Is it possible to run QV Publisher tasks under different users. The reason i am asking this is the following :
For instance we have 2 domains : Marketing and Sales. Users from Sales are not allowed to access certain Marketing info. But as a consequence of the fact that all the Publisher tasks run with the same user, there is no possibility to do this. Actually, if the sales people know the name and location of the Marketing data, they can use this path in their script and schedule it in the publisher. The publisher runs this task with the global machine user, which runs also tasks for finance, and has access to as well the Sales as the marketing data.
This seems to be a security leak to me, because in this way users can see data, they are not allowed to!
Is there any solution for this or am i working in a wrong way?
A task does not have access to data - a QlikView Application has. The task simply reloads and if necessary distributes/publishes the qvw file.
Are you aware of the Section Access feature with the "Initial data reduction based on section access" option? I believe this should cover your concerns.. Attached you can find a useful introduction section access.
On the one hand you are saying "AdminU as QV admin has rigths to ProductsSold.qvd AND Campaigns.qvd" and on the other hand it suprises you "if we run this script with user AdminU, then we are able to access Campaigns.qvd, even if this application was built by SalesU".
Have you considered working with Folder security instead?
If we use AdminU as QDS-account (QDS : Qlikview Distribution Service), then we MUST give AdminU access to both QVDs because he runs tasks as wel for Sales as for Marketing.
And that's the whole problem. SalesU can put this in his script :
LOAD * FROM (qvd);
And although he does not have access to this data, he will be able to retrieve the data because the job in the publisher is executed by the AdminU account. That's my question, can we run scheduled tasks at night on a server (via the publisher) with the rigths of the user who created this task instead of that 1 user who executes all the tasks
You can use NTFS security, so even if for example a Marketing user tries to reload info taken from a Sales QVD, he won't be able to do it. Also you may want to give it a check to QlikView Deployment Framework which is a group where you can find documentation of how to deploy QlikView in an enterprise environment,
I would say it´s a matter of planning and administrate..
As suggested, if someone has access to Administrator account, and put script varibles in load statements, that is not suppose to be done, for security reasons, then I would say that you have to see over your planning for folder security.
But you could run a batch/vbs script, execute it with a Sales vs Campaign user calling Qv.exe instead of running it with QlikView Distribution Service