Not applicable

Reload with Section Access under different user fails

I am working on a project, where access to the qvw should be extremely limited. Due to security reasons, the general service user which runs all services on the Qlikview Server should not have access to this specific qvw file.

I was attempting to work with the task option "Reload" - "Section Access" - Username/Password - but all attempts to reload the document via the task fail. If I reload the document directly from the client when connected as the same user, all goes well.

Below the error log from the reload.

We are running Qlikview 12 SR5.

(2017-04-06 09:09:22) Information: Starting task 'xxxxxxx'. Id:7e0fda33-8d13-4efa-a8ab-03d8e2d7722a. Triggered by 'ManualStartTrigger'. Id:00000001-0002-0003-0405-0607080a0b0c

(2017-04-06 09:09:22) Information: Entering Task Execution.

(2017-04-06 09:09:22) Information: ClusterID=1

(2017-04-06 09:09:22) Information: QDSID=3030ed33-4bf2-84dc-c7c1-2af29e157ffe

(2017-04-06 09:09:22) Information: TaskID=7e0fda33-8d13-4efa-a8ab-03d8e2d7722a

(2017-04-06 09:09:22) Information: MaxRunTime=1.00:00:00

(2017-04-06 09:09:22) Information: MachineName=QLIKVIEW1

(2017-04-06 09:09:22) Information: Max attempts:1

(2017-04-06 09:09:22) Information: Current Attempt=0

(2017-04-06 09:09:22) Information: Task Dependencies are OK

(2017-04-06 09:09:22) Information: Document is marked to be Reloaded with fresh data. Initializing Reload for Distribution.

(2017-04-06 09:09:22) Information: Opening "C:\QlikView_SourceDocs\xxxxxxxxx.qvw"

(2017-04-06 09:09:22) Information: Allocating new QlikView Engine. Current usage count=2 of 4 (of type non-reader).

(2017-04-06 09:09:22) Information: Max retries:5

(2017-04-06 09:09:22) Information: Attempt:01

(2017-04-06 09:09:24) Information: Opened the QlikView Engine successfully. ProcessID=14132

(2017-04-06 09:09:24) Information: Allocated QlikView Engine successfully. Current usage count=3 of 4 (of type non-reader). Ticket number=4194.

(2017-04-06 09:09:24) Information: Loading document "C:\QlikView_SourceDocs\xxxxxx.qvw" (0.20 Mb)

(2017-04-06 09:09:25) Information: Physical FileSize=0.20 Mb. Memory Allocation Delta for this file=4.73 Mb. Available Physical Memory Before Open=599.11 Mb. Available Physical Memory After Open=586.11 Mb. Total Physical Memory=32767.55 Mb.

(2017-04-06 09:09:25) Information: Attempted to load the document without data.

(2017-04-06 09:09:25) Information: The document was loaded successfully.

(2017-04-06 09:09:25) Information: Document was opened successfully

(2017-04-06 09:09:25) Information: Starting reload

(2017-04-06 09:09:25) Information: The Source Document is being reloaded. DocumentPath=C:\QlikView_SourceDocs\xxxxxxx.qvw

(2017-04-06 09:09:25) Information: The Source Document reload complete. DocumentPath=C:\QlikView_SourceDocs\xxxxxxx.qvw

(2017-04-06 09:09:25) Information: Memory Allocation Delta for this file=4.82 Mb. Available Physical Memory Before Reload=584.70 Mb. Available Physical Memory After Reload=586.32 Mb. Total Physical Memory=586.32 Mb.

(2017-04-06 09:09:25) Error: The Source Document was NOT reloaded successfully. DocumentPath=C:\QlikView_SourceDocs\xxxxxxx.qvw.

(2017-04-06 09:09:25) Information: Closing the document.

(2017-04-06 09:09:26) Information: Closed the QlikView Engine successfully. ProcessID=14132

(2017-04-06 09:09:26) Error: The task "xxxxxxxx" failed. Exception: || QDSMain.Exceptions.TaskFailedException: Task execution failed with errors to follow. ---> QDSMain.Exceptions.ReloadFailedException: Reload failed ---> QDSMain.Exceptions.LogBucketErrorException: The Source Document was NOT reloaded successfully. DocumentPath=C:\QlikView_SourceDocs\xxxxxxxxxxx.qvw. || at QDSMain.ReloadTask.VerifyConditions(TaskResult taskResult) || at QDSMain.ReloadTask.Reload(String fileName, TaskResult taskResult, String sectionAccessUserName, String sectionAccessPassword, eReloadOptions reloadOption, String variableName, String variableValue, Boolean moniterCpuUsage) || --- End of inner exception stack trace --- || at QDSMain.ReloadTask.Reload(String fileName, TaskResult taskResult, String sectionAccessUserName, String sectionAccessPassword, eReloadOptions reloadOption, String variableName, String variableValue, Boolean moniterCpuUsage) || at QDSMain.DistributeTask.Execute(TaskResult currentTaskResult) || --- End of inner exception stack trace --- || at QDSMain.DistributeTask.Execute(TaskResult currentTaskResult) || at QDSMain.Task.AbstractTask.TaskExecution(ILogBucket logBucket, TaskResult taskResult)

(2017-04-06 09:09:26) Information: Task Execute Duration=00:00:03.6788522

(2017-04-06 09:09:26) Information: TaskResult.status=Finished

(2017-04-06 09:09:26) Information: Notifying all triggers of new state:FinishedWithErrors

(2017-04-06 09:09:26) Information: Notifying all triggers of new state:FinishedWithErrors - completed

(2017-04-06 09:09:26) Information: Saving Task Result

1 Solution

Accepted Solutions
Miguel_Angel_Baeyens

I see your point here.

The way QlikView works is using a user with enough privileges to write, read and interact with the operating system in different ways (creating files, writing permissions, reading config files, etc.). Among other things, this service account runs the QlikView software, and one of the functions is triggering reloads when they need to happen. So the user which starts and actually runs the reload process is the service account, and that cannot be changed without heavy third party development to impersonate one process as another user.

However, section access allows you to achieve what you want: even if the service account will be the one reloading and saving the file, you can specify a pair of USERID/PASSWORD (which from the security standpoint, is way less secure than using an NTFS account) which this service account must use to open the application.

Again, think of the service account as any other QlikView user. Now, let me use an example: I have an application with a section access using both NTNAME and USERID/PASSWORD. My username is DIR\MBAEYENS and has ADMIN access on the application. Your user, DIR\CKOFLER is not in the section access table.

However, I want you to open the application to validate some charts and figures for me. While your user's NTNAME is not in my section access table, I give you this userid and password so you can open the app.

The same thing happens with this section of the task in the reloading process. It is the "servicesmcrmeservice" account that opens the file, just as it is CKOFLER who opens the file in the example above. However, it will use the username and password to authenticate in the application.

Now, this username and password must be specified hardcoded in the section access table, meaning it is a string of text for both the username and password.

See the example below, one step further:

Section Access;

// Users from the company Active Directory
NTNamesTable:
LOAD * INLINE [
ACCESS, NTNAME, USERID, PASSWORD, COUNTRYCODE
ADMIN, DIR\MBAEYENS, *, *, *
USER, DIR\CKOFLER, *, *, ES
USER, DIR\CKOFLER, *, *, DE
];

// user with full country permissions to reload, NOT in Active Directory
LOAD DISTINCT
  'ADMIN' AS ACCESS
, '*' AS NTNAME
, 'RELOADER' AS USERID
, 'yxlJxRW85#dF9' AS PASSWORD
, COUNTRYCODE
FROM CountryCodes.qvd (qvd);

Section Application;

When opening the application, security will apply as follows:

  • User DIR\MBAEYENS is allowed to see all countries, and when opening the file locally, do whatever (ADMIN).
  • User DIR\CKOFLER is allowed to see only DE and ES as countries, and when opening the file locally, will be able to do some things as defined by the admin, but not all (like, no reload or no export)
  • Any other user will be prompted to provide a user name and a password. If the credentials above are not used, the user will be denied access and will not be able to open the application, either locally or on the AccessPoint.

Following this example, when the reload happens, user "VIZRTINT\servicemscrmeservice" will try to open the file, and unless the task has "RELOADER" as User Name and "yxlJxRW85#dF9" as the password specified in the QMC, the reload will fail. Yet, the user who will perform the reload, open the file and save it, will be "VIZRTINT\servicemscrmeservice" which has no access whatsoever to the information contained in the application.

Nevertheless, this is not the most secure way to prevent anyone from reading information from the application, as the password for the task must be stored somewhere. It is stored encrypted (I don't know the algorithm that Qlik uses) but still not a good idea if security is the utmost concern.

Hope this makes it a bit clearer now.

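The row matching described in the answer above, as a small Python model (an added example, not part of the original post and not Qlik's implementation). `COUNTRY_CODES` is constructed data standing in for CountryCodes.qvd, and the wildcard handling assumes Qlik's documented rule that `*` means any value in a system field but only the listed values in a reduction field.

```python
# Simplified model of Section Access matching for the table in the answer.
# Constructed sample data: COUNTRY_CODES stands in for CountryCodes.qvd.
COUNTRY_CODES = ["DE", "ES", "FR", "US"]

ROWS = [  # (ACCESS, NTNAME, USERID, PASSWORD, COUNTRYCODE)
    ("ADMIN", "DIR\\MBAEYENS", "*", "*", "*"),
    ("USER", "DIR\\CKOFLER", "*", "*", "ES"),
    ("USER", "DIR\\CKOFLER", "*", "*", "DE"),
] + [("ADMIN", "*", "RELOADER", "yxlJxRW85#dF9", c) for c in COUNTRY_CODES]


def _match(cell, supplied):
    # In a system field "*" accepts any value, including none supplied.
    return cell == "*" or (supplied is not None and cell == supplied)


def open_document(ntname, userid=None, password=None, rows=ROWS):
    """Return (access, countries) for the opening identity, or None if denied."""
    hits = [r for r in rows
            if _match(r[1], ntname)
            and _match(r[2], userid)
            and _match(r[3], password)]
    if not hits:
        return None  # no row matches: the document does not open
    # In a reduction field "*" means every value listed in Section Access.
    listed = {r[4] for r in rows if r[4] != "*"}
    countries = set()
    for r in hits:
        countries |= listed if r[4] == "*" else {r[4]}
    access = "ADMIN" if any(r[0] == "ADMIN" for r in hits) else "USER"
    return access, sorted(countries)


if __name__ == "__main__":
    svc = "VIZRTINT\\servicemscrmeservice"
    print(open_document(svc))                               # task without credentials
    print(open_document(svc, "RELOADER", "yxlJxRW85#dF9"))  # task with credentials
    print(open_document("DIR\\CKOFLER"))
```

Because the RELOADER rows list every country code, they are also what makes the `*` on the DIR\MBAEYENS row expand to all countries in this model.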

16 Replies
Peter_Cammaert
Partner - Champion III

The posted tasklog isn't very helpful. It simply says that the reload failed. Could be due to one or more of a hundred reasons. Check these:

  • Are there any error messages in the DocumentLog?
  • Is the Section Access user defined as ADMIN? I'm assuming that this is the case, or this user would not be able to reload a protected document in QV Desktop. But we need to be sure...
  • Is the Section Access user allowed to save the document in the target directory?
  • Which type of Section Access are you using? NTNAME or USERID/PASSWORD?
Not applicable
Author

Hi Peter,

Thank you for the quick response.

I did not have DocumentLog activated for this QVW, but tried that now, ran another reload but could not find any files. According to another forum post I found, those should be somewhere in C:\ProgramData\QlikTech\DistributionService\ or C:\ProgramData\QlikTech\DistributionService\1\Log but when I searched for the file, I did not get any results.

To confirm:

Section Access User is ADMIN and allowed to save the document in the target directory (Accesspoint I assume). We are using NTNAME for section access and have not had any issues in the 20+ other qvw files we have - which however are all reloaded with the standard service user.

Additional info:

As I have a close timeline, I have temporarily requested the standard service user to have read access to the restricted directory where all my data files are located. After attempting to run the task now - with Section Access on that other user set - I no longer get any error messages.

After trying to remove data permissions for the standard service user and keeping the Section Access Reload on the other user, the reload fails again. So to me it looks like even if we attempt to reload a file with another user than the standard user - the standard user still must have access permissions to both data source and the file.

If this is the case, we have a security risk that will potentially kill the project. I hope there is a solution for this.

awhitfield
Partner - Champion

Hi Carola,

the document log is created in the same folder as the actual qvw.

Andy

Not applicable
Author

Hi Andy,

thank you for confirming the path. To reduce the back-and-forth in this phase, I am storing the test files directly on SourceDoc. There I could not find a DocumentLog.txt file - but a couple of DOCUMENTNAME_TIMESTAMP.txt files - containing only my script from the data load.

I am attaching the version that would coincide with my attempt to remove the standard qlikview user from the permission table for section access.

awhitfield
Partner - Champion

DOCUMENTNAME_TIMESTAMP.txt file - that is the document log file 😉

Bill_Britt
Former Employee

Hi Carola,

This log doesn't help. It is not the log when the document was run.

Does this happen on all documents that have section access applied?

Is the service account that the distribution service is running under part in Section Access?

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
Not applicable
Author

Hi Bill,

I do not keep DocumentLogs normally - I only activated it for this specific qvw, then ran the reload task via the Management Console- and this was the file I found in the folder afterwards. If there are any other ways for me to provide a proper log file, please let me know. I already thought that a txt containing my script is not really what will help in this case.

To answer your questions: I work with section access on lots of qvw files - they all keep the permission data in the same way. What's special with this qvw: the data security level of this is very high, so the goal is that users who have the password of the regular service user cannot log on to Qlikview and work with the file. My first approach was to work with the "Section Access" flag under the RELOAD tab of the task (which is what I have not done before), where I entered actually myself for test purposes as the other user. I have full permissions on Qlikview, the server, the restricted data area and the restricted file. This was not successful until I enabled data access to the standard service user and also included the standard service user in the permission file for the section access.

The HELP page on this tab is not extremely extensive - it says: enter username and password - which is what I did. Exactly as it appears in the permission file for section access. So the problem could be that my expectation of "Section Access" under "Reload" is wrong.

To confirm again: the goal would be to reload and publish a restricted document with a new service user, which is not the same user that runs all Qlikview services. The standard service user that usually operates Qlikview should not have access to the data source or the published document.

So if you could as a next step confirm if my expectation of "Section Access" under "Reload" is realistic or not - I may have to close this question and open another one in a different group, to get advice on the core requirement.

Bill_Britt
Former Employee

What version of Qlik are you running?

Does the account you are trying to use have the necessary rights to all the data?

Enable the logging in the QVW and then post the Document log after the reload with the task log.

Attach your SA header line

ACCESS NTNAME >>>>

Bill

Not applicable
Author

Hi Bill,

The Qlikview version as well as a task log from a reload attempt when the error occurred is included in my initial question. And I enabled logging in QVD, produced a DocumentLog which is attached to my response to Andy further up.

Section Access is working - I established that while manually reloading the document. Plus when giving the standard Qlikview service user read-access to the restricted directory as well as including it in the section access permissions, the reload task where I specify another user under "Section Access" in the "Reload" tab also works - however once we remove the standard Qlikview service user from the section access for that document, the reload task fails.

Is "Section Access" under "Reload" supposed to replace any permissions of the standard Qlikview Service User? It does not look like it.