported across from QlikView then users who had access to the menus in QlikView desktop would automatically get access to all data. Even if Sense script was written by someone familiar with QlikView, they could easily make that wrong assumption. Hmm.

Steve

Fredrik_Lautrup
Employee

Qlik Sense no longer uses Windows accounts internally in the product. This is the main reason for changing to USERID, and if we are not using Windows accounts, SIDs make no sense.

In Qlik Sense all accounts work the same way, regardless of whether they are accounts coming through tickets, SAML or header.

Fredrik

Fredrik_Lautrup
Employee

ADMIN means all data, i.e. not the same as the *.

tanvi_madan1
Partner

Hi Fredrik,

Can you help me out with making groups in Qlik Sense and using them in section access?

Suppose I have 100 users and want to assign them to 5 groups, and I need to provide section access to each group. How should I approach this in Qlik Sense?

Thanks,

Tanvi
