Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Fredrik_Lautrup
Employee
Employee
‎2015-09-22 02:59 AM

Tips and tricks for section access in Qlik Sense (2.0+)

Almost every person I meet to talk about Qlik products and security bring up the concept of section access for discussion. I think section access is one of those things that you either love or hate, but as a company using Qlik products you can’t live without it. The great benefit of section access, in my view, is that it’s driven by the data model which makes it really powerful.

It would be great to get your comments on what you think are the strengths of section access.

As section access is a critical part of how we protect data, we carried over its capabilities from QlikView to Qlik Sense and adapted it to Qlik Sense architecture.

So what has changed?

In Qlik Sense the section access is different in that the names of the columns available have changed:

Column

Description

ACCESS

Can be USER or ADMIN. The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data.

USERID

The name of the user in the format of [User Directory]\[User ID]

GROUP

Value of the attribute group on a user

[REDUCTION]

Is the field on which the reduction is performed

OMIT

Fields that should not be available to the GROUP or USERID

In Qlik Sense, a script for section access could look like the following:

section access;

load * inline [

ACCESS, USERID, REDUCTION, OMIT

USER, QVNCYCLES\flp, 1, Region

USER, QVNCYCLES\kag, 2,

];


The example above would give the user QVNCYCLES\flp access to rows with a one in the field called REDUCTION without getting access to data in the Region field, and QVNCYCLES\kag would see the data with a two in the REDUCTION field.

In Qlik Sense section access is applied using strict exclusion, which means that if you are not explicitly granted access you will not be allowed to see any data.

My favourite improvement in section access for Qlik Sense is that it will be harder to lock yourself out of an app. In Qlik Sense you have the option to open an app without data. This means that if you have permissions to change the script you can open the app without data even if you don’t have access to any. This will allow you to change the section access part of the script instead of being locked out.

We have also introduced the capabilities to use attributes sent in at the time of the user authentication to be used with section access. This means that we now can base what data you get access to using the group attribute that can be inserted using SAML or tickets. 

I hope that you found these tips on Section Access for Qlik Sense helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to post

Tags (2)
52,011 Views
63 Comments
Fredrik_Lautrup
Employee
Employee
‎2016-05-16 02:11 AM

REDUCTION is a field in a table that you want to perform the reduction on.

0 Likes
10,370 Views
Not applicable
‎2016-05-19 03:32 AM

Hi Fredrik,

This exactly how i am managing my section access.

But i am facing one issue, lets say i have 100 users part of a qlik group.

Out of 100, i want to restrict 1 users for few columns.

so in my section access table, do i need to create 100 lines mentioning all 100 members

or can i just create 1 line for the user for whom i want to restrict the data.

0 Likes
10,370 Views
Not applicable
‎2016-05-23 12:03 PM

Do I need to enable session access somewhere in the document other that the script?

How can I get my "QlikSense user id"?  I am using my windows user id "domain name\userid" as USERID. Although I gave the reduction column & just for testing making them all upper case (As suggested in otheer blogs), the data is not reducing.

What am I missing?

Thanks!

0 Likes
10,200 Views
Fredrik_Lautrup
Employee
Employee
‎2016-05-26 08:08 AM

You would have to check but I think you can add a line with the user name of the user and the restriction and those will apply to the user. But just test it out and you will find out.

0 Likes
10,200 Views
Fredrik_Lautrup
Employee
Employee
‎2016-05-26 08:11 AM

Hard to say what you are missing.

But there is no setting that you need to turn on and the user ID is shown at the top of the hub when you log in.

Could you share how your section access table would look?

0 Likes
10,200 Views
ssamuels
Partner - Creator
Partner - Creator
‎2016-06-20 04:41 AM

I'm having trouble implementing Section Access in Sense. I've tried adding DOMAIN\USERNAME values in the USERID column. This is working fine, but adding DOMAIN\GROUPNAME values to the GROUP column does not seem te work. I want to add individuals users as well as AD groups to my section access table. Can someone provide a script sample?  

0 Likes
10,200 Views
ssamuels
Partner - Creator
Partner - Creator
‎2016-06-20 02:10 PM

I figured it out now.

Adding DOMAIN\GROUPNAME values to the GROUP column in the section access table won't work because Qlik Sense expects groupnames stored in Qlik Sense. The groupnames coming from Active Directory are stored in Qlik Sense without the domain prefix. This is the resulting scipt sample that allows both users and usergroups to open my app.

Section Application;

LOAD * INLINE [

ACCESS, USERID, GROUP, REDUCTION_FIELD

USER, DOMAIN\USER1, *, A

USER, DOMAIN\USER2, *, B

ADMIN, *, ADMINISTRATORS, *

];

Section Application;

10,200 Views
slondono
Partner - Creator II
Partner - Creator II
‎2016-07-18 03:25 PM

And how do you add a group in QlikSense?

0 Likes
10,200 Views
ssamuels
Partner - Creator
Partner - Creator
‎2016-07-18 05:21 PM

‌you don't add groups in Qlik Sense, they are created as user attributes when users are imported from a user directory (for instance Active directory).

0 Likes
10,041 Views
Not applicable
‎2016-07-20 03:52 AM

Hi all,

First of all thank you flp for this post.

Let me share my experience with Qlik Sense Server, applying Data Security in my Company.

The example of flp :

section access;

load * inline [

ACCESS, USERID, REDUCTION, OMIT

USER, QVNCYCLES\flp, 1, Region

USER, QVNCYCLES\kag, 2,

];


-----------------In reality to be applied in Sense Server :--------------------



SECTION ACCESS;

LOAD

*

INLINE [

    ACCESS, USERID, REDUCTION,OMIT

  USER, QVNCYCLES\flp, 1, REGION //always uppercase

  USER, QVNCYCLES\kag, 2,

    ADMIN,BISERVER-P\QLIK, ,   // ADMINS should be included, so to not lock  from Application

];

SECTION APPLICATION;

Table_including_Region_field:

Load [Region],

  Upper([Region]) AS REGION  // converting to uppercase

Resident [Table already loaded where field Region exists];

Table_including_Reduction_field:

Load [Reduction],

  Upper([Reduction]) AS REDUCTION  // converting to uppercase

Resident [Table already loaded where field Reduction exists];

From Qlik sense Documentation:

"As the same internal logic that is the hallmark of Qlik Sense is also used in the access section, the security fields can be put in different tables. All the fields listed in LOAD or SELECT statements in the section access must be written in UPPER CASE. Convert any field name containing lower case letters in the database to upper case using the Upper function before reading the field by the LOAD or SELECT statement"

                                                                                   

10,041 Views
Subscribe by Topic