Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
markhayjoergens
Contributor III
Contributor III
‎2017-11-22 03:40 AM

Distributed applications -> to domain users (with the need to deny for defined group)

When distributing some of our applications, these are distributed to domain users across all domains, which works like a charm.

We need to be able to add a deny group, containing ~50 users from across the domain forrest. which shouldn't be able to see the applications. This was possible when manually moving reloadet applications to the production enviroment shared folders, where the NTFS security was set on a folder by folder level.

By implementing distribution of applications to said groups of users, we now don't have the same ability to throw in the DENY AD-group to the mix, as the security access-rights are set on a application level each time the application is reloaded and distributed.

Any easy way to solve this?

641 Views
0 Likes
1 Solution

Accepted Solutions
Peter_Cammaert
Partner - Champion III
Partner - Champion III
‎2017-11-22 04:58 AM

Throw those users-to-be-denied-access out of the AD group(s)?

Or better: create a special distribution group per document in AD and add that group to the Distribution list instead of groups that are too permissive? Disadvantage: if you don't take care of AD, you'll have to ask a sysadmin to add/remove people from those groups...

And probably best but not the easiest technique: use Section Access and load permissions from your own DB. That way, you still have the management of document access rights in your own hands instead of leaving it in the hands of sysadmins or any other IT person that takes care of AD?

Best,

Peter

View solution in original post

555 Views
0 Likes
3 Replies
Peter_Cammaert
Partner - Champion III
Partner - Champion III
‎2017-11-22 04:58 AM

Throw those users-to-be-denied-access out of the AD group(s)?

Or better: create a special distribution group per document in AD and add that group to the Distribution list instead of groups that are too permissive? Disadvantage: if you don't take care of AD, you'll have to ask a sysadmin to add/remove people from those groups...

And probably best but not the easiest technique: use Section Access and load permissions from your own DB. That way, you still have the management of document access rights in your own hands instead of leaving it in the hands of sysadmins or any other IT person that takes care of AD?

Best,

Peter

556 Views
0 Likes
gustavgager
Partner - Creator II
Partner - Creator II
‎2017-11-23 06:20 AM

In response to Peter_Cammaert

I dont think there is a "Deny" list when doing distributions from the QMC.

I agree with Peter that you should create a group with all users who should have access. If thats not pratical you could use Section access and read users from the ADgroup and then use an CSV or Excelfile to eclude specific users

555 Views
0 Likes
markhayjoergens
Contributor III
Contributor III
‎2017-12-12 09:51 AM
Author

That's also the way it has been done now, when not being able to do this the same way - with cumulative permissions not being a possibility in regards to distribution, as it was the case when messing with NTFS for user access.

555 Views
0 Likes