Qlik Community


Not applicable

Section Access with Active Directory and Single Sign On

Hi,

Background: I'm working on QV10 SR1.

The users of our QV application access the documents via Access Point through a browser, which is accessed via a URL.

Users are authenticated via Active Directory. Since Single Sign On is enabled, once the users log on to their Windows machine and type the URL for Access point, they see all the documents they have been given access to by adding their "domain\userID" to the document through QEMC.

When I connect to Access Point, it tells me I'm logged on as DOMAIN\user_abc

I need to be able to do the following:

There is a document in which I need to restrict data access for the users based on a column Company Segment.

Currently I'm restricting access to specific sheets/tabs in the document using the following expression in the Show Sheet --> Conditional dialog box:

=if((OSUser() = 'domain\user_abc' OR OSUser() = 'domain\user_xyz'),1,0)

This works perfectly fine.

In the sheets\tabs visible to user_abc I further need to restrict data access. I tried using Section access but I'm not sure how to connect the Active Directory ID to the USERID or NTNAME. I tried using the following variants of the Hidden Section Access Script but they did not work.

//Script 1

Section Access;
LOAD * INLINE [
    ACCESS, NTNAME
    user1, domain\user_abc
    user2, domain\user_xyz ];

Section Application;
LOAD * INLINE [
NTNAME, CompanySegment
domain\user_abc, Segment1
domain\user_xyz, Segment2 ];

//Script 2 (tried OSUser() in the script based on a similar suggestion by Miguel Angel Baeyens in another thread)

Section Access;
LOAD * INLINE [
    ACCESS, OSuser()
    user1, domain\user_abc
    user2, domain\user_xyz ];

Section Application;
LOAD * INLINE [
OSUser(), CompanySegment
domain\user_abc, Segment1
domain\user_xyz, Segment2 ];

Neither of the scripts worked. It keeps asking me for USERID and Password repeatedly.

When I connect to Access Point, it tells me I'm logged on as DOMAIN\user_abc.

What am I doing wrong? How can I link the AD IDs to NTNAME?

I do not want to define a username and password for each user, as we have a large number of users.

Any help would be greatly appreciated.

Thanks,

AM

11 Replies
danielact
Contributor III

Re: Section Access with Active Directory and Single Sign On

Your first script looks on the right track. The only thing to bear in mind is that the column and values need to be all capital letters, so try something like this:

Section Access;
LOAD * INLINE [
    ACCESS, NTNAME, COMPANYSEGMENT
    User, domain\user_abc, SEGMENT1
    User, domain\user_xyz, SEGMENT2 ];

Section Application;
LOAD * INLINE [
CompanySegment
SEGMENT1
SEGMENT2];

Add whatever other data you need. If your data comes from a source that's not capitalized, just create a new field using the Upper function to capitalize it, and use that for your section access.

Not applicable

Re: Section Access with Active Directory and Single Sign On

Hi Daniel,

Thanks for your response. As per your suggestion, my script now looks like the following, but it exhibited the same behavior as before:

Section Access;
LOAD * INLINE [
    ACCESS, NTNAME , CompanySegment
    USER, DOMAIN\userabc, SEGMENT1
    USER, DOMAIN\userxyz, SEGMENT1
    USER, DOMAIN\userxyz, SEGMENT2
    ];

Section Application;
LOAD * INLINE [
CompanySegment
SEGMENT1
SEGMENT2
];

* You said in your email that "If your data comes from a source that's not capitalized, just create a new field using the Upper function to capitalize it, and use that for your section access." but I read in Introduction_to_Section_Access_-_Rev_1-1 that:

**Note that all data loaded via an external data source must be loaded in upper case in the SECTION ACCESS statement. This does not apply to INLINE data which always will be treated as upper case.

 

So I did not change CompanySegment to COMPANYSEGMENT. Should I use something like LOAD CompanySegment AS COMPANYSEGMENT before the Section Access script? All values in CompanySegment field however, are uppercase by default.

Also, the binary file load happens in the tab after this hidden script tab and I cannot change the order. Does that matter?

Thanks

AM

danielact
Contributor III

Re: Section Access with Active Directory and Single Sign On

I'd just change them all to capital letters - it doesn't hurt to try.

Also, make sure you have the proper settings checked in the Document Properties.

Go to Settings > Document Properties and select the Opening tab

Make sure Initial Data Reduction Based on Section Access is checked. You want Strict Exclusion unchecked.

Run the script, then save and close. Reopen, and the section access should be working.

Not applicable

Re: Section Access with Active Directory and Single Sign On

Changed everything to all caps.

I had the data reduction and Strict Exclusion checked earlier.

But when I unchecked Strict Exclusion, the document opened but showed all of the data without reduction.

So far I was making changes and saving the document. When I reread your response, I thought I should reload the document. But this gave an error: Unknown statement Binary [\DataModel\DM1.qvw].

So it does not like hidden script before the binary load.

Employee
Employee

Re: Section Access with Active Directory and Single Sign On

Yes, Binary load has to be the first line in the script. So, you can put it in your hidden script as the first line and then Section Access after that.

Bill

Not applicable

Re: Section Access with Active Directory and Single Sign On

Hi Bill,

Thanks for your response.

I included the Binary load statement in the Hidden script and the script reload went fine.

I checked the Strict Exclusion check box back, the document loads but with the entire data set, not filtering on segment.

Script:

Section Access;
LOAD * INLINE [
    ACCESS, NTNAME , COMPANYSEGMENT
    USER, DOMAIN\userabc, SEGMENT1
    USER, DOMAIN\userxyz, SEGMENT1
    USER, DOMAIN\userxyz, SEGMENT2
    ];

Section Application;
LOAD * INLINE [
COMPANYSEGMENT
SEGMENT1
SEGMENT2
];

danielact
Contributor III

Re: Section Access with Active Directory and Single Sign On

Did you exit the application then re-open it?

Employee
Employee

Re: Section Access with Active Directory and Single Sign On

I don't have a sample, but you have to tie the two together. Your bottom load isn't really connected to the section access.

Segment1 needs to be tied to a FIELD

Section Application;
LOAD * INLINE [
COMPANYSEGMENT, FIELD
SEGMENT1, VALUE1
SEGMENT2, VALUE2
];

Not applicable

Re: Section Access with Active Directory and Single Sign On

Ideally this is what I would like to do. Map Access to AD username and then in Section Application filtering the user access based on what segment they belong to. abc sees data for seg 1, while xyz sees data for both seg 1 & 2. When I do that though, I still get a box to input Userid followed by password.

Section Access;
LOAD * INLINE [
    ACCESS, NTNAME
    USER, DOMAIN\userabc
    USER, DOMAIN\userxyz
    USER, DOMAIN\userxyz
    ];

Section Application;
LOAD * INLINE [
NTNAME , COMPANYSEGMENT
DOMAIN\userabc,     SEGMENT1
DOMAIN\userxyz,     SEGMENT1
DOMAIN\userxyz,     SEGMENT2
];

Thanks,

AM
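
The points raised in the replies above (Binary as the first statement, upper-case reduction field names and values, and a reduction field that is tied to a field in the data model), put together as an added example that is not a script from the thread. The account name DOMAIN\SVC_QVRELOAD and the table name Facts are assumptions; the binary path and user names are the ones quoted in the posts.

```qlikview
// Added example, not a script from the thread.
// Assumptions: DOMAIN\SVC_QVRELOAD (account that reloads the document) and
// Facts (a table in the binary-loaded model that holds CompanySegment).

// 1. Binary must be the first statement of the script, so it sits at the
//    top of the hidden script tab, ahead of Section Access.
Binary [\DataModel\DM1.qvw];

// 2. Authorization table. NTNAME is the only identity column, so no
//    USERID or PASSWORD is declared and the Windows identity is matched
//    against the NTNAME values.
//    COMPANYSEGMENT is the reduction field: name and values in upper case.
//    An account that reloads the document needs its own row as well.
//    "*" stands for every value listed in this column of this table.
Section Access;
LOAD * INLINE [
    ACCESS, NTNAME, COMPANYSEGMENT
    ADMIN, DOMAIN\SVC_QVRELOAD, *
    USER, DOMAIN\USERABC, SEGMENT1
    USER, DOMAIN\USERXYZ, SEGMENT1
    USER, DOMAIN\USERXYZ, SEGMENT2
];

// 3. Tie the reduction field to the data model. COMPANYSEGMENT has to
//    exist in the application part under exactly the same upper-case name
//    and be associated with the real data. A link table built from the
//    existing CompanySegment field does both: it joins to the model on
//    CompanySegment and carries the upper-case copy used for reduction.
Section Application;
SegmentLink:
LOAD DISTINCT
    CompanySegment,
    Upper(CompanySegment) AS COMPANYSEGMENT
RESIDENT Facts;   // Facts is an assumed table name
```

Reduction is applied when the document is opened, so after reloading, save, close and reopen it with Initial Data Reduction Based on Section Access checked, as described in the replies above.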
