Qlik Community

Qlik Sense Enterprise Documents

Documents for Qlik Sense related information.

Data Level Security in QlikSense

pawwy1415
Contributor II

Data Level Security in QlikSense

This document show how Data Level Security is implemented in Qliksense.

  • As per best practice before implementing section access create a backup or duplicate of the app prior to adding any section access statements to the load editor.
  • Section Access only works on Qlik Sense Server. An app with a valid section access table in the load editor must be on the server and reloaded on the server for the security to take effect. To test different user’s access, you must publish the app to a stream so that you can test logging in as different users to see the effect. Without publishing the app is stuck in the 'my work' of one user and not accessible by other users.
  • Always load the Section Access table before the rest of the data model.
  • The Section Access table requires an ACCESS field and a USERID or GROUP field. Under USERID, you will use the userid that the Qlik Sense hub uses to track all users. For default security, it’s likely to be in a DOMAIN\USERID format. I suggest entering the USERID or GROUP reference in all caps as you see below.

  • If you want any user to see all values in Product name then need to pass '*' for a field value entry in the section access table
  • Under Section access table the field names should be capitalized as should the data values in those field(s). You don't need to alter your source data, just alias the field name in the section access table to provide a capitalized field name and use the upper() function to put the values in all caps as well.


    Security_Tmp:
    LOAD USERID,
    ACCESS,
   “Product name”
    FROM [$(vLOADSOURCEFILES_PATH) User Access Mapping Table.xlsx]
    (ooxml, embedded labels, table is [User Access Mapping]);

   Section Access;
   Load Upper(USERID) as USERID,
   Upper(ACCESS) as ACCESS,
   Upper ("Product name") as PRODUCTNAME
   Resident Security_Tmp;

   Drop Table Security_Tmp;

  • In the rest of your data model you must also have the same all caps field names and data values. The way it works is that when a userid logs in, it will act as if the whole app was filtered based on the records with the field values (or combination of field values if you have multiple fields) referenced in the section access table for that USERID. The associative indexing is intact for this action so that all linked tables will likely be filtered based on those same field values.

   Section Application;
   LOAD
   Upper (“Product name”) as PRODUCTNAME,
   Sales
   FROM [$(vSTOREQVD_PATH) ProductData.QVD]
   (qvd);
Comments
kkkumar82
Valued Contributor III

do you mean '*' for seeing all data I think you should leave the field Product Name blank for seeing all values because lets assume if you have one more Product in the field which is not assigned any of the users '*' will show only three products for the Admin if you leave blank it will show even the one which is not assigned to any of the users to the Admin.

I hope you want to give an example where ADMIN wants to see all data irrespective of what is assigned to

users

thomakel
New Contributor III

THX for sharing!

But how to add only certain users from a "AD group" in QlikSense section access?

E.g.

Section access;

Load * Inline [

    ACCESS, USERID, GROUP, COUNTRY,

    ADMIN, *, DEVELOPER, *

    USER, MY_DOMAIN\USER1, GROUP_A, CANADA

    USER, MY_DOMAIN\USER2, GROUP_A, USA

];

Section Application;


Sadly this is not working.
Is syntax correct?

pawwy1415
Contributor II

Hi Thomas,

Remove ','  after COUNTRY field in  Inline script.

GROUP is not required when we have entered USERID.

Please make sure the COUNTRY field in Section Access( inline script) and Section Application COUNTRY field should be in Upper case i.e, both filed names and Records should be Upper case.

Thanks

ahmar811
Contributor III

It is mandatory to write Section Access table before the rest of the data model. I don't think so

ahmar811‌ , Section Access need not be the first statement , you could write the section access even at the last no issues

Version history
Revision #:
1 of 1
Last update:
‎06-04-2018 12:13 AM
Updated by: