Section Access - Admin overriding User Access in A... - Qlik Community

pamaxeed · ‎2018-02-05

Hi guys,

I have a strange behaviour or a missunderstanding in how Section Access is working.

Can somebody confirm me that the USER priviligies are taken in account on the Access Point?

I have the following priviligies:

The table has the %KEY_SECACC as reduction field.

The table contains 2 records for the same user. 1 with a USER Access record and the other with and ADMIN access record.

The strange behaviour comes when the Section Access is applied on the Access Point. In my understanding only the USER Access record should be taken in account which in fact has a valid link to the data and some data should be shown when accessing the dashboard.

But what I get at the end is an empty dashboard with no data and it seems that the ADMIN Access was taken in account, as the %KEY_SECACC value for the ADMIN has no valid links in all other tables. So this would explain why I am getting the dashbaord with NO data.

Is it in fact so? I am bit confused 😕

marcus_sommer · ‎2018-02-06

From a section access point of view is each user which accessed the application through the access point a USER regardless if he is defined as ADMIN or USER within the access-table. If the user has multiple and maybe even different entries it will take this one with the lowest access-rights and/or even struggle in some way and probably deny each access.

- Marcus

pamaxeed · ‎2018-02-07

Hi Marcus,

are there some references regarding this point?

I could not find anything in the Qlik Help.

I made some tests and for the user who have a double entry it will take the highres access-rights:

example:

USER ACCESS REDUCTION_FIELD

PAM ADMIN *

PAM USER X

....

Behaviour:

PAM can see all as it seems the highest access rights was taken in account.

marcus_sommer · ‎2018-02-07

I don't work with Qlik Sense but on the QlikView side this is my reference: Section Access. The main-logics of the feature are quite the same in both tools but a few differences exists - in your case it might be the feature of strict exclusion which isn't set or differently implemented. Maybe this is a good starting point for the use of section access in Sense: Tips and tricks for section access in Qlik Sense (2.0+)

- Marcus

pamaxeed · ‎2018-02-07

It is a Qlikview project Marcus.

marcus_sommer · ‎2018-02-07

Is strict exclusion enabled? If not make a few backup's (at least one without any section access) and enable it.

Further you need also to reload the application each time and closing the application and closing the the QlikView instance and opening the application again. Section access and the resulting data-reduction is only applied by opening the application and a reload will always pull all data. You could avoid closing the whole instance for each test by disabling the following user-setting:

- Marcus

pamaxeed · ‎2018-02-07

It seems it has nothing to do with the strict exclusion, which in case you do not have any valid access to the data will show you an empty dashboard.

I still get all data on the AccessPoint with following setup:

USER ACCESS %KEY_SECACC

DOM\EXPA ADMIN *

DOM\EXPA USER IT_ALL

....

So this means that in any case the hightest access right is taken in account.

All other users with USER Access see only what they can see.

In my tests I also tried to have the following scenario:

USER ACCESS %KEY_SECACC

DOM\EXPA ADMIN DUMMY

DOM\EXPA USER IT_ALL

The dummy value has no reference in my data model and in this case when I access the dashboard I see NO Data at all, so again it confirms me that it takes in account the highest rights.

Regards,

Patric

marcus_sommer · ‎2018-02-07

Have you checked this behaviour within the desktop client and the access point and it's in both the same? If yes, please provide a small example.

- Marcus

pamaxeed · ‎2018-02-07

Desktop behaving in the same way. For the example I will see if I can replicate it. Now I am not at the customer site anymore.

Section Access - Admin overriding User Access in Accesspoint