Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.

Fredrik_Lautrup
Employee

Almost every person I meet to talk about Qlik products and security brings up the concept of section access for discussion. I think section access is one of those things that you either love or hate, but as a company using Qlik products you can’t live without it. The great benefit of section access, in my view, is that it’s driven by the data model, which makes it really powerful.

It would be great to get your comments on what you think are the strengths of section access.

As section access is a critical part of how we protect data, we carried over its capabilities from QlikView to Qlik Sense and adapted it to the Qlik Sense architecture.

So what has changed?

Section access in Qlik Sense differs in that the names of the available columns have changed:

| Column | Description |
| --- | --- |
| ACCESS | Can be USER or ADMIN. The ADMIN access was introduced in Qlik Sense 2.0 and gives the user full access to data. |
| USERID | The name of the user in the format of [User Directory]\[User ID] |
| GROUP | Value of the attribute group on a user |
| [REDUCTION] | Is the field on which the reduction is performed |
| OMIT | Fields that should not be available to the GROUP or USERID |

In Qlik Sense, a script for section access could look like the following:

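```
section access;
// Each row grants one user one REDUCTION value; OMIT hides the named field from that user.
load * inline [
ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\flp, 1, Region
USER, QVNCYCLES\kag, 2,
];
// Return to the normal script so the application data loads after the access table.
section application;
```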


The example above would give the user QVNCYCLES\flp access to rows with a one in the field called REDUCTION without getting access to data in the Region field, and QVNCYCLES\kag would see the data with a two in the REDUCTION field.

In Qlik Sense section access is applied using strict exclusion, which means that if you are not explicitly granted access you will not be allowed to see any data.

My favourite improvement in section access for Qlik Sense is that it will be harder to lock yourself out of an app. In Qlik Sense you have the option to open an app without data. This means that if you have permissions to change the script you can open the app without data even if you don’t have access to any. This will allow you to change the section access part of the script instead of being locked out.

We have also introduced the ability to use attributes sent at the time of user authentication with section access. This means that we can now base the data you get access to on the group attribute, which can be inserted using SAML or tickets.

I hope that you found these tips on Section Access for Qlik Sense helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to the post.

63 Comments
sohailansari201
Creator

Thank you Sten

0 Likes
1,295 Views
ali_hijazi
Partner

If a user can see everything in the (REDUCTION) field, I put * or what?

0 Likes
1,295 Views
sspe
Creator II

If you put * in the reduction field, it will give the user access to all the "reductions" you have defined in the Section Access table.

If you e.g. do the reduction based on Employee Names and in your data have Employee Name A, B, C, D and E, but in your Section Access list only define access to Employee Name A, B and C, then a * will only give access to A, B and C.

Also, in my opinion the documentation in QlikSense is a little misleading. It says that a user with the ADMIN access type has access to all data in the application, but that's not really what I see. Even though the user is defined as ADMIN and with the *, (s)he still only has access to the records defined by the REDUCTION records in Section Access.

/Steen

1,295 Views
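Added example (not part of the original post or comments, and not Qlik code): a simplified Python model of how the USER rows in the post's table resolve under strict exclusion, and of the `*` behaviour described in the comment above, usable as a pre-deployment check on a section access table. ADMIN rows are skipped, and the two extra users, the data rows and the case-insensitive user match are constructed assumptions.

```python
import csv
import io

# Constructed sample: the post's two rows plus two hypothetical users.
SECTION_ACCESS = r"""ACCESS, USERID, REDUCTION, OMIT
USER, QVNCYCLES\flp, 1, Region
USER, QVNCYCLES\kag, 2,
USER, QVNCYCLES\all, *,
USER, QVNCYCLES\old, 9,
"""

# Constructed application rows; value 3 is not listed in the table above.
DATA = [
    {"REDUCTION": "1", "Region": "North", "Sales": 100},
    {"REDUCTION": "2", "Region": "South", "Sales": 200},
    {"REDUCTION": "3", "Region": "West", "Sales": 300},
]


def parse_table(text):
    """Parse the inline table into dicts keyed by upper-cased column name."""
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip().upper() for h in next(rows)]
    return [dict(zip(header, (c.strip() for c in r))) for r in rows if r]


def visible(userid, table, data, field="REDUCTION"):
    """Return (rows, omitted fields) for a USER, or None when access is denied."""
    mine = [r for r in table if r["ACCESS"].upper() == "USER"
            and r["USERID"].upper() == userid.upper()]
    # '*' expands to the values listed in the section access table only.
    listed = {r[field] for r in table if r[field] not in ("", "*")}
    granted = set()
    for r in mine:
        granted |= listed if r[field] == "*" else {r[field]}
    omit = {r["OMIT"] for r in mine if r["OMIT"]}
    rows = [{k: v for k, v in d.items() if k not in omit}
            for d in data if d[field] in granted]
    # Strict exclusion: nothing granted that matches the data means no access.
    return (rows, omit) if rows else None


def audit(table, data, field="REDUCTION"):
    """Report denied users and data values that no '*' row can reach."""
    users = sorted({r["USERID"] for r in table if r["ACCESS"].upper() == "USER"})
    denied = [u for u in users if visible(u, table, data, field) is None]
    listed = {r[field] for r in table if r[field] not in ("", "*")}
    unlisted = sorted({d[field] for d in data} - listed)
    return {"denied": denied, "unlisted_values": unlisted}


if __name__ == "__main__":
    print(audit(parse_table(SECTION_ACCESS), DATA))
```

In this model the `*` user sees the rows for values 1 and 2 but not 3, because 3 appears in the data and nowhere in the section access table.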
qlik_mm0128
Contributor II

Hey Fredrik,

I'm currently working on applying section access based on SAML attributes; above you mentioned "base what data you get access to using the group attribute that can be inserted using SAML".

However, I am currently having issues referencing the particular groups from the load script. I was wondering if it would be possible for you to post an example with the syntax?

Any help you can provide is greatly appreciated.

Kind Regards,

Matt

0 Likes
1,295 Views
Fredrik_Lautrup
Employee

There are two steps involved with using SAML attributes for section access:

  1. You need to map your SAML attribute name to the name group on the virtual proxy.
  2. You need to add the value of the group attribute to your section access table to perform a reduction.

Is this consistent with what you have tried?

1,295 Views
sspe
Creator II

Hi,

To add to my own reply above, I have done some further testing and found a little strange behaviour which seems to be different from QlikView.

If the user type is "USER" then it all works as expected. The user gets access to what's specified in the REDUCTION field, and * gives access to all elements in the REDUCTION list.

If the user type is ADMIN, then it works as for the USER as long as the value specified in the REDUCTION field is either * or a value that exists in the field in the application. What is a little tricky then, is that if you specify a value that doesn't exist, then an ADMIN user gets access to ALL data.

If you e.g. use Region as reduction field and have Region A and B in your data model, then specifying A and B as values in your section access table all works fine. If you have an ADMIN user who e.g. only should have access to Region B, you just enter that in the Section Access table and then he will only see Region B. If you then enter a *, he will get access to Region A and B. If you then enter a value that doesn't exist in the Region field in the application, then the ADMIN user sees data for all Regions.

As far as I know, this behaviour is different from QlikView, and I don't know if it's a bug or if it's by design. I like that it's possible to give access to all data - and not only what's defined in the Section Access table, but I don't know if I like the fact that specifying nothing or a "non-existing" value just gives you all data. I know it only happens if you also specify that it should be an ADMIN user and not a regular user, but still it could be more clear.

Regards

Steen

1,295 Views
blaise
Partner

To me that sounds like "strict exclusion" isn't applied correctly in the version you're using Sten.

Haven't used Section Access in Sense yet so I do not know if this can be changed in Sense, it looks like Sense always uses strict exclusion (given what the author of the post writes).

Sounds like a bug to me.

0 Likes
1,200 Views
kuba_michalik
Partner

This is exactly how QlikView behaved when opening a document with ADMIN access. It's even in the documentation somewhere.

Trick is, ADMIN access would work in QlikView only when opening the document in QlikView desktop (or when QMC would open the qvw for reload, and the service account had ADMIN access). On the Access Point, even if you had ADMIN in Section Access, you would be treated as if you had USER there so with strict exclusion enabled and no valid entries in the reduction field you won't be able to access the app.

If anything here is a bug, it's the inconsistency in treatment of ADMIN users between desktop and Access Point in QlikView. But maybe even not that - when opening QlikView documents through the server you are much more limited by definition (can't do a reload no matter what - in QlikSense it's just the question of having proper rights assigned, so in the same vein you can be actually properly treated as an ADMIN - type user).

0 Likes
1,200 Views
klewandowski
Contributor III

Please confirm. In version 3.1+ it's not working anymore? I tried this in older version and it was ok. I tried to implement it in client with version 3.1 but it's not working. Is there any other good way to restrict data for particular user id?

0 Likes
1,200 Views
mbj
Employee

Hi

Please also see https://qlikcommunity.qliktech.com/docs/DOC-17599

Here I use both userId or even better: groups to authorize on

Sent from my iPhone

On 22 Mar 2017 at 18:52, Kamil Lewandowski <qcwebmaster@qlikview.com> wrote:

0 Likes
1,200 Views