Hi all,
In my app I have performance relevant data of all employees of a company.
I have for each employee the LogInName (Windows NTNAME) of the user as well as the level in the company's hierarchy.
What I want: I want to grant access to the data in my app based on the user's NTNAME and position in hierarchy.
Means: A user of the app can only see his / her own data (based on his / her LogInName) as well as the data of people that are below this person.
Simple example:
Table USERS:
UserID | LogInName | FirstName | LastName | ManagerID |
---|---|---|---|---|
1 | DOMAIN\SmithJ | John | Smith | 2 |
2 | DOMAIN\WallyT | Troy | Wally | 4 |
3 | DOMAIN\CarterT | Tammy | Carter | 2 |
4 | DOMAIN\BossD | Darren | Boss | 4 |
Table PERFORMANCE:
PerformanceID | UserID | WeekYear | Performance |
---|---|---|---|
22 | 1 | 1/2012 | Good |
23 | 1 | 2/2012 | Excelent |
24 | 1 | 3/2012 | Good |
25 | 2 | 1/2012 | Excelent |
26 | 2 | 2/2012 | Excelent |
27 | 2 | 3/2012 | Good |
28 | 3 | 1/2012 | Medium |
29 | 3 | 2/2012 | Medium |
30 | 3 | 2/2012 | Bad |
31 | 4 | 1/2012 | Good |
32 | 4 | 2/2012 | Excelent |
33 | 4 | 3/2012 | Good |
The environment: The app is published on an access point. The server "knows" the NTNAME (LogInName) of each user.
So, if user John Smith is logged in, he should only be able to see the records in table PERFORMANCE where his ID is set as UserID. If Troy Wally is working with the app he should see the performance records of user 1, 3 and himself (2).
How would I do this using section access?
How would I do it if I would want to add more data that is considered sensitive and shall be restricted? (e.g. I add a table "PRSL. INFORMATION" and it should follow the same access rights as the PERFORMANCE table)
(Important to note: A person must not have access to any other data than the data that he / she is allowed to see.)
Thanks a lot for advice and hints.
Section access in your case must contain fields:
'USER' as ACCESS
upper(subfield(LoginName, '\')) as NTNAME
UserID as ID (field name not important, but don't use USERID)
Section Application needs a Hierarchy table containing two columns defining the users' hierarchy, fields ID and UserId:
ID | UserId |
---|---|
1 | 1 |
2 | 1 |
2 | 2 |
2 | 3 |
4 | 1 |
4 | 2 |
4 | 3 |
4 | 4 |
Field ID is a link between Section Access and Section Application, table Hierarchy.
Field UserId is a link between table Hierarchy and table Performance (and additional tables if needed).
Regards,
Michael
Thanks a lot. This already helps.
But the problem I ran into is: if I have a structure like this:
UserID | LogInName | FirstName | LastName | ManagerID |
---|---|---|---|---|
1 | DOMAIN\SmithJ | John | Smith | 5 |
2 | DOMAIN\WallyT | Troy | Wally | 4 |
3 | DOMAIN\CarterT | Tammy | Carter | 2 |
4 | DOMAIN\BossD | Darren | Boss | 2 |
5 | DOMAIN\CEO | The | CEO | 5 |
Please consider the modified table above. In this hierarchy, if user John Smith is logged in, he
- cannot see his own performance records
- and he cannot see the performance records of Troy Wally
How can this be solved?
Thanks a lot!!
I'm not sure I understand your hierarchy data correctly. Anyway, in the structure I described yesterday, ID is pointing to the user who's logged in, and UserId is the user below the logged user in the hierarchy, on any level. Obviously each user must have a record where he is presented in both fields - to see his own records.
How you build this table is up to you. You can use load inline, if the table is not big, or use data load with "hierarchy belongs to".
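Added example, not part of the thread or any poster's code: one way to derive the ID / UserId rows from the UserID and ManagerID columns, walking every level below each user and adding the self row the reply says each user needs. It is written in Python; the function names are assumptions, and the resulting rows still have to be loaded into the Hierarchy table by whichever load method is chosen.

```python
from collections import defaultdict

# (UserID, ManagerID) pairs copied from the two USERS tables in the thread.
USERS_FIRST = [(1, 2), (2, 4), (3, 2), (4, 4)]
USERS_SECOND = [(1, 5), (2, 4), (3, 2), (4, 2), (5, 5)]


def build_hierarchy_rows(users):
    """Return sorted (ID, UserId) rows: ID is the logged-in user,
    UserId is a user whose records ID may see (self plus everyone below)."""
    reports = defaultdict(set)
    for user_id, manager_id in users:
        if manager_id != user_id:  # a self-reference marks the top, not a report
            reports[manager_id].add(user_id)

    rows = set()
    for user_id, _ in users:
        visible = {user_id}  # self row, so users see their own records
        stack = [user_id]
        while stack:
            for sub in reports.get(stack.pop(), ()):
                if sub not in visible:  # stops loops such as 2 -> 4 -> 2
                    visible.add(sub)
                    stack.append(sub)
        rows.update((user_id, seen) for seen in visible)
    return sorted(rows)


def as_inline_table(rows):
    """Format rows as comma-separated lines with an 'ID, UserId' header."""
    return "\n".join(["ID, UserId"] + [f"{a}, {b}" for a, b in rows])


if __name__ == "__main__":
    print(as_inline_table(build_hierarchy_rows(USERS_FIRST)))
    print(as_inline_table(build_hierarchy_rows(USERS_SECOND)))
```

In the second USERS table, users 2 and 4 name each other as manager, so each ends up with rows for the other; the visited check is what keeps that loop from running forever.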