I'm having a rough time with user security model. In short, I've just configured some new users into a user document, but AccessPoint is giving them - along with some of the previously-successfully-added users - 'No documents', and I cannot figure out what's going on.
I'll describe our configuration, then what I've observed from the logs and finally some of the things I've tried.
We're using Active Directory with QV10. Complicating this is that our users belongs to Production AD domains but we're operating in a QA AD domain (cross-domain AD group updates typically take about 2 hrs to update, but I made the updates about 6 hours ago now). When they open the AccessPoint in IE8, their domain & id show correctly in the top-right corner of AccessPoint, so that's flowing through ok.
We have a QA domain AD group for our users, and its name is listed in QEMC > User documents > mydocument.qvw > Authorization. The users are listed in that AD group.
The users have Document CALs statically configured, and there are CALs to spare in our pool.
The Section Access for the document merely lists ACCESS and NTNAME, and all the users are listed therein with 'USER' access and NTNAME in DOMAIN\USERID form.
Observations of Logs
Using one of my new-user colleagues as a test case , I observe the following.
Windows Event Viewer / Application shows nothing at around the time of the logon event. WebServer/Log/20120214.txt shows a flurry of 'request received' events, culminating in a <Global method="GetAdminDocListForUser"> XML element, soon followed by a <Global><DocList>...</DocList></Global> that lists no documents.
QlikViewServer/Events_<server>.log has no events around this time, and its only reference to the user is from when I configured him in the Document CAL list.
Using one of my already-a-user-but-can't-access-now colleagues as a test case, I observe the same as the previous user (except that she also has entries in the QlikViewServer\Sessions_<server>.log from 6 days ago).
Things I've Tried
Bouncing the services Delete & rebuild the Section Access List Delete & rebuild the reload task
OK, that's about it. Can anyone cast any light on this? Is there anything that I've missed?
I may have missed something, but Authorization in the QEMC should only appear if you are using DMS (custom directory) instead of NT users. But it seems that your users are able to logon to the domain. Do their group have NTFS permissions on the folders where the documents are? At least read and write permissions are required in the folders where the QVW files are stored so they can open documents and use the session recovery feature (that creates a bookmark stored in the File.qvw.Shared file).
If they are members of some cross domain group or local group they may need to logon to the Server to take full membership from their groups.
Apart from that, are you experiencing this issues from an upgrade from earlier versions or is it just a fresh installation of QlikView Server? Did you check in the QEMC, System, QlikView Web Servers that the folders under "Web" tab exist?