section access

Report Inappropriate Content · ‎2012-02-01

hi all,

is there a way to restrict access to just one sheet in my app to a pre-defined user group ? meaning: everybody can see sheets a, b, c, d and certain users can also see sheet d

maybe by section access ? if yes, how would i do that ?

thanks in advance,

k

kaushiknsolanki · ‎2012-02-01

Hi,

Have a look at the below post for more information on sheet level access with example.

http://community.qlik.com/thread/32321

Regards,

Kaushik Solanki

Please remember to hit the 'Like' button and for helpful answers and resolutions, click on the 'Accept As Solution' button. Cheers!

hic · ‎2012-02-01

Yes you can: If you use a conditional show condition on the sheet (Properties – General – Show sheet – Conditional) you could restrict a sheet to be shown only to some users. The show condition should then be Match(User,'A','B','D'). Section Access could be used to assign users to groups and then groups could be used instead in the condition.

However, this is a very weak security. The data is still available to the user and can be accessed through other objects. For instance, if you allow server objects the user can re-create the objects you want to hide and see the stuff you do not want to show.

Report Inappropriate Content · ‎2012-02-01

Thanks, but where are the user names set ?

Can i use the network user names ?

hic · ‎2012-02-01

Either you define them in Section Access or you use the function OSUser(). Then the show condition could be Match(OSUser(),'A','B','C')

Report Inappropriate Content · ‎2012-02-01

Thanks, this works.

Two questions though:

- Is this consedered 'best practice' when it comes to restricting access to single sheets ?

- When working in a domain, my user name has to be DOMAINNAME\USERNAME - How can i handle different domain names ? E.g. a user A working in DOMAIN 123 today, but domain 456 tomorrow ? Do i have to hard code it in the condition or is there a way to get the domain a user is logged on to and make the condition dynamical ?

Thanks!

hic · ‎2012-02-01

Is it "best practice"? Yes - as long as you are aware that this really isn't a security measure. The data is still there for the user. So it is more a question of convenient presentation of the data.

If you use Section Access, you can use the user name alone. QlikView will interpret that as “any domain”. If you use OSUser(), you could wrap the function call in a string function, e.g. Subfield(OSUser(),’\’,2) to get the user name alone.

Report Inappropriate Content · ‎2012-02-01

Thanks again,

"The data is still there for the user."

How would i do it, to make sure no user that shouldnt have access to this sheet, cannot grab the data somehow else - through server objects etc...

hic · ‎2012-02-01

Data is not tied to a sheet – the sheet is just a presentation layer.

If a user shouldn’t be allowed to see specific records, these records should be excluded from the data model by the use of data reduction, using either the Publisher or Section Access. The same is true for specific fields. Only then can you be really sure that you hide the data.

However, if you

1) disallow creation of server objects and

2) disallow download of the application and

3) make sure that no objects on any sheet contain any data from sensitive fields, directly or indirectly

then you should in principle also be OK. But I personally do not think this a good, robust solution: Sooner or later someone will make a change to the application that will invalidate this security. Then it is better to do it properly from the start and really exclude the sensitive data.

Related Topics