Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
cedriclupo
Partner - Contributor III
Partner - Contributor III

NTFS AD Group Authorization on access point

Hello Qlik friends,

I have created 3 folders all containing Qlik documents.

     - Project1 on folder 1

     - Project2 on folder 2

     - Governance Dashboard on folder 3

Server is part of a windows domain

Server is configured as NTFS authorization

The 3 folders are mounted and accessible by the QMC

No publisher

SMB License (no DMS)

The aim is to make appear the correct applications in the access point depending on the user AD group, keeping the NTFS inheritance on each Windows folder.

So far, it works only when I add a single user to access the file, but it does not seem to work on AD group level.

Is it something that is not set well in the QMC?

Is it recommended to create a local group containing domain group?

Thank you for your answers

Cédric

5 Replies
zhadrakas
Specialist II
Specialist II

AFAIK that's not possible with ad groups. Are the user member of a ad group which aren't allowed to access this sheet you couldn't give them access in any way - one access denial meant it's always denied regardless if there are further authorizations.

This meant you need to use single user instead of user groups (this mustn't be done manually - there are ways to read an ad, for example Search Recipes | Qlikview Cookbook) or more practically by 5 users: you used a visibility-condition for this sheet like:

if(match(osuser(), 'user1', 'user2', ...), true(), false())

Peter_Cammaert
Partner - Champion III
Partner - Champion III

What are the (wrong) permissions you do get when you apply your AD groups to different folders? Do all users get access to too many documents? Or is everybody denied access to every document?

cedriclupo
Partner - Contributor III
Partner - Contributor III
Author

Hello Tim,

it's not about sheets but about showing the documents in access point, which means that I can't add script: this is managed by AD.

cedriclupo
Partner - Contributor III
Partner - Contributor III
Author

Hi Peter,

If I input just the groups in the permissions, nobody has access to anything.

cedriclupo
Partner - Contributor III
Partner - Contributor III
Author

So if I can resume, here are the possibilities:

1)  We use publisher -> we create manual groups (you can't use AD groups)

2)  We have an enterprise edition (not SBE) and we create manual groups (you can't use AD groups)

3)  We have SBE edition (no DMS possible) and we add users one by one

I wonder why we can't use AD groups, it would be so much easier as it's already set up and no risk of error. It could directly be managed by help desk.