Qlik Community

QlikView Publisher

Discussion Board for collaboration on QlikView Publisher.

Announcements
QlikView Fans! We’d love to hear from you.
Share your QlikView feedback with the product team… Click here to participate in our 5-minute survey.
Rules, plus terms and conditions, can be found here.
Not applicable

security issue in the QV PUBLISHER

Is it possible to run QV Publisher tasks under different users.  The reason i am asking this is the following :

For instance we have 2 domains : Marketing and Sales.  Users from Sales are
not allowed to access certain Marketing info.  But as a consequence of the
fact that all the Publisher tasks run with the same user, there is no
possibility to do this.  Actually, if the sales people know the name and
location of the Marketing data, they can use this path in their script and
schedule it in the publisher.  The publisher runs this task with the
global machine user, which runs also tasks for finance, and has access to as
well the Sales as the marketing data. 

 

This seems to be a security leak to me, because in this way users can see data, they are not allowed to!

  Is there any solution for this or am i working in a wrong way?

Regards

Sven

Tags (2)
10 Replies
Luminary
Luminary

Re: security issue in the QV PUBLISHER

Why should the users other than the QlikView Administrators have access to the QMC to reschedule Publisher tasks?

Not applicable

Re: security issue in the QV PUBLISHER

Hi Martin

Even if it is the Qlmikview admin, also then it doesn't seem normal to me that a task scheduled for Sales can access any Marketing data, even if Sales has no rights to this data

Thanks for your quick reply

Luminary
Luminary

Re: Re: security issue in the QV PUBLISHER

A task does not have access to data - a QlikView Application has. The task simply reloads and if necessary distributes/publishes the qvw file.

Are you aware of the Section Access feature with the "Initial data reduction based on section access" option? I believe this should cover your concerns.. Attached you can find a useful introduction section access.

Not applicable

Re: security issue in the QV PUBLISHER

Ok the task simply reloads, but imagine that we have 3 users :

AdminU (=the Qlikview Admin user who runs the tasks)

SalesU (=A user from sales)

MarkU (= User from Marketing)

AdminU as QV admin has rigths to ProductsSold.qvd AND Campaigns.qvd

SalesU only to ProductsSold.qvd

MarkU only to Campaigns.qvd

Then, considering the script below ... if we run this script with user AdminU, then we are able to access Campaigns.qvd, even if this application was built by SalesU :

Sales:

LOAD   *
FROM (qvd);

Marketing:

LOAD   *
FROM (qvd);

Luminary
Luminary

Re: security issue in the QV PUBLISHER

The following sentence confuses me:

On the one hand you are saying "AdminU as QV admin has rigths to ProductsSold.qvd AND Campaigns.qvd" and on the other hand it suprises you "if we run this script with user AdminU, then we are able to access Campaigns.qvd, even if this application was built by SalesU".

Have you considered working with Folder security instead?

Not applicable

Re: security issue in the QV PUBLISHER

Martin

If we use AdminU as QDS-account (QDS : Qlikview Distribution Service), then we MUST give AdminU access to both QVDs because he runs tasks as wel for Sales as for Marketing.

And that's the whole problem.  SalesU can put this in his script :

Marketing:

LOAD   *
FROM (qvd);

And although he does not have access to this data, he will be able to retrieve the data because the job in the publisher is executed by the AdminU account.  That's my question, can we run scheduled tasks at night on a server (via the publisher) with the rigths of the user who created this task instead of that 1 user who executes all the tasks

jaimeaguilar
Valued Contributor II

Re: security issue in the QV PUBLISHER

Hi,

You can use NTFS security, so even if  for example a Marketing user tries to reload info taken from a Sales QVD, he won't be able to do it. Also you may want to give it a check to QlikView Deployment Framework which is a group where you can find documentation of how to deploy QlikView in an enterprise environment,

regards

Not applicable

Re: security issue in the QV PUBLISHER

I would say it´s a matter of planning and administrate..

As suggested, if someone has access to Administrator account, and put script varibles in load statements, that is not suppose to be done, for security reasons, then I would say that you have to see over your planning for folder security.

But you could run a batch/vbs script, execute it with a Sales vs Campaign user calling Qv.exe instead of running it with QlikView Distribution Service

Employee
Employee

Re: security issue in the QV PUBLISHER

Hi Sven,

Take a look at the attached. I am sure this will help you on what you want to do.

Bill

Community Browser