marc_behrens
Partner - Contributor III

Section Access, AD Groups and Kerberos

Hi everybody,

Yesterday I had the following problem, and because I could not find anything that described my problem properly, I thought I should post the solution, just in case someone else might be looking for it.

I was trying to implement section access to an existing qvw-document just as it's described in every tutorial.

LOAD * INLINE [
     ACCESS, NTNAME, GROUP
     ADMIN, domain\grp_admin, 0
     USER, domain\grp_user, 1
];

(The "GROUP" field is for data reduction.)

There was just one thing: it did not work... If I changed the "NTNAME" information from AD groups to AD usernames like

LOAD * INLINE [
     ACCESS, NTNAME, GROUP
     ADMIN, domain\username, 0
     USER, domain\grp_user, 1
];

it worked just fine. At first I thought there was a problem with the way QlikView gets the group information from the AD server, but I was missing the fact that our domain is using Kerberos for authentication, which caused some (at first glance) weird effects.

1) I did not have access at all to the document, if I used the first script-part.

2) The next day, I had access, but if I changed my group membership, my rights in the qvw did not change

The reason was / is that a Kerberos token has a specific duration, and changes made in Active Directory do not take effect until a new token is handed out.

1) I did not have access to the document, because I was developing the application and created the AD groups while I was logged on to the development machine. Therefore (from a Kerberos point of view) I was not a member of the newly created groups, even if I added myself on the domain controller.

2) The next day, I got a new token and had access, but it did not change if I changed my group membership.

Long story short:

Affected users (those with a changed group membership) will have to log off and back on to get a new token and the correct rights in the document.

Sincerely,

Marc

0 Replies
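
One way to see the stale-token effect described in the post, as an added example that is not part of the original post: PowerShell that compares the group SIDs in the current logon token with the groups Active Directory reports right now. It assumes a domain-joined Windows machine with a reachable domain controller; the function names are hypothetical, and the local logon token is used here as an approximation of what the QlikView server will see.

```powershell
# Added example. Compares groups in the current logon token with the
# directory's current view. Only SIDs from the user's own domain are compared,
# so groups from other domains and local/built-in groups are ignored.

function Get-TokenGroupSids {
    # Group SIDs fixed in the token when the session was created
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $identity.Groups | ForEach-Object { $_.Value }
}

function Get-DirectoryGroupSids {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the directory." }
    $entry = $result.GetDirectoryEntry()
    # tokenGroups is a constructed attribute and must be requested explicitly;
    # it contains the transitive (nested) group membership as binary SIDs.
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # fall back to the raw SID if it cannot be resolved
}

$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $me.User.AccountDomainSid.Value
$tokenSids = @(Get-TokenGroupSids)     | Where-Object { $_ -like "$domainSid-*" }
$dirSids   = @(Get-DirectoryGroupSids) | Where-Object { $_ -like "$domainSid-*" }

# In the directory but not yet in the token: added since logon
$dirSids | Where-Object { $_ -notin $tokenSids } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-SidName $_; State = 'In AD, missing from token' }
}
# Still in the token but gone from the directory: removed since logon
$tokenSids | Where-Object { $_ -notin $dirSids } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-SidName $_; State = 'In token, removed from AD' }
}
```

No output means the token and the directory agree; any row listed is a membership change that has not reached the session yet.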