Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
rob_insley
Partner - Contributor III
Partner - Contributor III
‎2019-09-11 05:35 PM

What is the Impact of Distribution Task on Security

We are migrating from a standalone server to a  separate Publisher /QVS Deployment. As part of this change we are introducing a Distribution Task as opposed to having The Source Document Refresh in situ (Same Source/Mounted Folder)   

However, when introducing a Distribution Task  it appears to impose some changes on the Security.    Section Access on the document in question is designed to use OS_USER and when just a reload task is defined, Users can gain access to their document according to their Windows Login.  However, when a distribution task is added to distribute to a QVS then the same users now get prompted for user credentials.

Is this expected behaviour and how can I keep the same functionality that existed prior to this change, namely Section Access Data Restriction based on OS_USER.

Thanks in advance.

 

 

Labels (3)
Labels
610 Views
0 Likes
1 Solution

Accepted Solutions
rob_insley
Partner - Contributor III
Partner - Contributor III
‎2019-09-24 05:06 PM
Author

In response to Brett_Bleess

Brett ,

Thank you,  I managed to resolve this .  I didn;t expect a Distribution to behave any differently to a straight reload. But as you describe when Strict Exclusion is enabled on the document it will reduce the document according to the Service Users access, as controlled by Section Access and Section Application.    The section access on our document uses OS_USER and then restricts to the rest of the model via USERNAME.  This was causing the Data reduction.  I amended the section access so that the Service User had a * in USERNAME  and this did the trick.

Thanks for taking the time to reply.

View solution in original post

550 Views
3 Replies
Brett_Bleess
Former Employee
Former Employee
‎2019-09-24 12:05 PM

Rob, the most likely issue is the QV Service Account record in Section Access not being setup correctly.  The only real way to troubleshoot this is to load the Section Access table as a normal table instead of Section Access, this will allow you to see the table in the data model and check to see how things align in relation to the data elements you are trying to reduce.  I am including a link to a Design Blog post on Section Access as well, there are some additional blog posts at the bottom of this post, two related to dynamic reduction etc., hopefully these will assist you in figuring out where things are going wrong, but from what you describe, it should be an issue with the Section Access record, or in how you configured the Distribution settings on the task, did you do specific users or what there?

https://community.qlik.com/t5/Qlik-Design-Blog/A-Primer-on-Section-Access/ba-p/1465766

Regards,
Brett

To help users find verified answers, please do not forget to use the "Accept as Solution" button on any post(s) that helped you resolve your problem or question.
I now work a compressed schedule, Tuesday, Wednesday and Thursday, so those will be the days I will reply to any follow-up posts.
562 Views
rob_insley
Partner - Contributor III
Partner - Contributor III
‎2019-09-24 05:06 PM
Author

In response to Brett_Bleess

Brett ,

Thank you,  I managed to resolve this .  I didn;t expect a Distribution to behave any differently to a straight reload. But as you describe when Strict Exclusion is enabled on the document it will reduce the document according to the Service Users access, as controlled by Section Access and Section Application.    The section access on our document uses OS_USER and then restricts to the rest of the model via USERNAME.  This was causing the Data reduction.  I amended the section access so that the Service User had a * in USERNAME  and this did the trick.

Thanks for taking the time to reply.

551 Views
Brett_Bleess
Former Employee
Former Employee
‎2019-09-25 07:18 AM

In response to rob_insley

Hey Rob, just be careful using * though, what that really means is only the values loaded for other users, so if there are values in the reduction field(s) that do not belong to any users, even the service account will fail to load those, which may screw up the analysis or resulting app etc.  

The only way of which I know to completely work around this issue is to create a 'link' table for the service account that contains all the possible values into a single reduction value which is only used for the service account...  This will allow things to work as well.  Hopefully this makes sense.  I am going to mark your post as the solution though, I just wanted to add this to be sure you do not get bitten by something else.

Regards,
Brett

To help users find verified answers, please do not forget to use the "Accept as Solution" button on any post(s) that helped you resolve your problem or question.
I now work a compressed schedule, Tuesday, Wednesday and Thursday, so those will be the days I will reply to any follow-up posts.
540 Views
0 Likes