QFanatic

Section access - order of Execution

Hi everyone,

I just want to check something here. So in my section access as below...

SECURITY:
LOAD * INLINE [
ACCESS,USERID,PASSWORD,NTNAME,MANAGER_NUMBER
ADMIN,ADMIN,ADMIN,*,*
USER,*,*,domain\user1,*
ADMIN,*,*,domain\user2,*
];

1. Section Access (SA for short) looks to verify people on the domain using their domain details.

2. If users can't be authenticated in step 1, the user can log in using "ADMIN" and "ADMIN". The Password field is only populated for this sign-in... it doesn't get populated for the NT authentication - is that correct? The asterisk will then populate the Password field for the non-NT people?

3. Lastly - reduction will be done on Manager Number as well.

I'm a bit confused about the sequence, and what the password field is for - for an NT user.

 

Thanks

9 Replies
marcus_sommer

The various ways to authenticate a user are additional to each other and not a substitute for another failing/missing one. This means if you apply NTNAME and USERID / PASSWORD, both are queried and must be valid to get access. There are probably not many use cases in which it makes sense to use both of these methods together. In your example no non-NT user will get access, and each NT user will need to apply the userid/password although there was already an authentication against their NTNAME (no SSO with it).

- Marcus

QFanatic

Hi Marcus, thank you for your reply.

In my script I usually like to make provision for, in the matter where a user cannot authenticate using his NTNAME, that there is a 'back door' open so that they can get in using a username and password.

So then, this is not possible?

Thank you
marcus_sommer

I think you need to start at least one step earlier and consider how the reports within the access point can be reached and by whom. The most usual way is to provide the access point only internally, which means no access from outside, i.e. from the internet, is allowed. This means only people who are internally authenticated get access, and here the most common way is the use of NT authentication within your (sub)domain(s), either directly or with a detour over a VPN or a Citrix environment.

By using such an approach you won't really be concerned with the authentication because it's already done a step before and Qlik just uses it. AFAIK there are various ways to create other methods of providing access, but none of them will be as simple and/or as secure. Especially since your external users often shouldn't just have access to Qlik: they also need access to various other systems, like file shares, databases, house securities and so on, and with that a company account, because otherwise more or less ugly/secure island solutions will be found for each of them. It's not really recommended ...

Besides this, the nearest other way I could think of to provide access to Qlik would be to use ticket authentication. I never used it myself and therefore I can't give more details, but if you search for it you will surely find some material in the help, and there are also various postings on this topic here in the community.

- Marcus

QFanatic

Thank you Marcus. In our scenario, everyone accesses from internally.
QFanatic

Hi Marcus,

QlikView Developer Book says on Section access the following:

 

[Image: QFanatic_1-1588054919480.png]

 

I am still not clear on this...

marcus_sommer

I think it's not completely correct here, or rather a bit misleading, although I never checked it in this way - meaning using only NTNAME and PASSWORD together, and that in this combination PASSWORD queries the NT password. And it doesn't make much sense because at this moment the user has already been authenticated with his/her NTNAME. AFAIK only PASSWORD and USERID belong directly to each other, and the various NT authentication methods are checked automatically while USERID and PASSWORD check the user entries through a small popup window.

You may also check this logic by querying the logged-in user within textboxes with osuser(), which returns the NT user, and qvuser(), which returns the user from the USERID.

Further I believe that in your case the order of execution is quite regardless because like already mentioned all specified authentication methods must be fulfilled.

- Marcus

QFanatic

Thank you very much Marcus

Brett_Bleess
Former Employee

So just to confirm, the UserId/Password dialog is the last check that occurs, so if all other checks fail, that is where you end up with things, so if there was no NTNAME match, that user would get the login dialog, otherwise they would be allowed into the application with no prompt...

Including some links here for any future visitors too:

https://help.qlik.com/en-US/qlikview/April2020/Subsystems/Client/Content/QV_QlikView/Security.htm

https://community.qlik.com/t5/Qlik-Design-Blog/A-Primer-on-Section-Access/ba-p/1465766

I think this should cover the bases for future visitors.

Regards,
Brett

QFanatic

Thank you.

