Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

security issue in the QV PUBLISHER

Is it possible to run QV Publisher tasks under different users.  The reason i am asking this is the following :

For instance we have 2 domains : Marketing and Sales.  Users from Sales are
not allowed to access certain Marketing info.  But as a consequence of the
fact that all the Publisher tasks run with the same user, there is no
possibility to do this.  Actually, if the sales people know the name and
location of the Marketing data, they can use this path in their script and
schedule it in the publisher.  The publisher runs this task with the
global machine user, which runs also tasks for finance, and has access to as
well the Sales as the marketing data. 

 

This seems to be a security leak to me, because in this way users can see data, they are not allowed to!

  Is there any solution for this or am i working in a wrong way?

Regards

Sven

10 Replies
simondachstr
Luminary Alumni
Luminary Alumni

Why should the users other than the QlikView Administrators have access to the QMC to reschedule Publisher tasks?

Not applicable
Author

Hi Martin

Even if it is the Qlmikview admin, also then it doesn't seem normal to me that a task scheduled for Sales can access any Marketing data, even if Sales has no rights to this data

Thanks for your quick reply

simondachstr
Luminary Alumni
Luminary Alumni

A task does not have access to data - a QlikView Application has. The task simply reloads and if necessary distributes/publishes the qvw file.

Are you aware of the Section Access feature with the "Initial data reduction based on section access" option? I believe this should cover your concerns.. Attached you can find a useful introduction section access.

Not applicable
Author

Ok the task simply reloads, but imagine that we have 3 users :

AdminU (=the Qlikview Admin user who runs the tasks)

SalesU (=A user from sales)

MarkU (= User from Marketing)

AdminU as QV admin has rigths to ProductsSold.qvd AND Campaigns.qvd

SalesU only to ProductsSold.qvd

MarkU only to Campaigns.qvd

Then, considering the script below ... if we run this script with user AdminU, then we are able to access Campaigns.qvd, even if this application was built by SalesU :

Sales:

LOAD   *
FROM (qvd);

Marketing:

LOAD   *
FROM (qvd);

simondachstr
Luminary Alumni
Luminary Alumni

The following sentence confuses me:

On the one hand you are saying "AdminU as QV admin has rigths to ProductsSold.qvd AND Campaigns.qvd" and on the other hand it suprises you "if we run this script with user AdminU, then we are able to access Campaigns.qvd, even if this application was built by SalesU".

Have you considered working with Folder security instead?

Not applicable
Author

Martin

If we use AdminU as QDS-account (QDS : Qlikview Distribution Service), then we MUST give AdminU access to both QVDs because he runs tasks as wel for Sales as for Marketing.

And that's the whole problem.  SalesU can put this in his script :

Marketing:

LOAD   *
FROM (qvd);

And although he does not have access to this data, he will be able to retrieve the data because the job in the publisher is executed by the AdminU account.  That's my question, can we run scheduled tasks at night on a server (via the publisher) with the rigths of the user who created this task instead of that 1 user who executes all the tasks

jaimeaguilar
Partner - Specialist II
Partner - Specialist II

Hi,

You can use NTFS security, so even if  for example a Marketing user tries to reload info taken from a Sales QVD, he won't be able to do it. Also you may want to give it a check to QlikView Deployment Framework which is a group where you can find documentation of how to deploy QlikView in an enterprise environment,

regards

Not applicable
Author

I would say it´s a matter of planning and administrate..

As suggested, if someone has access to Administrator account, and put script varibles in load statements, that is not suppose to be done, for security reasons, then I would say that you have to see over your planning for folder security.

But you could run a batch/vbs script, execute it with a Sales vs Campaign user calling Qv.exe instead of running it with QlikView Distribution Service

Bill_Britt
Former Employee
Former Employee

Hi Sven,

Take a look at the attached. I am sure this will help you on what you want to do.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.