We are attempting to hide salary lines for some users and ran into a problem. When we added the appropriate lines to the Section Access (see "Changed Section"), Salary was hidden from everyone, including those with QVAdmin rights. Clearly not a desirable outcome.
Goal: Prevent those in the QV_OmitSalary AD group from seeing their dept's Salary information, but allow them to see the other dept expenses.
Questions:
What is restricting the admins from seeing the Salary information?
Does anyone see anything wrong with the changed section?
TIA,
John
QV v11.2 SR9
Original:
Section Access;
LOAD * INLINE [
ACCESS, NTNAME, DEPT_NUMBER_SECURITY, USERID, PASSWORD
ADMIN, *, *, QVADMIN, QVADMIN
ADMIN, COMPANY\QLIKVIEW_ADMINS, *, *, *
... this section allows those in their dept (ie: 104, 105, etc...) to see the expenses for their dept, but not any other dept.
USER, COMPANY\QV_ExpenseMgmt_104, 104, *, *
USER, COMPANY\QV_ExpenseMgmt_106, 106, *, *
... about 20 lines removed
USER, COMPANY\QV_ExpenseMgmt_All, *, *, *
];
Changed Section:
Section Access;
LOAD * INLINE [
ACCESS, NTNAME, DEPT_NUMBER_SECURITY, USERID, PASSWORD, GLCODE_FIRST4
ADMIN, *, *, QVADMIN, QVADMIN, *
ADMIN, COMPANY\QLIKVIEW_ADMINS, *, *, *, *
... this section allows those in their dept (ie: 104, 105, etc...) to see the expenses for their dept, but not any other dept.
USER, COMPANY\QV_ExpenseMgmt_104, 104, *, *, *
USER, COMPANY\QV_ExpenseMgmt_106, 106, *, *, *
... About 20 lines removed ....
USER, COMPANY\QV_ExpenseMgmt_All, *, *, *, *
... newly added lines start here .... allows users in the AD group rights to their dept (505/585) for the listed GLCodes (4820)
USER, COMPANY\QV_OmitSalary, 505, *, *, 4820
USER, COMPANY\QV_OmitSalary, 505, *, *, 4821
USER, COMPANY\QV_OmitSalary, 505, *, *, 5830
... about 120 lines removed with different GLCodes
USER, COMPANY\QV_OmitSalary, 585, *, *, 4820
USER, COMPANY\QV_OmitSalary, 585, *, *, 4821
USER, COMPANY\QV_OmitSalary, 585, *, *, 5830
... about 120 lines removed with different GLCodes
];
One thing to keep in mind here is that the star wildcard in the reduction field represents all values listed in the section access table. It does not represent all values loaded in your data table. If all possible values from the data are represented in the Section Access table, then the star will be equal to all data. If you do not have Section Access: Strict Exclusion enabled, try using a reduction value that does not exist if you intend to give the user access to ALL data. For example, I often use the reduction value <ALL VALUES> to indicate the intention.
Please notice that all values in Section Access must be in upper case. In this example your NTNAME values are not in UPPER case.
If you find that the reduction is not accurate for a specific user, my suggestion is that you disable section access and validate the reduction by manually applying the reduction (selection). Will the data reduce as expected when you apply the reduction values manually?
IMPORTANT: Always make a backup of your QVW before changing Section Access, so that you can revert to the backup if you lock yourself out.
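The star behaviour described above, as an added example that is not part of the original post: a simplified Python model of the reduction (not QlikView code) using the thread's group names. The salary GL code 6000, the sample data rows, and the rule that a Section Access row must match a data row on both reduction fields are assumptions made for illustration.

```python
# Simplified model of Section Access reduction (added example, not QlikView code).
STAR = "*"
FIELDS = ("DEPT_NUMBER_SECURITY", "GLCODE_FIRST4")
SALARY = "6000"  # constructed placeholder; the thread does not give the salary GL code

def table(*rows):
    """Build Section Access rows from (NTNAME, dept, glcode) tuples."""
    return [dict(zip(("NTNAME",) + FIELDS, r)) for r in rows]

def expand_star(access_rows, field):
    """'*' = every value LISTED in this Section Access column, not every value in the data."""
    return {r[field] for r in access_rows if r[field] != STAR}

def visible_rows(access_rows, data_rows, ntname):
    """Data rows that survive reduction for one NTNAME (assumed: row-wise match on both fields)."""
    listed = {f: expand_star(access_rows, f) for f in FIELDS}
    mine = [r for r in access_rows if r["NTNAME"] == ntname]
    return [d for d in data_rows
            if any(all(d[f] in (listed[f] if r[f] == STAR else {r[f]}) for f in FIELDS)
                   for r in mine)]

def sees_salary(access_rows, ntname):
    return any(d["GLCODE_FIRST4"] == SALARY for d in visible_rows(access_rows, DATA, ntname))

# Constructed data: two departments, two expense codes plus the salary code.
DATA = [{"DEPT_NUMBER_SECURITY": d, "GLCODE_FIRST4": g}
        for d in ("104", "505") for g in ("4820", "4821", SALARY)]

# Shape of the "Changed Section": no row lists the salary code in GLCODE_FIRST4.
CHANGED = table(
    ("COMPANY\\QLIKVIEW_ADMINS", STAR, STAR),
    ("COMPANY\\QV_ExpenseMgmt_104", "104", STAR),
    ("COMPANY\\QV_OmitSalary", "505", "4820"),
    ("COMPANY\\QV_OmitSalary", "505", "4821"),
)
# Same table once the salary code is represented in the column (constructed admin row).
ALL_LISTED = CHANGED + table(("COMPANY\\QLIKVIEW_ADMINS", STAR, SALARY))

if __name__ == "__main__":
    for name, tbl in (("changed", CHANGED), ("all values listed", ALL_LISTED)):
        for group in ("COMPANY\\QLIKVIEW_ADMINS", "COMPANY\\QV_OmitSalary"):
            print(f"{name:18} {group:28} sees salary: {sees_salary(tbl, group)}")
```

In this model the admin row's star on GLCODE_FIRST4 covers only 4820 and 4821 until some row lists the salary code, which matches the symptom in the original question; the QV_OmitSalary rows stay restricted either way.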
Toni,
Thanks for the reply.
The upper case rule does not seem to apply to the AD groups.
Using lower case for the AD group (COMPANY\QV_ExpenseMgmt_xxx), people are permitted to see only their department information. The app has worked with lower case AD group names for over a year now.
When I uppercase COMPANY\QV_ExpenseMgmt_xxx, my test user is requested to enter her p/w.
John
Hi John,
According to the Qlik 11.20 SR10 Reference page 421 "All the fields listed in Load or Select statements in the section access must be written in UPPER CASE."
Let me update my post with the whole text from the reference manual.
All the fields listed in Load or Select statements in the section access must be written in UPPER CASE. Any field name containing lower case letters in the database should be converted to upper case using the upper function, see upper(textexpression) (page 337), before being read by the Load or Select statement. However the user ID and the password entered by the end-user opening the QlikView documents are case insensitive.
I am not sure why Qlik requires this, but it is documented that way.
Bill
The field names yes, but other than that, I agree with John that values in the fields NTNAME, USERID, PASSWORD can be in lower/mixed case.
One thing to add to Toni's answer would be the notion that ADMIN rights are only intended for offline distribution to restrict the users' ability to alter the security settings. What these admins can see is, like the rest of the users, the values listed in the section access table.
I am glad to see that Henric validates my comment about capital letters in his comment on post Section Access
Bill
Hi Bill, Do we actually disagree??
Yes, all field names should be in capitals and all values in fields should be in capitals, except for the system field values in USERID and PASSWORD (so field names still in capitals). Although not specifically mentioned in the reference manual, I think this applies also to the NTNAME and probably AD Group fields (haven't tried).
Hi,
I was taught when I joined Qlik 8 years ago that everything in section access had to be capitalized. USERID and passwords are not case sensitive so these being capitalized is not going to cause an issue with login.
Bill