Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

Access denied to documents when using getwebticket combined with section access and publisher loop and reduce

Hi All,

We have hit a roadblock in our development and hopefully someone can see what we are missing.

We are attempting to use getwebticket functionality (aspnet) combined with, section access/section application and publisher’s loop and reduce functionality.

In our initial testing we used the reload engine instead of publisher. The ticket and document reduction were working properly. In our production environment we can see the ticket is generated and the accesspoint recognizes the authenticated user, their name is displayed in the upper right corner, but when you attempt to open a document access is denied.

I created an account on the authentication site that is the same as the account that runs all our Qlikview services (QlikviewAccount in the section access and section application script(below)). This account can open all documents.

If we turn off reduce data/strict exclusion in the document and reload other authenticated users can access the document, leading us to believe the issue lies in the section access/application.

I then commented out the section access and section application key words and confirmed that the data is being loaded in the security tables and everything links properly. So I’m a bit stumped, is there a setting we are missing when using publisher or is there an issue in our section access/application script?

Below are the settings and script:

Product: Qlikview Server 11 (11.0.11282.0)

Qlikview Server settings:

1) DMS mode

2) Prohibit Anonymous

Qlikview Web Server settings: - authentication

1) Always

Publisher job:

1) Reload enabled

2) Reduce – loop through document field

3) Distribute to all authenticated users

Document Settings:

1) Security – Admin Override Security

2) Opening – Reduce Data – strict exclusion

3) Server – Filter AccessPoint Document List Based on Section Access – checked

Document Security:

SECTION Access;

load

ACCESS,

NTNAME,

REPLACE(REPLACE(SECURITYKEY,'{',''),'}','') AS SECURITYKEY;

sql select upper(username) as NTNAME,upper(case c.rolename when 'Administrator' then 'Admin' else 'User' end) as ACCESS, ltrim(rtrim(upper(a.userid))) as SECURITYKEY

from qlikview_security.dbo.aspnet_Users as a

inner join qlikview_security.dbo.aspnet_UsersInRoles as b

      on a.UserId = b.UserId

inner join qlikview_security.dbo.aspnet_roles as c

      on b.RoleId = c.RoleId

where lower(c.rolename)<>'registered';

load * inline [

NTNAME,ACCESS,SECURITYKEY

QlikviewAccount,ADMIN,QV-121-344-422

];

SECTION Application;

star is '*';

load

REPLACE(REPLACE(SECURITYKEY,'{',''),'}','') AS SECURITYKEY,

DATAKEY,

if(SCOPE=0,1,2) as SCOPE

;

sql select ltrim(rtrim(upper(a.userid))) as SECURITYKEY ,ltrim(rtrim(isnull(e.EntityCode,'*'))) as DATAKEY, f.scope as SCOPE

from qlikview_security.dbo.aspnet_Users as a

inner join qlikview_security.dbo.aspnet_UsersInRoles as b

      on a.UserId = b.UserId

inner join qlikview_security.dbo.aspnet_roles as c

      on b.RoleId = c.RoleId

left join qlikview_security.dbo.UsersEntities as d

      on a.UserId = d.UserId

left join qlikview_security.dbo.Entities as e

      on d.EntityId = e.EntityId

inner join qlikview_security.dbo.UserDemographic as f

      on a.UserId = f.UserId

where lower(c.rolename)<>'registered' and active = 1;

//

load * inline [

SECURITYKEY,DATAKEY,SCOPE

QV-121-344-422,*,1

];

Thanks for your assistance,

Dirk

1 Solution

Accepted Solutions
Not applicable
Author

Hi Daniel,

With the help of our partner group we were able to determine and resolve the issue.

When using publisher to loop and reduce in combination with section access the services account or whatever account your using for the section access in the publisher job cannot be included in the section application section of the script otherwise all data will be reduced to that accounts key.

So we updated our publisher job to specifically use the QLIKVIEWACCOUNT and we updated the script to the following(simplified):

star is '*';

SECTION Access;

load * inline [

NTNAME,ACCESS,SECURITYKEY,SCOPE

DBRADLEY,ADMIN,DBRADLEY

TESTUSER,USER,TESTUSER,2

QLIKVIEWACCOUNT,ADMIN,*,*

];

SECTION Application;

load * inline [

SECURITYKEY,DATAKEY

DBRADLEY,1

TESTUSER,2

TESTUSER,3

];

//Load Data to link to

Data:

load * inline [

DATAKEY,DATA

1,ONE

2,TWO

3,THREE

];

*Note that the QLIKVIEWACCOUNT is not present in the Section Application of the above script.


All users are now able to access the appropriate documents and the data is reducing properly.

Thanks for your help,

Dirk

View solution in original post

6 Replies
danielrozental
Master II
Master II

Dirk, are you dealing with a really large application? why the need to do both a loop & reduce and section access?

Have you tested to see if section access works without doing a loop & reduce?

Not applicable
Author

Hi Daniel,

Thanks for your response.

Yes it is a large application and for needs to be broken into secure large units. These units are than further reduced by section access according to users needed access.

I removed the loop and reduce from the test job and redistributed. No user can access the document except for the

Qlikview Services account I created on the authentication site (QlikviewAccount) in inline load in the above script.

Regards,

Dirk

danielrozental
Master II
Master II

Dirk,

I can't figure out if you're doing something wrong, I would just test with a really simple document, made all by inline tables to check if section access is working fine.

Check the following too please

- Make sure all field names and field contents in the section access part are in upper case, even the USER and SECURITYKEY fields.

- I would also try a simpler SECURITYKEY, just words maybe.

- Can you try loading the section access info from a file instead of a database? I believed that didn't work in previous qlikview versions.

If that doesn't work I would suggest bringing it up with support as they'll be able to do a webex and check everything up.

Not applicable
Author

Hi Daniel,

I tried your suggestion with the following security script:

star is '*';

 

SECTION Access;

load * inline [

NTNAME,ACCESS,SECURITYKEY

DBRADLEY,ADMIN,DBRADLEY

BOBTESTER,USER,TESTUSER

QLIKVIEWACCOUNT,ADMIN,QV

];

 

SECTION Application;

load * inline [

SECURITYKEY,DATAKEY

DBRADLEY,1

BOBTESTER,3

QV,*

];

 

//Load Data to link to

Data:

load * inline [

DATAKEY,DATA

1,ONE

2,TWO

3,THREE

];

The result is the same as before. All users receive the no access pop-up except the Qlikview services account.

I will try working through support to see if this is a server or document setting.

Regards,

Dirk

Not applicable
Author

Hi Daniel,

With the help of our partner group we were able to determine and resolve the issue.

When using publisher to loop and reduce in combination with section access the services account or whatever account your using for the section access in the publisher job cannot be included in the section application section of the script otherwise all data will be reduced to that accounts key.

So we updated our publisher job to specifically use the QLIKVIEWACCOUNT and we updated the script to the following(simplified):

star is '*';

SECTION Access;

load * inline [

NTNAME,ACCESS,SECURITYKEY,SCOPE

DBRADLEY,ADMIN,DBRADLEY

TESTUSER,USER,TESTUSER,2

QLIKVIEWACCOUNT,ADMIN,*,*

];

SECTION Application;

load * inline [

SECURITYKEY,DATAKEY

DBRADLEY,1

TESTUSER,2

TESTUSER,3

];

//Load Data to link to

Data:

load * inline [

DATAKEY,DATA

1,ONE

2,TWO

3,THREE

];

*Note that the QLIKVIEWACCOUNT is not present in the Section Application of the above script.


All users are now able to access the appropriate documents and the data is reducing properly.

Thanks for your help,

Dirk

danielrozental
Master II
Master II

Ok great, thanks for the update.