Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Open Lakehouse is Now Generally Available! Discover the key highlights and partner resources here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
IAMDV
Master II
Master II
‎2014-02-10 12:43 PM

*** Another Section Access Question ***

Hi Guys,

I hope one of you can help! I've searched on community but I couldn't find anything relevant.

I have two documents.

1: Master.QVW with Section Access

LOAD * INLINE [
    MYFIELD
    1
    2
    3
];

Section Access;
LOAD * INLINE [
    ACCESS, USERID, PASSWORD, MYFIELD
    ADMIN, ADMIN, ADMIN,
    USER, TEST, TEST, 1
];
Section Application;
When I open MASTER.QVW with "Initial Data Reduction with Section Access" everything works as expected. I.E. TEST user can only see 1 value and ADMIN no can see everything! No surprises so far

2: APP.QVW with/without Section Access

I'm using binary load in APP.QVW which is referring to Master.QVW . When I reload APP.QVW; I can see the USERID & PASSWORD prompt and when I enter the prompt with TEST & TEST respectively then I see all the data from MYFIELD instead of 1 row.

Either I'm not thinking right here or this must be bug because anyone can perform binary reload and get all the data!!! I'm well aware of "Prohibit Binary Load" option but that's not what I'm looking for... instead I wanted to see "1" value for MYFIELD in APP.QVW.

Please let me know if this doesn't make sense!

Thanks in advance.

Cheers,

DV

1,732 Views
0 Likes
1 Solution

Accepted Solutions
Luis_Cortizo
Employee
Employee
‎2014-02-10 01:24 PM

In response to IAMDV

Sure!

Please find them attached.

P.S.: Test_SA is the document in which I loaded the example Section Access and BinaryTest_SA the one in which I performed a Binary Load of the Test_SA one.

View solution in original post

Test_SA.qvw
BinaryTest_SA.qvw
983 Views
0 Likes
14 Replies
hic
Former Employee
Former Employee
‎2014-02-10 12:50 PM

There are several situations where being "ADMIN" overrules the data reduction rules. This might be one... The idea is that ADMIN should be exactly that - an ADMIN - with no restrictions.

Try to do the same thing with USER access.

HIC

983 Views
luis_pimentel
Partner - Creator III
Partner - Creator III
‎2014-02-10 12:52 PM

Hi Deepak

If you are ADMIN, you can overwrite the section access after a binary laod. The rule is : qvw inherit section access from the binary load but if you build a new section access in the calling qvw this will override rights defined in the binary, that's why you have the option "prohibit binary load" in order to avoid a user to do a binary and rewrite the Section Access.

So yes, you are right, anyone can perform binary reload and get all the data.

Cheers,

Luis.

983 Views
0 Likes
IAMDV
Master II
Master II
‎2014-02-10 01:06 PM
Author

In response to luis_pimentel

Luis - Thanks for quick response. I can't believe it but I guess I have to believe it! So anyone can perform binary reload and extract all the data irrespective of SA. I understand that SA is applied after the reload but I'd expect it to return only reduced data set.

HIC - Thank you for your time. I'm trying to extract the data of "USER" access and in the above example it's "TEST". So it shouldn't return all the data and in fact it worries me that anyone who has basic access to MASTER doc and Desktop client can see all the data. Unless we assume that all the Desktop client users are "ADMINS".

May be I'm over reacting but I'm worried about this issue!!


DV

983 Views
0 Likes
Luis_Cortizo
Employee
Employee
‎2014-02-10 01:09 PM

Have you checked the "Initial data reduction based on section access" check on the second document?.

Even if the binary load inherits the section access from the first document, if you don't check it no reduction will be performed.

I've just loaded your example tables in two QlikView documents and it works just find. The second document inherit the section access from the first one, ask for user and password and reduces the data.

However, if I don't activate the reduction check it asks for user and password but don't reduce anything.

983 Views
0 Likes
IAMDV
Master II
Master II
‎2014-02-10 01:15 PM
Author

In response to Luis_Cortizo

That's interesting! Do you mind posting both the Apps. I'm using "Initial data reduction based on section access" on the second document. I thought about it and expecting the data to reduce. But I'm not implementing SA on the Second document.

Thanks for your help,

to

Cheers,

DV

983 Views
0 Likes
Luis_Cortizo
Employee
Employee
‎2014-02-10 01:15 PM

In response to IAMDV

"anyone who has basic access to MASTER doc and Desktop client can see all the data. Unless we assume that all the Desktop client users are "ADMINS""


No over reacting at all, but for me it makes sense.


The second document is performing a binary load from the first one and the person who is reloading is allowed to pass throught the section access (as they have a user and a password), but as the second QlikView document is not configured to perform a data reduction on opening it doesn't (even when the section access get inherited).


For me it's the same scenario as if anyone develops a really secure and complex section access but don't check the reduction option On Opening.

983 Views
0 Likes
Luis_Cortizo
Employee
Employee
‎2014-02-10 01:24 PM

In response to IAMDV

Sure!

Please find them attached.

P.S.: Test_SA is the document in which I loaded the example Section Access and BinaryTest_SA the one in which I performed a Binary Load of the Test_SA one.

Test_SA.qvw
BinaryTest_SA.qvw
984 Views
0 Likes
IAMDV
Master II
Master II
‎2014-02-10 01:24 PM
Author

In response to Luis_Cortizo

"For me it's the same scenario as if anyone develops a really secure and complex section access but don't check the reduction option On Opening."

I agree Luis! and I've seen loads of Developers not checking this box because it will restrict when you have conflicting access levels. However, I'd think whoever don't check this box as either "Lazy Developer" or "Novice Developer". My point is that you have the option to restrict the data. But in my example I either want an option or have a pessimistic approach by reducing the data instead of showing full data! After all, we are talking about application security and I'd expect to minimal access wherever possible.

Do you mind posting your example where you think it works (data reduction works on second document)?

I can see the attachment... please ignore the above message.

Thanks again.

Still

DV

983 Views
0 Likes
Luis_Cortizo
Employee
Employee
‎2014-02-10 01:30 PM

In response to IAMDV

"After all, we are talking about application security and I'd expect to minimal access wherever possible."

Yes, I agree absolutely. As I totally agree on the need for security I wouldn't let the user to perform a binary load freely of sensible data anyway.

Take into account that the reduction is performed when you open the QlikView document. So right after the reload you will be able to see everything. If you save the document when you open it again it will ask for UserID and Password and then it will reduce the data (if anyone has activated the check).

Maybe is it an option to distribute to the people whom are going to perform the binary load an empty copy of a QlikView document with the option already checked?.

983 Views
0 Likes