Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

LOOPHOLE IN SECTION ACCESS???

We have a major problem. We have SECTION ACCESS created based on a field named CLIENT_ID and are using Active Directory accounts, however a userid that has no data whatsoever is able to see ALL clients' data.

The application has "initial data reduction based on section access" checked but "strict exclusion" unchecked. (Checking strict exclusion seemed to make the security go haywire and was asking the user for a QV user name and password after they entered their AD user name / password). "Reduce data" on the Security tab is also checked.

SECTION ACCESS;
LOAD * INLINE [
ACCESS, NTNAME, CLIENT_ID, BILL_TO_NDCS
ADMIN, CRENT\SALLEN, *, *,
ADMIN, CRENT\QLIKUSER, *, *,
USER, "CRENT\SCE XXX Users", XXX, *

There is NO data whatsoever with CLIENT_ID XXX OR BILL_TO_NDCS beginning with XXX, hwoever, when we log into the application under a userid in the CRENT\SCE XXX Users group, we are seeing ALL DATA.

This is an urgent problem / bug. If a client has no data, they should not see anything. They should never see other data!?!?!?

1 Solution

Accepted Solutions
Not applicable
Author

I figured it out... I had no data at all that the section access was joining to. Since it can't join to a null, it was showing that client everything. I created a client ID table in the section application that has all client IDs (regardless of whether they have any data elsewhere) and it now works as I expected it. Weird loophole.

View solution in original post

4 Replies
Not applicable
Author

When you set the field you are limited data on (user id) to * it is a wild card field and means they can see all data.

I'm useing section access in the same way and do not have this issue. Do not use * in any field unless you want that user to see all available data in the document.

Not applicable
Author

I figured it out... I had no data at all that the section access was joining to. Since it can't join to a null, it was showing that client everything. I created a client ID table in the section application that has all client IDs (regardless of whether they have any data elsewhere) and it now works as I expected it. Weird loophole.

Not applicable
Author

Hello, I comment to you that we create a document excel and it is there where we give the accesses for module, I attach an example, probably could be useful.

---------------------------------------------------------------------

Section Access;
LOAD
[ACCESS],
NTNAME
FROM (biff, embedded labels, table is [Modulo A$]);
Section Application;

----------------------------------------------------------------------------------------------

Format of file:

ACCESS NTNAME
Admin rsmigi\qlikview
User rsmigi\lwalton

Not applicable
Author

Thank you. I found out that the issue was the the key data file which my SECTION ACCESS field was joining to had no data for that client_id. I believe that since QV cannot join to a null, the SECTION ACCESS data did not link to anything, thereby allowing the user to see all data.

Nasty loophole IMHO.