Qlik Community

Qlik Sense App Development

flottmen
New Contributor

Qlik Authentication Model Questions

We have what I understand to be a unique case. My company manages a SaaS platform and uses Qlik to provide reporting to our clients. As you might imagine, one client is not allowed to see another client's data. What complicates this is that our clients often work with one another. As a result, each client (AffiliateId in our system) can be given access to a row of data by virtue of three different attributes on that row:

- SellerAffiliateId
- BrokerAffiliateId
- BuyerAffiliateId

Each of these ids references the AffiliateId mentioned above.

Currently, we have been creating completely separate apps to represent each AffiliateId and streams to handle authentication. The downside of this is that there are a ton of tasks that need to be run by a task manager that maxes out at 7 concurrent tasks. This is leading to loading times that are much longer than we'd like (we regularly have large numbers of tasks sitting in the queue).

We have looked at using Section Access to solve this problem. This would significantly reduce the number of tasks needed to accomplish our desired outcome. It would also simplify our deployment strategy because we would only have to maintain one stream and app (rather than one per client). However, we cannot seem to get Section Access to work with these multiple attributes. Has anyone done anything like this? Essentially, we would need Section Access to work if the AffiliateId passed by the authentication layer matched the SellerAffiliateId OR the BrokerAffiliateId OR the BuyerAffiliateId. My tests don't seem to produce this outcome.

As an alternative, we have considered baking the row-level security into our ETL layer. Each of our ETL tasks would be responsible for creating a QVD for each AffiliateId (rather than one QVD for the data). Then the client applications could be consolidated to one app and stream, and the script would use the AffiliateId passed by the authentication layer to choose the appropriate QVD for that client. Has anyone done anything like this before?

Does anyone have any advice on which of the two strategies to pursue?  Any negative experiences attempting one or the other that you'd like to share?

Thanks.
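
The Seller OR Broker OR Buyer rule described in the post, sketched as a Qlik load script that flattens the three columns into a single Section Access reduction field through a bridge table. This is an added example, not part of the original post; the table name `Deals`, the key `DealId`, the sample rows and the `USERID` values are constructed assumptions.

```qlik
// Added example (not from the original post). Deals, DealId, Amount, the
// sample rows and the EXAMPLE\... user names are constructed assumptions.
Section Access;
LOAD * INLINE [
ACCESS, USERID, AFFILIATEID
ADMIN, INTERNAL\SA_SCHEDULER, *
USER, EXAMPLE\ACME_USER, 101
USER, EXAMPLE\BETA_USER, 102
USER, EXAMPLE\GAMMA_USER, 103
];
Section Application;

// Constructed fact rows: each row names up to three affiliates.
Deals:
LOAD * INLINE [
DealId, SellerAffiliateId, BrokerAffiliateId, BuyerAffiliateId, Amount
1, 101, 102, 103, 500
2, 102, , 101, 750
3, 103, 103, 102, 900
];

// Bridge table: one row per (deal, affiliate entitled to see that deal).
// The reduction field AFFILIATEID is upper case and has the same name as
// the field in Section Access, so the two associate on it and data
// reduction follows the association from AFFILIATEID to DealId to Deals.
AccessBridge:
LOAD DISTINCT DealId, SellerAffiliateId AS AFFILIATEID
RESIDENT Deals;

// A deal without a broker contributes no bridge row for that role.
Concatenate (AccessBridge)
LOAD DISTINCT DealId, BrokerAffiliateId AS AFFILIATEID
RESIDENT Deals
WHERE Len(Trim(BrokerAffiliateId)) > 0;

// DISTINCT collapses an affiliate that holds two roles on one deal.
Concatenate (AccessBridge)
LOAD DISTINCT DealId, BuyerAffiliateId AS AFFILIATEID
RESIDENT Deals
WHERE Len(Trim(BuyerAffiliateId)) > 0;
```

Because each role becomes its own bridge row, a match on any one of the three columns is enough to keep the deal after reduction. The scheduler account keeps a row in Section Access so reload tasks can still open the app.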