Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
max_potass
Creator
Creator

Failed to open document, You don't have access to this document.

Hello everyone,

I recently tried to limit Access with Section Access and NT Name.

This works local, but sadly not on the Server. I get the following Message:

Failed to open document, You don't have access to this document.

Does anyone know, what can cause this?

Best Regards

Max

20 Replies
Miguel_Angel_Baeyens

SAUSER is not a key field for the section access. To make it work you MUST have the NTNAME field in the section access table.

Where this NTNAME is coming from or how it is loaded is a different story. That is, NTNAME does not mean a user in the active directory, it can be a list of users from any other table or identity management or user access system. But there must be an NTNAME field in the form DSC\USERNAME in the section access table where DSC is the name of the DSC in the QMC.

max_potass
Creator
Creator
Author

I am not sure, what you mean.

I am not able to see what the actual NTNAME is, as this field is not shown, as it is part of section access.

What I can see is, the SAUSER and the OsUser().

I this particular case, I always see the SAUSER which belongs to the Qlik-Server. It does not matter if I open the Application via Browser or desktop Application and it does not matter, which user I am actually using. (Acces over the QlikView-Access-Point or directly the file on the server with desktop app. This only applies, after the app was published. Before it works just fine.)

To make it clear again: It does work on the Desktop app, before we publish. The correct user is detected, the fields are accordingly reduced, I only see the selected sheets. So no problem there.

Following the Script I use:

Access:

LOAD

SAUSER,

Name,

     FIELDACCESS.BU,

     TABACCESS.Turnover,

     TABACCESS.Helpdesk,

     TABACCESS.Stage_Gate,

     TABACCESS.KAM

FROM

\\qlikpv01\BusinessUnit\Access.xlsx

(ooxml, embedded labels, table is Access);


LOAD //Fieldaccess.BU is used to hide several BU-Fields, therefore it is linked to the different BU-Fields.

FIELDACCESS.BU,

     BU,

     SG_BU,

     Jira_BU,

     PP_BU

FROM

\\qlikpv01\BusinessUnit\Access.xlsx

(ooxml, embedded labels, table is BU);

The Access-Table is sctrucured as follows:

    

ACCESSNTNAMESAUSERNameFIELDACCESS.BUTABACCESS.TurnoverTABACCESS.HelpdeskTABACCESS.Stage_GateTABACCESS.KAM
ADMINXXX\1000len-34543454XXX YYYAll1111
USERXXX\1000len-86788678XXX YYYBU11110
USERXXX\1000len-43554355XXX YYYBU21101
USERXXX\1000len-25682568XXX YYYBU31111
USERXXX\1000len-41914191XXX YYYBU40111
Peter_Cammaert
Partner - Champion III
Partner - Champion III

You can see NTNAME. It has the same value as the one returned by function OSUser(), only converted to upper case (which shouldn't be a problem) So if you display OSUser() in a text box on a sheet, and open a copy with section access disabled (statement commented out, not removed), you should be able to

  • compare loaded values for NTNAME and compare them with OSUser() return values.
  • test your document by displaying NTNAME in a listbox (server object) and selecting the NTNAME value that corresponds with your current account. What happens with the data?

Also note that to avoid any problems, you should always reload your section access data on the server. Never just distribute a document that was only reloaded on your laptop/desktop.

Best,

Peter

max_potass
Creator
Creator
Author

Hello Peter,

as I said, I did check the OsUser and it is correct. But it is not all caps, as I have the domain included. (I red that then, all caps is not necessary, and it does work, as I get a single correct value for SAUSER)

My Problem is, that the NTNAMEs are not detected correctly on the server, if I publish the application. It is always the NTNAME of the Server not the NTNAME of the actual user.

I am currently trying to figure out, if the NTNAME and the OsUser() are different after turning on Section Access. (I checked if the NTNAME/OsUser on the server are different from the local ones, but they are not different.

Therfore I know, I used the correct NTNAMES in the Section Access List.

So the NTNAME and the OsUser should still be the same in my application. But I think, this is not the case, as I clearly see, that the NTNAME is always the NTNAME of the server, not the logged in User)

Peter_Cammaert
Partner - Champion III
Partner - Champion III

And with the Logged in user, you mean the ID that is displayed in the top-right corner of the AccessPoint landing page (after "Welcome...")?

Peter_Cammaert
Partner - Champion III
Partner - Champion III

You were referring to a field (?) called OsName which wasn't familiar to me..

max_potass
Creator
Creator
Author

My Bad, I meant OsUser() Function. Sorry.

max_potass
Creator
Creator
Author

Hi Peter,

I have the Problem, that the OsUser() is not equal to the NTNAME.

If you Reload the Application it works.

The Problem now is, that the Script in the AccesPoint Folder (the published version) is empty, so there is nothing to reload.

If I manually replace this file with my original file, it works. But that is not really what I want.

How do I publish and distribute an Application with the script?

max_potass
Creator
Creator
Author

Hello Peter,

I figured out the problems.

1. We publish into a folder, which deletes the Script and also locks in the NTNAME to the Publisher NTNAME.

We fixed this, by just copying the .qvw directly into the QV-Access Point. Now the NTNAME is correct and it works fine.

2. Now we have to reload the data, as we cannot publish it, as it does not work then. We tried to use a script, which reloads "on open". Sadly, this does not work on the server. So we currently cannot reload our data, which renders the whole thing useless...

Is there a way to fix Problem 2 or another way for Problem 1?

And thanks for all the answers, btw.!

Peter_Cammaert
Partner - Champion III
Partner - Champion III

You seem to be using a Publisher. A Publisher will always delete the script in the User document, but not in the Source document. Source documents can always be reloaded and published to a User document on a particular QVS. If you made the mistake of configuring both Source Documents folder and Document root as the same folder, then undo this and put your original documents in a separate Source Document folder. Then publishing (and opening) documents will work as expected.

What do you mean by "use a script, which reloads "on open"'? You cannot do that on a server because the process that does the reloads (QDS) is different from the service that displays documents (QVS). They can even be running on different machines on different continents. On a server, your document must be reloaded before it can be opened and displayed.

Or am I missing something here?