i was looking to setup Security for the application I have created and was looking at the posts here and read the help as well. But what i dont understand is that my client has a AD Group which he manages somewhere else.. All he wants is that when users try to access the QVW, it should check an Excel sheet to check if the username is in the sheet and only then open the document. I think its really simple, just that I am unable to do it.
I have an excel sheet with all the DOMAIN\USERNAME AS User name and how do I do it? Currently I have this and it doesnt seem to work...
SECTION ACCESS;
LOAD [USER ID] as NTNAME, [ACCESS] FROM (ooxml, embedded labels, table is Sheet1);
You should simply apply Section Access in the normal way but don't associate the Section Access tables to the wider dataset. This will give you the security you need whilst allowing users to see all the data.
If you're still running into problems the first place I'd look is to ensure that ALL the data and fields within the Section Access tables is in UpperCase; no idea why it has to be but it does!?
Thanks for the quick response. I was also thinking if we need to assign the CALs on the server to block the access or do I have to select Assidn Dynamic CALs and just use the simple section access to take care of it??
Section Access entries are read in order, top-down, and QlikView will stop when it finds a match. Therefore, if you want only users within the spreadsheet to have access, make the last row of the spreadsheet
NTNAME *
ACCESS NONE
You would then need to declare Star is *; in your script to let QV know that the * is a wildcard.
In my experience both mehtods can handle it. For larger deployments assigning individual CALs to documents and then specific users can be onerous so I usually use Dynamic CAL assignment in conjunction with SA - it's my understanding that a CAL won't be assigned to anyone who doesn't open the .qvw and if SA is applied correctly only those in the spreadsheet will gain access and therefore be assigned a CAL.
Vlad may be able to confirm that situation.
If you're working with static small numbers of users and you're only looking to restrict Access not data then I'd recommend just controlling things via CAL assignment in the Mgmt COnsole.
I believe Matt is correct. It just seems easier to restrict access altogether rather than reducing data, assuming a user isn't supposed to be in a document at all. And yes, you can control authorization in the management console, but if you want to allow dynamic CAL assignment, then section access is the only way.
