Solved: Re: Failed to open document, You don't have access... - Page 2 - Qlik Community

alec1982 · ‎2015-09-24

hi all,

upon migrating to a new windows server, one of the dashboards that has section access on it is no longer accessible by the users.

Only users with full rights are able to access it but the ones that have section access authority, they get the error in the subject..

any idea?

Alec

alec1982 · ‎2015-09-24

all upper case. and also within the section access script. when trying to think of it.. it happens after migrating to a new server.. so it is more related to how the user is authenticated.. but not sure how to fix it..

NTNAME currently looks like SSMITH do you think I need to add the domain to it?

Report Inappropriate Content · ‎2015-09-24

How about your domain? how does it look like?

Report Inappropriate Content · ‎2015-09-24

Please share 2 lines of your section script

alec1982 · ‎2015-09-24

domain is the same. both servers on the same domain.

here is the script

//Add section access table to set up security

Section Access;

LOAD Upper(NTNAME) as NTNAME,

UPPER(NTDOMAINSID)as NTDOMAINSID,

UPPER([ACCESS])as ACCESS,

UPPER(DEPARTMENT)&'|'& UPPER(SALESMAN) as %AUTHID

FROM

[..\..\Excel Data\Authorization Table.xlsx]

(ooxml, embedded labels, table is Sheet1);

Section Application;

on the data set, there is a matching column of the %AUTHID.

source of solution:

Basics for complex authorization

stevedark · ‎2015-09-25

I would definitely add the domain ahead of the user name, separated with a backslash.

I have also had problems in the past with doing translations (e.g. UPPER and concatenate) when loading into the Section Access table. Going to a temp table first can fix that, e.g.

tmpSA:

LOAD

'' as ForceNoConcat,

Upper(NTNAME) as NTNAME,

UPPER(NTDOMAINSID)as NTDOMAINSID,

UPPER([ACCESS])as ACCESS,

UPPER(DEPARTMENT)&'|'& UPPER(SALESMAN) as %AUTHID

FROM

[..\..\Excel Data\Authorization Table.xlsx]

(ooxml, embedded labels, table is Sheet1);

Section Access;

LOAD

NTNAME,

NTDOMAINSID,

ACCESS,

%AUTHID

RESIDENT tmpSA;

Section Application;

DROP TABLE tmpSA;

The other thing to check is the NTDOMAINSID. You could try loading the Section Access table without it and see if that works. If that then allows in the users you want then check to see if the new machine thinks the domain SID is different to the old one (though this would be strange as the DC has not changed).

Hope that helps,

Steve

Peter_Cammaert · ‎2015-09-25

Steve is right, prefix all NTNAME values with their domainname, and make sure you reload at least once on the new server.

Peter

alec1982 · ‎2015-09-25

hi all,

Thank you for your help!

I figured it out and here is the solution:

The service account within the old server has access as Blank fields on the section access table. on the new server I had to change that to "*". the downside of it is all departments and salesmans need to exist within the section access table in order to show up but that is not an issue on my end as all of them already exist.

Best,

Alec

stevedark · ‎2015-09-25

Hi Alec,

That is often the case with the * symbol. I will often add extra rows to the Section Access table to add all potential values, in order that the * will work correctly.

Glad you got it worked out.

Steve

alec1982 · ‎2015-09-25

Steve,

thank you for all your help. and the document you sent over. great one!

I noticed that the service account should only have "*" to get it work. for example I added another line with blank values and another line with <any>.

but that didn't work. the users couldn't get access if I add these other rows to the service account beside "*".

Failed to open document, You don't have access to this document.