Hi All,
I am having difficulty assigning a CAL for a new user.
Our current set up is that the named user licenses are stored on a separate server to the access point. The new user can see the server when they click 'Open in Server' but is unable to view any of the documents contained to lease a licence.
Within the management console I have checked to allow license lease and allow dynamic CAL assignment.
I have also gone into the assigned CALs tab and clicked the people heads to manage users. Once here I don't have the option to manually enter the user's domain and user name that will be used for logging in.
Is there something I am missing or something I am doing horribly wrong?
Any help you can give me is greatly appreciated.
Many thanks
Jarrad
Can you elaborate more on what you mean by "Our current set up is that the named user licenses are stored on a separate server to the access point."? Are you referring to where the CalData.pgo file (which contains Named User/Document CAL assignments) is stored? Are you referring to where the QlikView Management Service is running?
On the QMC > System > Licenses > QlikView Servers > Client Access Licenses (CALs) > Assigned CALs tab > Manage Users (people icon) screen, are you able to successfully search users?
What type of user directory service provider (DSP) are you utilizing here? What is listed in QMC > System > Setup > Directory Service Connectors > DSC? Is this connection correctly configured?
Thanks.
Hi @Chip_Matejowsky ,
Thank you for getting back to me. We have an instance of QlikView Management running on server A with 10 named user CALs, which is where we connect to lease a licence to enable users to work on dashboards. We then have server B, which has 50 session CALs and is where the access portal is stored. I don't know why this isn't just on the one server but I'm sure there was a reason.
I can search for users within the QMC > System > Licenses > QlikView Servers > Client Access Licenses (CALs) > Assigned CALs tab > Manage Users (people icon) screen but nothing gets returned. Looking in the user directories shows that no one is assigned as a user. To get the named licenses the users just connect to the server and open a document. The issue that I'm having is that a new member of staff can see the server but not any of the documents within (and as such not get a license).
The QMC > System > Setup > Directory Service Connectors > DSC is showing: [Server Name]:4730/DSC/Service. I would say that this is correctly configured, as other users are able to lease a licence; it's just one member of staff who cannot see the QVW files (including Golf Quest etc.) and obtain a license.
Many thanks for your help and support in this.
Hello Jarrad,
I'm chiming in with some details on how access is given in QlikView and how licenses are being handed out. That might help a little with finding out where the problem is in your setup.
You mention that you have named CALs on one machine, Session CALs on another, which would mean you have two different QlikView servers and licenses for them, but let's ignore this for now.
QlikView goes through three stages before it allows a user to open a document.
Stage one is authentication, which is where the user hits the AccessPoint (http://somethingsomething/qlikview) and is being authenticated by whatever authentication method you have in place. For example, just straightforward Windows authentication, so you get logged in with the same user that you are logged on to your PC / laptop with.
Authentication doesn't actually do anything else though at this point. This is done by the WebServer, generally.
Stage two, the WebServer asks the QlikView Server "What is this user allowed to access?" That's authorization.
At this point, the QlikView Server checks what the authenticated user has access to. Out of the box, QlikView does that by using NTFS permissions, so the end user needs to have read permissions to the .qvw on disk. That is either done by managing access directly on that folder where the .qvws are stored, or you have a QlikView Publisher that does that during the distribution.
If the user is authorized to open the document, they can then also see it on the AccessPoint.
(There is also Section Access, that is a separate security mechanism. If a document has Section Access, and the user is not allowed to open it based on that, it will not show up on the AccessPoint either by default.)
Stage three is "Do you have a license to use the product?" When the user clicks on the document, the QlikView server then checks if that user has a CAL. If they do not have a Named CAL, it gives them a Session CAL.
All CALs (Named CAL, User CAL, etc.) come from the same place: your QlikView Server License. They are recorded in the LEF of the server, and their allocation to users is stored in the .pgo files that QlikView Server uses. That is why I doubt you have them actually split up in two systems unless you are using two separate QlikView servers to serve two different sets of documents.
This line of your last query here:
"the issue that I'm having is that a new member of staff can see the server but not any of the documents within (and as such not get a license)."
I am thinking maybe the new user hasn't yet been added to the correct group, or not been given the correct file access permissions to see the documents at all.
Here is some more information about authorization in QlikView. It also covers the second method we have, DMS mode, just in case that is the one you are using.
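The stage-two check described in the answer above (NTFS read permission on each .qvw) can be audited with a short PowerShell script; this is an added example that is not part of the original thread or Qlik's own tooling. The folder path and the account and group names are placeholders, and the script only compares explicit ACL entries against the identities you list, so it does not resolve nested group membership or evaluate Section Access.

```powershell
# Added example, not from the thread. Path and account names are placeholders.
$DocumentRoot = 'D:\QlikView\Documents'
# The account plus every group it belongs to, written as DOMAIN\name.
$Identities   = @('EXAMPLE\new.user', 'EXAMPLE\QlikView Readers')

$Read = [System.Security.AccessControl.FileSystemRights]::Read

function Test-QvwRead {
    param([string]$Path, [string[]]$Identity)

    # Keep only the ACL entries that name the user or one of the listed groups.
    $aces = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $Identity -contains $_.IdentityReference.Value }

    # A Deny entry that covers any read right overrides every Allow entry.
    $denied = $aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ([int]($_.FileSystemRights -band $Read)) -ne 0
    }
    # An Allow entry counts only if it grants the full Read right set.
    $allowed = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Read) -eq $Read)
    }

    [pscustomobject]@{
        Document = $Path
        CanRead  = ([bool]$allowed -and -not $denied)
        ViaAce   = ($allowed.IdentityReference.Value | Select-Object -Unique) -join ', '
    }
}

# Documents the identities cannot read sort first; by default these are the
# ones that stay hidden from that user on the AccessPoint.
Get-ChildItem -LiteralPath $DocumentRoot -Filter *.qvw -Recurse -File |
    ForEach-Object { Test-QvwRead -Path $_.FullName -Identity $Identities } |
    Sort-Object CanRead, Document |
    Format-Table -AutoSize
```

Run it as an account that can read the ACLs on the document folder; an empty ViaAce column for every file points to a missing folder-level grant rather than a per-document problem.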
Thank you very much for this explanation. It really has helped me to understand how the licenses are allocated and how Qlik authorizes a user.
I think you are correct in that the issue lies with the user's permissions to the file on the server; having just checked, they have not been given permission to access the folder that holds the Qlik documents.
Hopefully once they have permission to get to the folder this issue will be rectified.
Thank you so much for your input.
Kind regards
Jarrad
I'm really happy to hear that this helped you, and thanks a ton for marking it as the accepted solution.