Qlik Community

QlikView Deployment

markhayjoergens
New Contributor

Distributed applications -> to domain users (with the need to deny for defined group)

When distributing some of our applications, these are distributed to domain users across all domains, which works like a charm.

We need to be able to add a deny group, containing ~50 users from across the domain forest, which shouldn't be able to see the applications. This was possible when manually moving reloaded applications to the production environment shared folders, where the NTFS security was set on a folder by folder level.

By implementing distribution of applications to said groups of users, we now don't have the same ability to throw in the DENY AD-group to the mix, as the security access-rights are set on an application level each time the application is reloaded and distributed.

Any easy way to solve this?

1 Solution

Accepted Solutions

Re: Distributed applications -> to domain users (with the need to deny for defined group)

Throw those users-to-be-denied-access out of the AD group(s)?

Or better: create a special distribution group per document in AD and add that group to the Distribution list instead of groups that are too permissive? Disadvantage: if you don't take care of AD, you'll have to ask a sysadmin to add/remove people from those groups...

And probably best but not the easiest technique: use Section Access and load permissions from your own DB. That way, you still have the management of document access rights in your own hands instead of leaving it in the hands of sysadmins or any other IT person that takes care of AD?

Best,

Peter

3 Replies

gustavgager
Contributor II

Re: Distributed applications -> to domain users (with the need to deny for defined group)

I don't think there is a "Deny" list when doing distributions from the QMC.

I agree with Peter that you should create a group with all users who should have access. If that's not practical you could use Section Access and read users from the AD group and then use a CSV or Excel file to exclude specific users.
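
The exclusion approach suggested in the reply above, as an added example that is not part of the original thread: a Python script that subtracts a deny list from exported group members and writes the rows for a Section Access table, so that a deny entry always wins the way a DENY ACE did under NTFS. It assumes names are exported as DOMAIN\user and that the load script reads a CSV with ACCESS and NTNAME columns; the sample names and the service account are constructed.

```python
import csv
import io

# Constructed sample data; in practice these would come from an AD group
# export and a maintained deny file (both hypothetical here).
GROUP_MEMBERS = ["CORP\\alice", "corp\\Bob ", "EMEA\\carol", "EMEA\\dave", "CORP\\alice"]
DENY_LIST = ["emea\\CAROL", "CORP\\bob"]
SERVICE_ACCOUNT = "CORP\\svc_qvpublisher"  # hypothetical reload/distribution account


def normalize(name):
    """Return DOMAIN\\USER in upper case, or raise on anything else."""
    name = name.strip().upper()
    domain, sep, user = name.partition("\\")
    if not sep or not domain or not user or "\\" in user:
        raise ValueError(f"not a DOMAIN\\user name: {name!r}")
    return f"{domain}\\{user}"


def build_section_access(members, deny, service_account):
    """Rows of (ACCESS, NTNAME): members minus deny, deny always wins."""
    # A malformed deny entry aborts the run instead of being skipped,
    # so a typo in the deny file cannot silently grant access.
    denied = {normalize(n) for n in deny}
    admin = normalize(service_account)
    if admin in denied:
        raise ValueError("service account is on the deny list")
    # Case, whitespace and duplicate differences are removed before the
    # set difference, so CORP\bob and corp\Bob are the same principal.
    allowed = {normalize(n) for n in members} - denied - {admin}
    rows = [("ADMIN", admin)]
    rows += [("USER", n) for n in sorted(allowed)]
    return rows


def to_csv(rows):
    """Serialize the rows as a CSV with an ACCESS,NTNAME header."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ACCESS", "NTNAME"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_section_access(GROUP_MEMBERS, DENY_LIST, SERVICE_ACCOUNT)))
```

Regenerating the file before each reload keeps the effective list in step with both the AD group and the deny file.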

markhayjoergens
New Contributor

Re: Distributed applications -> to domain users (with the need to deny for defined group)

That's also the way it has been done now, when not being able to do this the same way - with cumulative permissions not being a possibility in regards to distribution, as it was the case when messing with NTFS for user access.