
Active Directory User Groups for Authorization in a QlikView Application

I would like to set up an authorization in my QlikView Application using AD groups, which are set up already.

So different user groups have (or do not have) the authorization to see (and click on) navigation points. With a condition [match(OsUser(),'CORP\ADGroup') ] on a textbox it is definitely possible with single users... but with an AD group? Does anybody have experience with this?

3 Replies
Gysbert_Wassenaar

You can use AD groups for setting up authorization using Section Access. You can use that to populate a small table with values and reduce it with section access so members of a group do have access to some values in that table and the other users don't. You can then use that table to drive access (or rather visibility and use) of other objects like text boxes etc.


talk is cheap, supply exceeds demand
adamdavi3s
Master

If you want to do something directly with the group then you could pull the data into your dashboard from SQL.

Setting up SQL to pull AD data isn't that bad. We do this, as I linked AD groups into the governance dashboard template to allow us to map user NTFS access to user Qlik access.

http://qlikanddirty.com/2016/08/25/querying-ldap-to-pull-back-people-in-ad-groups/

Peter_Cammaert
Partner - Champion III

The difference between the Section Access solution mentioned by Gysbert and your match technique is that Section Access will not only try to match usernames with identical SA table entries but will also try to detect group membership of the current user in all possible groups in your Section Access table. This is the perfect solution to your access management challenge. For example, in a Section Access table you can specify entries like the following (LINKFIELD is an optional reduction field; omit it if you only require access control):

SA:
LOAD * INLINE [
ACCESS, NTNAME, LINKFIELD
ADMIN, CORP\Administrator, *
USER, CORP\UserBob, BOBSREGION
USER, CORP\ADGroup, NORTHREGIONS
USER, CORP\DeptBUsers, SOUTHREGIONS
USER, CORP\QVDEVELOPERS, *
:
];

Two users will get individual access, other users will get access because they are members of groups ADGroup, DeptBUsers or QVDEVELOPERS and everyone else won't even get in.

This externalises the actual access management of a particular QV document to Active Directory tools.

Best,

Peter
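
The two replies above combine into one load script: a Section Access table keyed on AD groups reduces a small driver table, and each navigation object tests that table in its conditional show expression. This is an added example, not code posted by anyone in the thread; NAVGROUP, NAVITEM and NavRights are assumed names, and the CORP\... accounts reuse the placeholders from Peter's table.

```qlikview
// Added example: AD-group-driven visibility of navigation objects.
// Assumed names: NAVGROUP (reduction field), NAVITEM, NavRights.
// Requires Document Properties > Opening > "Initial Data Reduction Based on
// Section Access" (with "Strict Exclusion") so the reduction is applied on open.

Section Access;
SA:
LOAD * INLINE [
    ACCESS, NTNAME, NAVGROUP
    ADMIN, CORP\ADMINISTRATOR, *
    USER, CORP\ADGROUP, NORTH
    USER, CORP\DEPTBUSERS, SOUTH
    USER, CORP\QVDEVELOPERS, *
];
Section Application;

// Driver table linked to Section Access through NAVGROUP.
// Field name and values are upper case because Section Access converts
// everything it loads to upper case, and the link must match exactly.
NavRights:
LOAD * INLINE [
    NAVGROUP, NAVITEM
    NORTH, SALES
    NORTH, STOCK
    SOUTH, SALES
    SOUTH, FINANCE
];

// '*' in NAVGROUP means "every NAVGROUP value listed in the Section Access
// table" (here NORTH and SOUTH), not every value present in the data model.

// Conditional show expression for the "Finance" navigation text box
// (Properties > Layout > Show > Conditional). The {1} set ignores user
// selections, so the test depends only on what survived data reduction:
//   =Count({1<NAVITEM={'FINANCE'}>} DISTINCT NAVITEM) > 0
//
// Members of CORP\DEPTBUSERS keep the SOUTH rows, so the expression is true.
// Members of CORP\ADGROUP keep only NORTH rows, so the text box stays hidden.
// Users matching no row are refused when they try to open the document.
```

Conditional show only hides the navigation object; data behind it stays reachable unless it is also linked to a reduction field, so sensitive tables need their own link to Section Access.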