Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
124psu
Creator II
Creator II

section access - managing groups and users

Hi all - 

After getting qlik server set up, apps created, we now have a few users ready to start using our application. I've read about section access and how to manage what users can see what data. 

How do I go about setting up this method? I've read you need to create a table in our database to manage their roles.

Right now, our user base is very small as this is a new effort, but would like to be prepared. Is it better to manage users based on groups then create a table to manage these users and then tie it with qlik? 

I've read you need these parameters if you do decide to do in the script editor -- Section Access; LOAD * inline [ ACCESS, USERID USER, User_ID ]; Section Application; LOAD... ... from.

Are these concrete parameters that I need to have included in my table or in the script editor? Looking for the best way to manage what users should see in our application.

Labels (4)
1 Solution

Accepted Solutions
Lauri
Specialist
Specialist

Hi Drew,

Do you have this line above your Section Access?

star is *;

If not, that may be why you aren't seeing all accounts.

And since Christina is seeing Sales, there may be a problem with your syntax. Is the field name "Sales" or "sales" or "Dataload.Sales"? 

In response to your earlier questions:

  • It doesn't matter where your INLINE statement is, as long as it's after "Section Acess" and before "Section Application."
  • The second table, to limit access to States, would be after "Section Application." It will be visible in your data model, and it will link to all other tables containing the States field.

However, it sounds like you are limiting user access to specific values in two fields: Accounts and Departments (and maybe States as well?). As far as I know, section access works with only one field! So you need to create a new field that combines those two fields' values for every possible combination. For example, combine '1' from Accounts and 'IT' from Departments into '1IT'. 

It gets more complicated (at least in my mind): If you have a user who gets to see Accounts 1 and 2, and Departments Finance and IT, then I BELIEVE you need to create yet another new field (let's call it AccessID) to uniquely identify those 4 combinations of values. Like this, which you load in Section Application:

AccessIDAccountDepartment
1011Finance
1011IT
1012Finance
1012IT

 

This way, user Joe shows up like this in your INLINE table:

LOAD * INLINE [

ACCESS,        USERID,           ACCESSID,          OMIT
USER,         qlik\drew,                       * ,
USER,         qlik\christina,           100,                     Sales
USER,        qlik\joe,                       101,               
ADMIN, INTERNAL\SA_SCHEDULER,*,
];

For Christina, I think you would need a row for every Department that she gets to see. I don't think * works on Section Application (contrary to what I originally posted).

And Drew doesn't need to show up in the AccessID table as long as all of the Accounts and Departments are present in it., assigned to other users. If, for example, Account 10/Department IT is not in the table, then Drew will not get to see it. Your * gives you full access to every value of AccessID - but only the ones that are loaded!

 

View solution in original post

10 Replies
Lauri
Specialist
Specialist

I use section access all of the time and it works well for us. We have sensitive medical information; each user gets to see only his/her patients' information.

You can manage in groups, or by user. It depends on if your groups of users all get the same privileges. If they do, then your management will be easier. But either way, you need to know what they are going to get to see.

In the "Section Access" section, you will load the list of users (from an external source or a list you type Inline), along with the part of the data that they are allowed to see. I use a field called ORGID. Joe has ORGID=1, Susan has ORGID=2, etc. 

After that section, you have "Section Application" where all of your 'normal' data gets loaded.

I can give you more detailed instruction if you provide a couple of sample users, where you manage your user list, and whether their privileges are based on group membership or something else.

124psu
Creator II
Creator II
Author

Lets say my user base is broken into 3 groups.

1. Management - sees all data

2. Analyst - sees all data MINUS these fields: employeeSalary, employeeVINnum, managementSalary, ManagementVINnum

3. simpleUsers - should not see everything mentioned above, plus specific States: NYC, LA, ATL, DEN.

The thing I'm trying to wrap around my head is - what if I have just one application that has all the data. Am I creating this section access within a table and explicitly stating which fields they should or should not see?

Now if I were to prohibit simpeUsers from seeing specific columns in the data I'm assuming the visualizations might error out for them? I haven't tested this with any users as I am trying to plan for long term as I know this will be our next task. 

As for setting the users up, what would you recommend? Did you just create a simple table in your database and then just bring that into your qlik application? I'm going through a white paper right now and hoping to gain more insight. I guess the whole process is a bit foreign but gradually understanding bit by bit.

Lauri
Specialist
Specialist

You are correct: Create a table (I do it in Excel, but you can do it in a database or a text file or even inline in the data load editor) that lists your users. It'll look something like this:

UserACCESSGROUPOMIT
JoeUSERManagement 
SteveUSERAnalystemployeeSalary, employeeVINnum, managementSalary, ManagementVINnum
GaryUSERsimpleUsersemployeeSalary, employeeVINnum, managementSalary, ManagementVINnum

 

The OMIT column tells Qlik which fields to hide from these users. I haven't tried it, so you'll need to see how it looks to the end-user. The ACCESS column contains either USER or ADMIN. Admin is only for superusers.

If your users are part of a domain, make sure your load script adds the domain name and \ in front of the usernames. My typical load script looks like this:

star is *;

SECTION ACCESS;

ACCESSDATA:
LOAD
Domain & '\' & UPPER("USERID") as USERID,
ORGID,
"ACCESS",
NULL() AS OMIT
FROM [lib://QlikDataFolder/vrha\vrha_users.xlsx]
(ooxml, embedded labels, table is Sheet1);

SECTION Application;

[Statements to LOAD the data that the app uses]

 

To hide those States' data from simpleUsers, you need to structure your data model correctly, which means when you load the table that contains the States field, it joins to a table that lists the States and which GROUP members can see those states. That table could look like:

StatesGROUP
*Management
LAAnalyst
ATLAnalyst
BOSAnalyst
BOSsimpleUsers
etc.etc.

 

This table is the (hidden) link between your user table (in section access) and all of the data you load. For every value in the States field, the GROUP value will have access. In my sample table, simpleUsers does not have access to LA or ATL but does have access to BOS. (I assume Management gets to see all data, so we enter * in States, just once. And we type "star is *;" above the Section Access in the load script.)

We just need to make sure that the other tables link correctly to this one, in a way that security is properly managed.

 

124psu
Creator II
Creator II
Author

This is an excellent guide! Thank you so much for this. 

124psu
Creator II
Creator II
Author

After some more reading I'm finally starting to understand this methodology. Quick question - I see that you created a table in excel for the SECTION ACCESS and loaded that into the script editor. Does it matter where the section access table in line syntax is placed? The extra table you created that prohibits specific users from seeing specific states, do you create another table (excel, etc) and load this separately and hide this? I'm a bit confused on the 2nd part you mention on this topic. Thanks for relaying the information. It was really informative and helped me understand and begin applying this concept onto my applications.

Lastly - I don't necessarily want to OMIT column fields but instead specific values within the column field.

e.g. For Departments, I want everyone in Marketing to only see Marketing and not Finance and IT. How do I omit values from a column field vs. the whole column field? 

Thank you.

 

124psu
Creator II
Creator II
Author

Hi Laurischarf, so here is what I have so far.

 

SECTION ACCESS;

LOAD * INLINE [

ACCESS,        USERID,           ACCOUNTS,          OMIT
USER,         qlik\drew,                     * ,
USER,         qlik\christina,             1,                     Sales
ADMIN, INTERNAL\SA_SCHEDULER,*,
];

SECTION APPLICATION;

My understanding is you must have section access and section application in the script, all headers must be capitalized/upper case. I'd expect myself (drew) to see all the accounts (accounts 1-5) and have no omits. Instead, I am only seeing Account 1.. I assumed the * asterisk would enable me to see all the accounts.

The other user Christina is actually only seeing account 1 which is working very well. I omitted the 'Sales' field for this user but they are still able to see the sales figure.. 

Looking for some guidance on where I went wrong.

Lauri
Specialist
Specialist

Hi Drew,

Do you have this line above your Section Access?

star is *;

If not, that may be why you aren't seeing all accounts.

And since Christina is seeing Sales, there may be a problem with your syntax. Is the field name "Sales" or "sales" or "Dataload.Sales"? 

In response to your earlier questions:

  • It doesn't matter where your INLINE statement is, as long as it's after "Section Acess" and before "Section Application."
  • The second table, to limit access to States, would be after "Section Application." It will be visible in your data model, and it will link to all other tables containing the States field.

However, it sounds like you are limiting user access to specific values in two fields: Accounts and Departments (and maybe States as well?). As far as I know, section access works with only one field! So you need to create a new field that combines those two fields' values for every possible combination. For example, combine '1' from Accounts and 'IT' from Departments into '1IT'. 

It gets more complicated (at least in my mind): If you have a user who gets to see Accounts 1 and 2, and Departments Finance and IT, then I BELIEVE you need to create yet another new field (let's call it AccessID) to uniquely identify those 4 combinations of values. Like this, which you load in Section Application:

AccessIDAccountDepartment
1011Finance
1011IT
1012Finance
1012IT

 

This way, user Joe shows up like this in your INLINE table:

LOAD * INLINE [

ACCESS,        USERID,           ACCESSID,          OMIT
USER,         qlik\drew,                       * ,
USER,         qlik\christina,           100,                     Sales
USER,        qlik\joe,                       101,               
ADMIN, INTERNAL\SA_SCHEDULER,*,
];

For Christina, I think you would need a row for every Department that she gets to see. I don't think * works on Section Application (contrary to what I originally posted).

And Drew doesn't need to show up in the AccessID table as long as all of the Accounts and Departments are present in it., assigned to other users. If, for example, Account 10/Department IT is not in the table, then Drew will not get to see it. Your * gives you full access to every value of AccessID - but only the ones that are loaded!

 

124psu
Creator II
Creator II
Author

Thank you so much. Seriously. 

The accessID section you created (if more restrictions and permissions are enabled), how do you link that in the section access? Do I just load that in the section access script in the data load editor? Will qlik know automatically that they are related by the accessID? I'm asking because essentially Ill have 2 tables, 1 for the main section access, and 2 for the granular permission settings for users to see finance AND IT, etc. 

Once again, you've been tremendous explaining this! Much appreciated.

Lauri
Specialist
Specialist

Happy to help - I was in the same boat a couple years ago!

Yes, Qlik will automatically link your hidden table (in section access) to your regular table(s) (under Section Application) using the field with the same name (I named it AccessID but you can name it anything).

So your regular tables need to link together correctly so that the permissions apply properly, starting with AccessID. You don't necessarily need to have AccessID in every table; you can have another field that joins tables. Just be sure that all of the tables (that have to be secured) link back to the one containing AccessID.

I recommend you load a very small amount of data to test with. Just a few rows of data, so you can easily verify that each user sees only what they are supposed to (and so data loads go faster).