Solved: Section Access allow access to all data - Qlik Community

stevedark · ‎2009-05-26

Hi There,

I wish to set up access to individuals to see thier own data, but to admins to see all data. I attempted to do this with section access, with users having access to individual records, but the admin having null (eg. all data).

However, on loading the users saw the right data, but the admin only saw records where the data was blank. I tried replacing blank data with 'ANY', but the admin user could not log in (as they could then see no records). Using a * symbol gave the admin access to everything the users had, but not to anything outside of that.

I'm guessing the problem is down to leaving the value out on the inline load of section access is the same as empty string, not null?

Either way, I worked around it like this:

Section Access;
LOAD * INLINE [
ACCESS,USERID,PASSWORD,NTNAME,MAPNAMETO
ADMIN,admin-user,<removed>,*,*
ADMIN,*,*,DOMAINNAME\QVPublisher,*
USER,JohnD,,DOMAINNAME\JohnD,JOHN
USER,JaneD,,DOMAINNAME\JaneD,JANE
USER,FectchAll,adfjklajd,ajdfkl,ANY
];

[...]

SecurityNames:
LOAD * INLINE [
SecurityNames
JOHN
JANE
];

[...]

ExchangeLog:
LOAD
*,
if(exists(SecurityNames,upper(RecipientName)), upper(RecipientName), 'ANY') as MAPNAMETO,
[...];
SQL SELECT *
FROM dbo.tbl_ExchangeAgentLog;
[...]
DROP TABLE SecurityNames;

So basically I have a dummy user in the security, which maps to ANY, a temporary table with allowed names in, and anything that isn't an allowed name being mapped to ANY - that then means that the * on the admin account will map to any record.

This obviously isn't very robust though, as if an entry gets added to the SecurityNames table, without a corresponding Section Access entry those rows will not be shown to the administrator.

There has to be a neater way than my work around! Any suggestions gratefuly received.

Cheers,
Steve

Anonymous · ‎2009-05-28

Hi Steve,

When opening the document via server all clients will be considered User even if Admin is specified under Access in the section access table.

This means that when strict exclusion is checked the admin without a proper reduction value can see all the data when opening the document locally but not when it's opened via server since the admin only gets User access level as well. Since no proper reduction can be made for the admin, Strict Exclusion will deny him/her access.

View solution in original post

disqr_rm · ‎2009-05-26

Try enclosed. Open with fowllong:

User, Password, Comments

a1, a1, User with Sales Office S1 authorizations

a2, a2, User with Sales Office S2 authorizations

x1, x1, Admin User with all Sales Office authorizations

Hope this gives you an idea.

stevedark · ‎2009-05-27

Hi Rakesh,

Many thanks for your response.

The example you sent worked fine, though initially there were no sales offices outside of S1 and S2. I added some in, and x1 could see those also, whilst the other users could not.

Your load script made me realise one fundamental mistake I had been making. Putting null() inside an Inline load was just putting 'null()' in as a string litteral - rather than inserting a null value.

I changed my code to be like yours and do a concatenated load from an autogenerate for the admin - and that appeared to call the function null() rather than put in a litteral (at least that is what syntax highlighting suggested). The problem that I had originally still remained though. I am probably missing something obvious.

I've gone back to my work around for the time being, but will try and work out what is going wrong at some point soon.

Cheers,
Steve

stevedark · ‎2009-05-27

Hi Rakesh,

I have found where the problem lies, and I think it is a QV bug.

When I was trying with my own document I was attempting to load it in the IE component, with the document published in Server. When I opened your document and it all worked fine it was in QV Developer. I subsequently got my document working in QV Developer (which is not the end game anyway), but when I tried to access the document from the server the admin account could not log in. Finally, I dropped your .qvw in our published folder and tried to access that via the server, and I was unable to log in as X1.

Unless anyone else can shed any light on this I shall report it as a bug and see what happens from there. To my mind the security in Developer and Server should at least be consistent?

Thanks for your assistance.

Cheers,
Steve

disqr_rm · ‎2009-05-27

Hi Steve, Did you make any change to my document? If so, could you please upload the new document?

Report Inappropriate Content · ‎2009-05-27

Hi Steve,

In order to the section access to work fine you need to add your Publisher service account name in the section access with admin rights ( saying it can see everything like the admin).

If publisher user account is not granted all access in the section access, users will not be able to see their data accordingly to their rights, because the server user will load blank data.

Rgds

Sébastien

stevedark · ‎2009-05-27

Hi Sébastien,

The problem is not related to Publisher. The document I am having trouble with is refreshing fine at the specified beat. The test document that Rakesh has sent I am loading the data in Developer and then copying the file to the server - so Publisher is not even being used.

Thanks for the suggestion though.
Cheers,
Steve

stevedark · ‎2009-05-27

Hi Rakesh,

It is pretty much as it was when you first sent it. I have just added some rows that are outside of the security context of a1 and a2, so these were only available to x1.

Please find the revised .qvd attached.

I have not tried your original .qvd in QV Server, as I changed it in QV Developer first. I shall give that a try now.

Many thanks,
Steve

disqr_rm · ‎2009-05-27

Try this one. Just changed the case of SecTab, and enabled concatenate. If this doesn't work, I can't think of anything why it shouldn't. Could be a bug.

stevedark · ‎2009-05-28

Hi Rakesh,

The same issue still exists with the revised version. X1 / X1 are valid credentials in Developer, but not through Server.

Can anyone else verify if this happens on their Server installation?

I shall chase an explanation elsewhere and see where I get.

Cheers,
Steve