Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
karensmith
Contributor II
Contributor II

Section Access using windows users and Network users

I currently have an application that uses section access. User ids are related to a variable vCust. Depending on the user the objects will display data based on customer (vCust) associated to the user.

Here is my script;



Section Access;
Security:
LOAD * INLINE [
ACCESS, USERID, PASSWORD, NTNAME, DIST_ID

ADMIN, admin, xxx, *

USER, TSmith, abc, *,DIST1 ------This a local server user that will access via outside our LAN.

USER, *, *,KSmith,DIST2 ----This is a domain user that will access inside our LAN
];
Section Application;

LOAD DISTINCT DIST_ID, Resident Security;

We currently use Publisher. The application is scheduled in publisher to reload and distribute job.

If I use the 'admin' user and reload via the server development client. Application seems to be okay, but from IE the applicaitons just hangs.

What I don't understand is shoudl the network user connect to Access Point via Network profile and then log into the application. Should the network user be in the distribute list on the server? And, should the local user be in the distribute list on the server?

How should section access work when combined with Publsher and local server users and network users. What all should be configured?



11 Replies
Miguel_Angel_Baeyens

Hello Karen,

You may use the QVUser() built-in function to get the user currently logged into the document to set which objects the user is able to see. Anyway, It's just a comment.

Regarding your section access, when you use IE plugin, by default it sends your Windows login credentials to the AccessPoint and to the section access, if any, in the document. So there is no need for PASSWORD in those records, since QlikView server will compare the login information with Active Directory and allow or deny access accordingly.

Bear in mind that when you open a document in the Desktop application, ADMIN and USER ACCESSes are respected. When you access through the server, all users have USER status, even when they have been explicitly declared otherwise in your script (so they won't be able to reload, access the script and so).

Besides, when you use "*" in section access, it means "all values listed for this field in section access" and they accumulate, so DIST_ID field will have DIST1 and DIST2 for both TSmith and KSmith.

Basically you are mixing user and password users with Active Directory users, and that's where QlikView doesn't know who prevails or even if they have some correspondence between them.

If having a user and password to log into the documents is not a problem for your users, I would set all them up without NTNAME, with their correspondents USERID and PASSWORD field, moreover when you are accessing both from local and wide networks. At least, I'd try for testing with this. Once you have that working, you may concatenate another table with corresponding NTNAME records.

Hope that helps.

karensmith
Contributor II
Contributor II
Author

Miquel,

Thank you for your response. I understand a little better now. If you don't mind I still have one more question. This the only application at the moment that will have the security variation. So, if I set every user up in the script with a user id and password, will I still need to give access from the 'distribute' tab on the server?

thank you in advance

Miguel_Angel_Baeyens

Hi Karen,

I'd suggest you to do so, until you have all your security requirements accomplished and you can use the "*" meaning "all users". It will take some time but it will help you to check how are your users working and reducing data.

Regards.

karensmith
Contributor II
Contributor II
Author

thanks again Miquel.

Still having issues.

I have taken NTNAME out of the script. I have added domain users in the distribute list in QEMC.

Applicaiton shows up in my accesspoint view from IE. It then prompts me to login into application. I user a application user name and password, but DIST_ID is not assigned to that USERID.

But from my client on my PC. DIST_ID is assigned correctly to that same USERID.

Should I take out distribute configuration in QEMC?

Miguel_Angel_Baeyens

Hi Karen,

May I know a little further about your current configuration? I'm sorry but I don't understand your "distribute configuration" and why your section access is not returning the right value for DIST_ID.

Regards.

karensmith
Contributor II
Contributor II
Author



DIST_ID is assigned to specific USERID. (which is defined in Section access of the script)

The frontend objects use the variable vDist in many calculations.

This actually works when using the application from QV Client, but not IE or AJAX.

I am using Section Access for user variable vDist= DIST_ID.



Miguel_Angel_Baeyens

Hello Karen,

Are you using some kind of macro to populate that variable? That may make your document work opened in Desktop but not in server, since some macros (actions, triggers) will not work serverside.

Regards.

karensmith
Contributor II
Contributor II
Author

Not populate the variable, but I was using one to choose a Year value and calendar type. I have tested removing all macros and the result is the same.

The varialbe is populated from the section access



Section Access;
Security:
LOAD * INLINE [
ACCESS, USERID, PASSWORD, DIST_ID, LOGO
//ADMIN, MENA\QlikAdmin, *,*
ADMIN,admin, xxxx

USER,KElzey,aaaa,AVNET, avnet.jpg
USER,KSmith,bbbb,ARROW, murata.jpg

];


Section Application;

LOAD DISTINCT DIST_ID, LOGO Resident Security;



Miguel_Angel_Baeyens

I see Karen,

You are populating your table from Section Access table, which is whay it's not working. Section Access tables are loaded in a different way so you cannot access them (for the sake of the security).

Just do a normal or inline load instead of using the RESIDENT.

Hope that helps!