Hello everyone !

I would like to share with you my most recent work about an automation script for securitization by Section Access because I think it could be useful to anyone who struggle or spends too much time to put it in place and maintain it 🙂

My objective was to find a solution to the following points :

• Avoid manual entry of the section access table in the script of each application because this operation is often a source of errors and time consuming.
  
• Industrialize the creation of the section access table with a generic script including many input and processing controls.
  
• Harmonize the security rule entry phase using standardized and centralized Excels files.
  
• Support new entry rules that are more convenient and powerful than default ones.
  
• Automatically export a summary of the active rules for each application to facilitate security audits (optional).

Here are the main features of the solution I was able to put in place :

• The script is designed to work with A SINGLE reduction field.
  (Use compound keys for more complex scenarios as suggested by Qlik experts : https://community.qlik.com/t5/Qlik-Design-Blog/Data-Reduction-Using-Multiple-Fields/ba-p/1474917)
• The reduction rules must be specified in an individual Excel file for each application to be secured.
  You can specify (optional) the username of the developer/owner of the application, so that it will automatically get access to all data.
• Ability to provide "permanent administrators" in a separate Excel file for which access to all values will be systematically granted across all applications.
• Supported rule types (mixture possible):
  - Individually by users
  - By groups of QMC users referenced and synchronized from a directory (usually LDAP groups)
  - By groups of users defined locally (useful if there is no QMC directory groups existing or simply to bypass existing ones)
• Possible filtering values ​​(with examples) :

Basic
- All values: '*'
- Single value: 'UK'
- Multiple values ​​(two possible ways):
-> Across multiple lines (one value per line, the same you have to do when writing the access section table by yourself)
-> Across a single line using a specific separator : 'UK;IT;ES'

Advanced
- Support for wildcards "*" and "?" in reduction values which makes it possible to write rules of the type "LIKE".
The creation of generic keys in the data model to satisfy more complex cases is no longer mandatory because you can use wildcard (https://community.qlik.com/t5/Qlik-Design-Blog/Basics-for-complex-authorization/ba-p/1465872).

Example : the rule 'B*;U*' will grant access to all values starting with the letters 'B' and 'U'.

- Support rules in exclusion mode.
Instead of listing the allowed values (default), now you can do the opposite by listing the prohibited values, which is much quicker to formulate in some cases.
To do this, the value or list of values must be prefixed with "[*-]" which means "everything but".

Example : if dataset has 100 country codes and I wish they were all accessible EXCEPT two of them, then I can write : "[*-]UK;USA"

• Ability to hide one or more fields from the data model to a user/group.
• Optional preservation of an audit table in the data model and/or export of it as a QVD file for later analysis.

********************************************************************************************

All necessary files are available in the attached Zip archive.

Almost all resources are commented in both English and French (including the implementation guide) to allow anyone to use it.
(Only the script itself is written in French with English comments for editable settings).

I'll be very happy to have your feedback 😊
Don't hesitate to ask if you have any problems or to suggest improvements.

Have a nice day !