Qlik Community

QlikView App Dev

Discussion Board for collaboration related to QlikView App Development.

Announcements
Now Live: Qlik Sense SaaS Simplified Authoring – Analytics Creation for Everyone: READ DETAILS
cancel
Showing results for 
Search instead for 
Did you mean: 
cbushey1
Creator III
Creator III

AD Group in SA

Hi there,

I am trying to configure our Section Access to use AD groups and I have a couple of questions as I am unable to get this to work.

1. Does it matter what type of AD group (Local, Global, Universal)?

2. What is the proper way to specify it in the script? 

3. Do I need to specify the domain? It is the same domain as everything else.

 

Assuming the name of my AD group is qlik_developers, and it is created within the business unit of Application...

LOAD * INLINE [

ACCESS, NTNAME, ROLE

ADMIN, QLIK_DEVELOPERS, ROLE1

];

 

Thanks in advance!

Labels (4)
17 Replies
qliksus
Specialist II
Specialist II

A simple way is to use the function  OSUSER() to find out how Worldview recognize the userid of your AD . Use the same name returned by the function in the section access 

 

LOAD * INLINE [

ACCESS, NTNAME, ROLE

ADMIN, "What the function OSUSER retruns", ROLE1

];

 

atoz1158
Creator II
Creator II

Hi

 

We AD Groups in our Section Access and it work correctly.

All our AD groups are Global and we always qualify with the domain name as follows

 

LOAD * INLINE [

ACCESS, NTNAME, ROLE

ADMIN, DOMAIN\QLIK_DEVELOPERS, ROLE1

];

Cheers
Adrian

 

cbushey1
Creator III
Creator III
Author

What about the group type? Is it security or distribution?

atoz1158
Creator II
Creator II

Hi

The type is security

Cheers

Adrian

cbushey1
Creator III
Creator III
Author

Is your security group in a OU? 

Mine is and I can not get it to find it. 

Section Access;

Star is *l

Security:

LOAD * INLINE[

ACCESS,NTNAME,USERROLE

ADMIN,USA\QLIK_DEVELOPERS,ROLE19

];

Section Application;

// USA is my domain, and qlik_developers is the name of the security group.

 

atoz1158
Creator II
Creator II

Hi

Yes they ares, the following are a couple of the groups "distinguishedName" (got via LDAP) we have

CN=Qlikview Administrators,OU=QlikView Groups,OU=Security,DC=spock,DC=startrek,DC=com
CN=Qlikview Regional Account Managers,OU=QlikView Groups,OU=Security,DC=spock,DC=startrek,DC=com

spock is the domain name

Regrads

Adrian

BinayKumarSah
Contributor III
Contributor III

You can use groups and user names in the NTNAME field in a section access table. So if you'd rather use AD groups then use those instead of the user names. 

 

Please check this link already available in community may be helpful,

 

http://community.qlik.com/thread/57817

Brett_Bleess
Employee
Employee

Seems most of the pertinent info has been covered below, but you did not mark anything as the solution, so please be sure to close out the thread by doing so, if you did something different, you can post that and then use the Accept as Solution button on that post...

Here are some likely useful links, but I also wanted to reiterate some points, things need to be in format of DOMAIN\USER or GROUP and they must be Security objects, Distribution objects will not work.  I believe all three security types should work but cross-domain may cause issues, just FYI, but it sounded like you had everything in a single domain.  

https://help.qlik.com/en-US/qlikview/April2019/Subsystems/Client/Content/QV_QlikView/Security.htm

https://community.qlik.com/t5/Qlik-Design-Blog/A-Primer-on-Section-Access/ba-p/1465766

Those two links should allow you to double-check things, and oh, last thing I did forget to mention is everything in the Section Access table load MUST be uppercase too, forgot that one.

Regards,
Brett

To help users find verified answers, please do not forget to use the "Accept as Solution" button on any post(s) that helped you resolve your problem or question.
I now work a compressed schedule, Tuesday, Wednesday and Thursday, so those will be the days I will reply to any follow-up posts.
cbushey1
Creator III
Creator III
Author

Brett, 

Thanks for the reply and the extra material. 

I have not been able to get this to work yet, and in total transparency, I have not spent anytime on it in the last few weeks as there have been other priorities. I do want to get back to this and I do want to make this work as it will help us out a great deal. 

You mentioned it is more complicated if there are multiple domains and I am wondering if that is contributing to my problem. We have a few domains or sub-domains (not really my expertise). I will review the links and get back here once soon.