Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Is it possible to run QV Publisher tasks under different users. The reason i am asking this is the following :
For instance we have 2 domains : Marketing and Sales. Users from Sales are
not allowed to access certain Marketing info. But as a consequence of the
fact that all the Publisher tasks run with the same user, there is no
possibility to do this. Actually, if the sales people know the name and
location of the Marketing data, they can use this path in their script and
schedule it in the publisher. The publisher runs this task with the
global machine user, which runs also tasks for finance, and has access to as
well the Sales as the marketing data.
This seems to be a security leak to me, because in this way users can see data, they are not allowed to!
Is there any solution for this or am i working in a wrong way?
Regards
Sven
Why should the users other than the QlikView Administrators have access to the QMC to reschedule Publisher tasks?
Hi Martin
Even if it is the Qlmikview admin, also then it doesn't seem normal to me that a task scheduled for Sales can access any Marketing data, even if Sales has no rights to this data
Thanks for your quick reply
A task does not have access to data - a QlikView Application has. The task simply reloads and if necessary distributes/publishes the qvw file.
Are you aware of the Section Access feature with the "Initial data reduction based on section access" option? I believe this should cover your concerns.. Attached you can find a useful introduction section access.
Ok the task simply reloads, but imagine that we have 3 users :
AdminU (=the Qlikview Admin user who runs the tasks)
SalesU (=A user from sales)
MarkU (= User from Marketing)
AdminU as QV admin has rigths to ProductsSold.qvd AND Campaigns.qvd
SalesU only to ProductsSold.qvd
MarkU only to Campaigns.qvd
Then, considering the script below ... if we run this script with user AdminU, then we are able to access Campaigns.qvd, even if this application was built by SalesU :
Sales:
LOAD *
FROM
Marketing:
LOAD *
FROM
The following sentence confuses me:
On the one hand you are saying "AdminU as QV admin has rigths to ProductsSold.qvd AND Campaigns.qvd" and on the other hand it suprises you "if we run this script with user AdminU, then we are able to access Campaigns.qvd, even if this application was built by SalesU".
Have you considered working with Folder security instead?
Martin
If we use AdminU as QDS-account (QDS : Qlikview Distribution Service), then we MUST give AdminU access to both QVDs because he runs tasks as wel for Sales as for Marketing.
And that's the whole problem. SalesU can put this in his script :
Marketing:
LOAD *
FROM
And although he does not have access to this data, he will be able to retrieve the data because the job in the publisher is executed by the AdminU account. That's my question, can we run scheduled tasks at night on a server (via the publisher) with the rigths of the user who created this task instead of that 1 user who executes all the tasks
Hi,
You can use NTFS security, so even if for example a Marketing user tries to reload info taken from a Sales QVD, he won't be able to do it. Also you may want to give it a check to QlikView Deployment Framework which is a group where you can find documentation of how to deploy QlikView in an enterprise environment,
regards
I would say it´s a matter of planning and administrate..
As suggested, if someone has access to Administrator account, and put script varibles in load statements, that is not suppose to be done, for security reasons, then I would say that you have to see over your planning for folder security.
But you could run a batch/vbs script, execute it with a Sales vs Campaign user calling Qv.exe instead of running it with QlikView Distribution Service
Hi Sven,
Take a look at the attached. I am sure this will help you on what you want to do.
Bill