Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
pamaxeed
Partner - Creator III
Partner - Creator III

Section Access - Admin overriding User Access in Accesspoint

Hi guys,

I have a strange behaviour or a missunderstanding in how Section Access is working.

Can somebody confirm me that the USER priviligies are taken in account on the Access Point?

I have the following priviligies:

Security.png

The table has the %KEY_SECACC as reduction field.

The table contains 2 records for the same user. 1 with a USER Access record and the other with and ADMIN access record.

The strange behaviour  comes when the Section Access is applied on the Access Point. In my understanding only the USER Access record should be taken in account which in fact has a valid link to the data and some data should be shown when accessing the dashboard.

But what I get at the end is an empty dashboard with no data and it seems that the ADMIN Access was taken in account, as the %KEY_SECACC value for the ADMIN has no valid links in all other tables. So this would explain why I am getting the dashbaord with NO data.

Is it in fact so? I am bit confused 😕

8 Replies
marcus_sommer

From a section access point of view is each user which accessed the application through the access point a USER regardless if he is defined as ADMIN or USER within the access-table. If the user has multiple and maybe even different entries it will take this one with the lowest access-rights and/or even struggle in some way and probably deny each access.

- Marcus

pamaxeed
Partner - Creator III
Partner - Creator III
Author

Hi Marcus,

are there some references regarding this point?

I could not find anything in the Qlik Help.

I made some tests and for the user who have a double entry it will take the highres access-rights:

example:

USER    ACCESS     REDUCTION_FIELD

PAM       ADMIN         *

PAM       USER           X

....

Behaviour:

PAM can see all as it seems the highest access rights was taken in account.

marcus_sommer

I don't work with Qlik Sense but on the QlikView side this is my reference: Section Access. The main-logics of the feature are quite the same in both tools but a few differences exists - in your case it might be the feature of strict exclusion which isn't set or differently implemented. Maybe this is a good starting point for the use of section access in Sense: Tips and tricks for section access in Qlik Sense (2.0+)

- Marcus

pamaxeed
Partner - Creator III
Partner - Creator III
Author

It is a Qlikview project Marcus.

marcus_sommer

Is strict exclusion enabled? If not make a few backup's (at least one without any section access) and enable it.

Further you need also to reload the application each time and closing the application and closing the the QlikView instance and opening the application again. Section access and the resulting data-reduction is only applied by opening the application and a reload will always pull all data. You could avoid closing the whole instance for each test by disabling the following user-setting:

- Marcus

pamaxeed
Partner - Creator III
Partner - Creator III
Author

It seems it has nothing to do with the strict exclusion, which in case you do not have any valid access to the data will show you an empty dashboard.

I still get all data on the AccessPoint with following setup:

USER              ACCESS     %KEY_SECACC

DOM\EXPA      ADMIN                   *

DOM\EXPA      USER                IT_ALL

....

So this means that in any case the hightest access right is taken in account.

All other users with USER Access see only what they can see.

In my tests I also tried to have the following scenario:

USER              ACCESS     %KEY_SECACC

DOM\EXPA      ADMIN              DUMMY

DOM\EXPA      USER                IT_ALL

The dummy value has no reference in my data model and in this case when I access the dashboard I see NO Data at all, so again it confirms me that it takes in account the highest rights.

Regards,

Patric

marcus_sommer

Have you checked this behaviour within the desktop client and the access point and it's in both the same? If yes, please provide a small example.

- Marcus

pamaxeed
Partner - Creator III
Partner - Creator III
Author

Desktop behaving in the same way. For the example I will see if I can replicate it. Now I am not at the customer site anymore.