Re: Considerations switching to DMS mode from NTFS - Qlik Community

isaiah82 · ‎2013-12-17

Hey everybody - currently have a simple NTFS-mode setup where users access via PC's in a browser (no prompt for username/password.) The server is exposed externally over the web already.

What would it entail to allow SSO (single sign on) for users from salesforce.com (accessing via an iPad.) The users do have Active Directory accounts for what it's worth; is there any way to do this with without using DMS mode?

If I need to switch to DMS mode, how painful with this be given the existing implementation? Will it be possible that users continuing to use Windows PC's can (still) avoid having to log in?

Thanks a bunch -Isaiah

danielrozental · ‎2013-12-17

Are you planning to change the current authentication to qlikview or are you still going to use the AD login?

If authentication doesn't change then I don't see a need to switch to DMS mode.

isaiah82 · ‎2013-12-17

Thanks Daniel > honestly I don't know; do you see any way that the AD login could be used from an iPad (in Safari) somehow without the user having to provide (AD) credentials?

danielrozental · ‎2013-12-17

Without the user providing any credentials at all? Then I believe you need to use client-side certificates.

Miguel_Angel_Baeyens · ‎2013-12-17

Hi Isaiah,

Actually there is one: using digital certificates linked to domain accounts. From Windows Server 2008 onwards, you can assign a digital certificate to a domain account using AD Certificate Services (check Microsoft's official documentation). I have been deploying QlikView this way for iOS and Android tablets.

Miguel

isaiah82 · ‎2013-12-17

Thanks for the help guys > Miguel: can you just confirm for me that using your solution I would leave QVS in NTFS mode (wouldn't need DMS)? Also, would there be any configuration needed on the QlikView box to accommodate this?

Peter_Cammaert · ‎2013-12-17

Authentication and authorization are two different things. SSO is an easy way to recover authentication that has already been done by Windows (or by a login box that is presented to your external users). DMS is another way to manage authorizations: instead of relying solely on NTFS permissions, authorizations are managed/stored by QlikView itself.

IMHO, transition from NTFS to DMS is fairly straightforward. A nice DMS feature is that QMC now has an Autorizations tab in User Documents where you can grant permissions to documents from anywhere and without fighting Windows dialogs. Of course, routine reload tasks already do this upon distribution. But I think it's nice-to-have.

Also, on a QlikView management level, DMS has finer-grained permission management. If I can come up with real-life examples, I'll post some here later on.

Peter

Miguel_Angel_Baeyens · ‎2013-12-17

Hi,

I agree with what Peter Cammaert says below. First you need to identify where your issue might be: at the authentication level or at the authorization level. According to your description, it seems to be how to authenticate users, meaning making them able to connect to the QlikView server.

NTFS means that all permissions are granted and managed by the OS, so you leverage on your AD administrators in order to create groups, add users to groups, and grant permissions to these groups.

As a general guideline, I always use DMS: users do not lose any functionality nor they are required to perform any additional actions, but as a QlikView administrator I can tune in tasks and permissions, always relying on a third party directory (in this case, Active Directory).

Miguel

Considerations switching to DMS mode from NTFS

Web Clients

Web Server