DMS security using NT users and local security gro... - Page 2 - Qlik Community

abm_trevor · ‎2016-05-31

For various reasons around client AD security rules I am trying to implement a document access regime using the following:

DMS security
Local security groups on the QlikView server
Domain (NTFS) users only within the local security groups

From a physical standpoint this works fine - the right users are getting access to the right documents via the local security groups. The issue I have is that when I look at a User in the QMC it does not reflect any of the local groups that they belong to or any of the documents they can access via the local groups. This makes it very cumbersome to establish who has access to what.

Is there a setting or something in QlikView that will allow me to display this information correctly? It will work perfectly if I use Domain security groups, but there are some logistical internal reasons that this will become very inefficient.

Thanks

Trevor

syukyo_zhu · ‎2016-06-01

Hi marcus,

But you can also get access information from file pgo if you use NFTS.

marcus_sommer · ‎2016-06-01

That's good to know - I haven't never used NT and with DMS those informations aren't there.

- Marcus

marcus_sommer · ‎2016-06-01

What "works better" - what are the benefits?

- Marcus

Peter_Cammaert · ‎2016-06-01

(Sorry for being late, someone rang at the door)

Marcus & xia, I don't think Trevor is using anything from the Custom Directory area. Simply because in QlikView it is still impossible to mix for instance AD accounts and Custom groups and vice versa.

Local (machine) directory groups and AD accounts on the other hand offer one very important advantage: the QlikView Administrator is usually boss on his/her own QlikView server and can add/remove/manage users easily by putting them in local groups that are under his/her control. Instead of having to ask a company sysadmin every time a user needs to be granted/deneied access to a document (and getting a service ticket and an unknown completion time).

So IMHO all of this is already happening in a Windows NTFS & AD environment, with only one catch: QMC doesn't know how to properly display group membership between two directory providers.

Peter

Peter_Cammaert · ‎2016-06-01

Then I think this is pretty much unavoidable. See my other (late) answer.

OTOH it's just the QMC that is having problems with displaying the correct info.

Best,

Peter

abm_trevor · ‎2016-06-01

Thanks Peter

Yes, your previous reply hit the nail on the head. Everything is working as expected except the QMC recognising the local group membership and document access in the Users tab.

Normally I use domain groups and it works perfectly, but in this case the process of adding and changing domain group access is quite cumbersome and slow so I was trying to get around that by using local groups which are under our own control.

So my options appear to be follow the slower process through domain groups or use local groups and pull the missing security information into a QlikView document.

Thanks all for your assistance.

Trevor

DMS security using NT users and local security groups