Qlikview - generating webtickets. Any way of locking this down?
I've just setup QlikView Server 11.2 SR1 and am looking at integrating the WebTicket system with our current SAML authentication code in our application portal.
Is there any way to modify the QV configuration so that access to GetWebTicket.aspx is restricted?
Currently, any user authenticated on the domain can fire up a browser, and hit /qvajaxzfc/getwebticket.aspx?cmd=<Global method="GetWebTicket"><UserId>domain\user</UserId></Global> and get a web ticket through the return XML with any domain\user value. Then use this ticket with authenticate.aspx to login to the system as said user.
The reason I'm keen to restrict this is because not all users on our QV Server should get access to certain .qvw models.
Re: Qlikview - generating webtickets. Any way of locking this down?
The ticket should just authenticate the user to the portal. Then in the Distribution task you can specify the authorized users to open that document in the Publisher task itself, and using section access too. If the user is authenticated but not authorized, this will not see the document, therefore will not be able to open it.
There is a third way going to the QMC and setting manually which groups are able to see what documents, again, even when the user has a ticket, i.e.: has been properly authenticated, will not be able to open a document he is not authorized to.