
Restrict access depending on combination of NT Groups

Hello.

I have a bunch of groups in my NT Domain.

Let's say - they are MYDOMAIN\BI_ADMIN, MYDOMAIN\BI_USER, MYDOMAIN\BI_FIELDA_1, MYDOMAIN\BI_FIELDA_2, MYDOMAIN\BI_FIELDB_1, MYDOMAIN\BI_FIELDB_2.

I want to grant access to the document using these domain groups - the first thing (is it possible?) I'd like to define is whether a user has ADMIN or USER rights to the document - if the user is in the group BI_ADMIN - he must have ADMIN access, if he is in the group BI_USER - he has USER access. Sure, it's simple if I only have such a division:

LOAD * INLINE [
ACCESS, NTNAME
ADMIN, MYDOMAIN\BI_ADMIN
USER, MYDOMAIN\BI_USER
];

And voila - I have my expected access rights.

But I need some more.

I need the groups MYDOMAIN\BI_FIELDA_1, MYDOMAIN\BI_FIELDA_2, MYDOMAIN\BI_FIELDB_1, MYDOMAIN\BI_FIELDB_2 not to grant access to the document at all - their job is to grant access to some fields, as shown in the next table:

LOAD * INLINE [
NTNAME, FIELDA, FIELDB
MYDOMAIN\BI_FIELDA_1, 1
MYDOMAIN\BI_FIELDA_2, 2
MYDOMAIN\BI_FIELDB_1, , 1
MYDOMAIN\BI_FIELDB_2, , 2
];

The next step is to combine these two wishes - so the user who is in one or many groups of MYDOMAIN\BI_FIELDA_1, MYDOMAIN\BI_FIELDA_2, MYDOMAIN\BI_FIELDB_1, MYDOMAIN\BI_FIELDB_2 but not in one of the groups MYDOMAIN\BI_ADMIN, MYDOMAIN\BI_USER must not have access to the document at all.

(1) A user who is only in the group MYDOMAIN\BI_ADMIN must have administrative access to the document, but when he opens (not reloads) a document - he must see nothing at FIELDA and FIELDB.

(2) A user who is in the groups MYDOMAIN\BI_USER, MYDOMAIN\BI_FIELDA_1, MYDOMAIN\BI_FIELDB_1 must have user access to the document, and when he opens a document - he must see all the info that corresponds to FIELDA = 1 and FIELDB = 1.

And so on.

I tried to do such stuff:

LOAD * INLINE [
ACCESS, NTNAME, FIELDA, FIELDB
ADMIN, MYDOMAIN\BI_ADMIN
USER, MYDOMAIN\BI_USER
, MYDOMAIN\BI_FIELDA_1, 1
, MYDOMAIN\BI_FIELDA_2, 2
, MYDOMAIN\BI_FIELDB_1, , 1
, MYDOMAIN\BI_FIELDB_2, , 2
];



And in case (1) I had a perfect result with one exception - the user has access to all the information. But in case (2) I had no access to the document at all.



How can I solve it?
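
The rules the post asks for, written out as a small Python reference model (an added example, not part of the original post and not Qlik script). It can serve as the expected-result table when testing a Section Access setup against every group combination. The post does not say what happens when a user is in both BI_ADMIN and BI_USER; resolving that to ADMIN is an assumption, and the function names are hypothetical.

```python
from itertools import combinations

# Group names are taken from the post. Role groups decide whether the
# document opens at all; field groups only widen what is visible.
ROLE_GROUPS = {
    r"MYDOMAIN\BI_ADMIN": "ADMIN",
    r"MYDOMAIN\BI_USER": "USER",
}
FIELD_GROUPS = {
    r"MYDOMAIN\BI_FIELDA_1": ("FIELDA", "1"),
    r"MYDOMAIN\BI_FIELDA_2": ("FIELDA", "2"),
    r"MYDOMAIN\BI_FIELDB_1": ("FIELDB", "1"),
    r"MYDOMAIN\BI_FIELDB_2": ("FIELDB", "2"),
}


def resolve_access(groups):
    """Return None (document must not open) or (level, visible values)."""
    # Windows account and group names are case-insensitive.
    member = {g.upper() for g in groups}
    roles = {role for g, role in ROLE_GROUPS.items() if g.upper() in member}
    if not roles:
        # Field groups alone never grant access to the document.
        return None
    # Assumption: a user in both role groups is treated as ADMIN.
    level = "ADMIN" if "ADMIN" in roles else "USER"
    # Start from "sees nothing"; each field group adds one visible value.
    visible = {"FIELDA": set(), "FIELDB": set()}
    for group, (field, value) in FIELD_GROUPS.items():
        if group.upper() in member:
            visible[field].add(value)
    return level, visible


def expected_matrix():
    """Expected outcome for every possible combination of the six groups."""
    all_groups = list(ROLE_GROUPS) + list(FIELD_GROUPS)
    return {
        frozenset(combo): resolve_access(combo)
        for size in range(len(all_groups) + 1)
        for combo in combinations(all_groups, size)
    }


if __name__ == "__main__":
    for combo, outcome in sorted(expected_matrix().items(), key=lambda kv: sorted(kv[0])):
        print(sorted(combo), "->", outcome)
```
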


