Skip to main content
Announcements
Qlik Introduces a New Era of Visualization! READ ALL ABOUT IT
cancel
Showing results for 
Search instead for 
Did you mean: 
markhayjoergens
Contributor III
Contributor III

Distributed applications -> to domain users (with the need to deny for defined group)

When distributing some of our applications, these are distributed to domain users across all domains, which works like a charm.

We need to be able to add a deny group, containing ~50 users from across the domain forrest. which shouldn't be able to see the applications. This was possible when manually moving reloadet applications to the production enviroment shared folders, where the NTFS security was set on a folder by folder level.

By implementing distribution of applications to said groups of users, we now don't have the same ability to throw in the DENY AD-group to the mix, as the security access-rights are set on a application level each time the application is reloaded and distributed.

Any easy way to solve this?

1 Solution

Accepted Solutions
Peter_Cammaert
Partner - Champion III
Partner - Champion III

Throw those users-to-be-denied-access out of the AD group(s)?

Or better: create a special distribution group per document in AD and add that group to the Distribution list instead of groups that are too permissive? Disadvantage: if you don't take care of AD, you'll have to ask a sysadmin to add/remove people from those groups...

And probably best but not the easiest technique: use Section Access and load permissions from your own DB. That way, you still have the management of document access rights in your own hands instead of leaving it in the hands of sysadmins or any other IT person that takes care of AD?

Best,

Peter

View solution in original post

3 Replies
Peter_Cammaert
Partner - Champion III
Partner - Champion III

Throw those users-to-be-denied-access out of the AD group(s)?

Or better: create a special distribution group per document in AD and add that group to the Distribution list instead of groups that are too permissive? Disadvantage: if you don't take care of AD, you'll have to ask a sysadmin to add/remove people from those groups...

And probably best but not the easiest technique: use Section Access and load permissions from your own DB. That way, you still have the management of document access rights in your own hands instead of leaving it in the hands of sysadmins or any other IT person that takes care of AD?

Best,

Peter

gustavgager
Partner - Creator II
Partner - Creator II

I dont think there is a "Deny" list when doing distributions from the QMC.

I agree with Peter that you should create a group with all users who should have access. If thats not pratical you could use Section access and read users from the ADgroup and then use an CSV or Excelfile to eclude specific users

markhayjoergens
Contributor III
Contributor III
Author

That's also the way it has been done now, when not being able to do this the same way - with cumulative permissions not being a possibility in regards to distribution, as it was the case when messing with NTFS for user access.