I am reading all QVWs in our production environment as XML and doing a simple where-used on the QVDs which contain our section access field security definitions. In all cases, the security QVD is loaded in the hidden script.
Some QVWs do not show the security QVDs in the LineageInfo table. I can't seem to see why. Is there a setting I need to check on the QVWs? Between those that show the QVD in the XML and those that do not, the hidden scripts and document security properties seem to be consistent.
There tends to be this automatic assumption to put SA script in the hidden, but I no longer follow this practice unless there is a specific reason. I think it's left over from the days when we may have put actual passwords in SA. These days, almost everyone uses the NTUSER with no password. Hidden script is a pain and I avoid it. I also don't think hidden script for SA adds meaningful to the security of the app.
Consider this story. BI Manager Sally supervises Junior QV Dev Frank. Under the security policy of the company, Sally is the only person who can update the SA tables. So Sally has write access to the SA source, whether that's a SQL table or a QVD.
Frank reloads qvws when doing desktop development. So Frank needs read access to the SA source. Meaning he could always read the source table if he wanted to. The only security hidden script provides is that it makes it harder for Frank to figure out the name of the SA source. If we need to keep Frank that isolated (not a bad thing) then Frank's development should probably use Development versions of the SA tables.
In my tests, moving the section access out of the hidden script and just sticking it at the end of the script works fine. I can now see the QVD in the document's lineageinfo.
To make this whole vision come together, I would love to be able to tell what fields are used from the section access qvd. It doesn't look like it shows these fields being sourced from the section access qvd, but from the data sources. The section access qvd does not appear in the TableDescription or SrcTables metadata entries.
Have I hit a wall here? What I've done so far is valuable, but we use section access over a number of documents, but they don't all use the same fields. Some are less detailed. Our environment is large enough that users are always asking me who has access to what and how documents are restricted. Having the information of what fields are secured allows me to answer every question.