tcarolus
Partner - Contributor III

Authorization based on AD attribute

Hi all,

Does somebody know if it is possible to grant user access on app level based on AD attribute 'Department'? The idea is that based on the AD group, access is granted on stream level. Group name and stream name are alike. The security rule will be something like ((user.group = resource.name)). --> resource = stream

Within a stream there will be different apps. Based on the attribute 'Department' in the AD we want to grant access on app level. I am aware of the existence and use of custom properties, but for this case I'm looking for a more automated solution. So what I'm imagining is the following:

1. IT adds a new group 'new customer' to the AD

2. Within this group there are several users from different "departments": user1 | attribute "department"=management, user2 | "department"=sales and user3 | "department"=finance.

After adding the necessary information to the AD we want to use this information to create a security rule on app level, something like

((user.department like resource.name)) --> resource = app

Does anybody have an idea?

Thank you in advance for thinking along with me!

Kind regards,

Tamarah

1 Solution

Accepted Solutions
kfoudhaily
Partner - Creator III
Partner - Creator III

There's no direct way to do this, but I have worked on a workaround to do this in the past.

Using your Qlik app you may connect to AD and import the data you need:

user name, department and other fields:

(OLE DB connection to Active Directory)

    // Preceding load: keep only the attributes needed from the AD query below.
    AD_Users:
    load
         division       AS [Division],
         displayName    AS [Display Name],
         department     AS [Department],
         company        AS [Company],
         co             AS [Country],
         cn             AS [Name];
    // Query against the OLE DB connection to Active Directory.
    sql select
         accountExpires,
         assistant,
         badPasswordTime,
         badPwdCount,
         c,
         cn,
         co,
         company,
         createTimeStamp,
         department,
         description,
         directReports,
         displayName,
         distinguishedName,
         division,
         employeeID,
         facsimileTelephoneNumber,
         generationQualifier,
         givenName,
         homeDirectory,
         homeDrive,
         homePhone,
         homePostalAddress,
         info,
         initials,
         internationalISDNNumber,
         ipPhone,
         l,
         lastLogoff,
         lastLogon,
         lockoutTime,
         logonCount,
         logonHours,
         mail,
         manager,
         memberOf,
         middleName,
         mobile,
         modifyTimeStamp,
         msExchHideFromAddressLists,
         objectCategory,
         objectGUID,
         objectSid,
         objectClass,
         otherFacsimileTelephoneNumber,
         otherHomePhone,
         otherIpPhone,
         otherMailbox,
         otherMobile,
         otherPager,
         otherTelephone,
         pager,
         personalTitle,
         physicalDeliveryOfficeName,
         postalCode,
         postOfficeBox,
         primaryInternationalISDNNumber,
         primaryTelexNumber,
         pwdLastSet,
         sAMAccountName,
         sAMAccountType,
         scriptPath,
         sn,
         st,
         streetAddress,
         telephoneNumber,
         telexNumber,
         title,
         url,
         userAccountControl,
         userPrincipalName,
         userSharedFolder,
         userWorkstations,
         whenChanged,
         whenCreated
    from 'LDAP://domain.local' where objectClass = 'User' and objectCategory = 'Person';

(check AD user attributes for details)

then you can construct your section access using this table.

Hope it's helpful.

regards,

QlikView Qlik Sense consultant
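
An added example (not part of the post above and not Qlik's own code) of the section access step the answer ends on, building the access table from AD_Users. It assumes the load above also keeps `sAMAccountName AS [Account]`, that the data model has an upper-case field named DEPARTMENT to reduce on, and that `DOMAIN` and `QLIKADMIN` are placeholders for your own user directory and administrator account.

```qlik
// Added example: Section Access built from the AD_Users table.
// Assumptions: AD_Users has [Account] (from sAMAccountName) and [Department];
// the data model contains a field DEPARTMENT holding upper-case values.

Section Access;

// Fixed rows first: a named administrator and the scheduler service account,
// so maintenance and scheduled reloads keep working once reduction applies.
// '*' grants every DEPARTMENT value that is listed in this access table.
LOAD * INLINE [
ACCESS, USERID, DEPARTMENT
ADMIN, DOMAIN\QLIKADMIN, *
ADMIN, INTERNAL\SA_SCHEDULER, *
];

// One USER row per AD account. Same field names as the inline table,
// so these rows are appended to it automatically.
// Accounts without a department get no row and therefore no access.
LOAD
    'USER'                          AS ACCESS,
    Upper('DOMAIN\' & [Account])    AS USERID,
    Upper(Trim([Department]))       AS DEPARTMENT
RESIDENT AD_Users
WHERE Len(Trim([Department])) > 0
  AND Len(Trim([Account])) > 0;

Section Application;
```

Only `sAMAccountName` and `department` are needed for this table, so the AD query can be narrowed to those attributes instead of pulling fields such as `pwdLastSet` or `badPwdCount` into the app. Test with a copy of the app first: a user whose USERID is missing from the table cannot open the app at all.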


3 Replies
tcarolus
Partner - Contributor III
Author

Nice, thank you for sharing!

I think it will help us figure it out.

tcarolus
Partner - Contributor III
Author

Hi Khalil,

I'm getting back to you on this issue and maybe you have another idea.

Your provided solutions will work if you have one app and want to add restrictions on data access within that same app. But what I'm looking for is full app access based on AD attribute 'Department'.

As far as I know you can restrict access on AD group level:

[Screenshot: AppAccess.png]

But that is the only attribute from the AD I can select. So what I'm looking for is a way to use another attribute from the AD instead of 'group'.

Any ideas are welcome 🙂

Kind regards, Tamarah