Authorization (What are you allowed to see?
What are you allowed to do?)
Once a user has been authenticated (i.e. the system knows who they are), the first step in
assigning their security privileges has been completed. The second step is to understand
what authority or rights they have to applications, data or both. This step is called
Authorization. At a fundamental level, an administrator will populate an Access Control
List (ACL) with a list of users and/or groups and what they should have access to. When
the time comes for a user to request access, the system looks up the user’s authenticated
identity in the ACL and verifies if the administrator has granted the user enough privileges
to do that.
Direct access to the QlikView Document using QlikView Desktop is always governed by
Windows NTFS File Security. Access to the web-based QlikView Enterprise Management
Console is restricted to Windows Users who are a member of a particular local Windows
Group.
DOCUMENT-LEVEL AUTHORIZATION
Once a user has been authenticated, the QVS typically handles authorization on its own. The
QVS offers the choice between storing the ACL information as Windows NTFS privileges
(applicable only when the user authenticated using a Windows user identity) or by storing
the ACL information in QlikView’s own internal repository (called DMS or Document
Metadata Service). The choice of NTFS or DMS affects access to all documents on the
QVS.
NTFS VS DMS
The QVS can use the Windows file system’s own NTFS privileges to store authorization
information. When in NTFS authorization mode, the QVS controls access to a given QlikView
document by determining if the authenticated user has NTFS privileges to the underlying
QlikView Document file (.QVW file). This is based on the operating system privileges and
Windows NTFS is used for the ACL. The privileges of the authenticated user are configured
by a server admin using standard Windows Explorer functionality via directory properties
options.
