Solved: How to set up a user with all data access? (Data R... - Qlik Community

Permalink · ‎2009-12-16

Hi all,

I'll use an example to make the problem clear:


Section Access;

Star is *;

UserAccess:
LOAD * INLINE [
 ACCESS, USERID, PASSWORD, DEPARTMENT
 ADMIN, a1, a1,
 USER, u1, u1, D1
 USER, u2, u2, D2
 USER, u3, u3, *
 USER, u4, u4
];

Section Application;

Departments:
LOAD * INLINE [
 DEPARTMENT
 D1
 D2
 D3
 D4
 D5
];

The result is the following:

a1 has access to all departments,

u1 has access to department D1,

u2 has access to department D2,

u3 has access only to departments D1 and D2,

u4 doesn't have any access ("Access denied to this QlikView document").

So I can't set up a USER (not ADMIN) with access to all departments. As you can see I tryed both * and null in DEPARTMENT field. But it doesn't work. Is it bug or feature? Maybe it works different on server? I'm using QlikView 9 SR2.

Anonymous · ‎2009-12-17

This is working as designed. If you have strict exclusion turned on and a reduction can't be made (as for a1, u4 and u5) the user will be denied access. If the Access level is ADMIN though, all data will be displayed. Here's an excerpt from the reference manual regarding Strict Exclusion:

This means that access to the document will be denied whenever the field values in
the section access reduction fields lack matches in their corresponding
section application field. This, however, does
not apply for users with Admin status, who instead will see
the unreduced data set if there are no matches.

Also, when accessing the document through client/server, all client connections will be considered USERs so even if you have ADMIN level access in the section access, the user will get USER level access when opening the document from QVS using any of the clients.

View solution in original post

Permalink · ‎2009-12-16

1) First,

can you try to add the following line
USER, u5, u5,
that is to say, the same line than the ADMIN one ? There is a difference (comma) between a1 and u4

2) What version of SR2 are you using ? Is it the 9.00.7320.7 ? If not, please download the SR2 again.
The first SR2 release had a bug about the DMS (security in the qvw) on a server. So maybe it's your problem.

Regards

Permalink · ‎2009-12-17

Bertrand, thank you for the answer.

1. I changed load script to the following:


UserAccess:
LOAD * INLINE [
 ACCESS, USERID, PASSWORD, DEPARTMENT
 ADMIN, a1, a1,
 USER, u1, u1, D1
 USER, u2, u2, D2
 USER, u3, u3, *
 USER, u4, u4,
 USER, u5, u5
];

But neither u4 nor u5 doesn't have access to the file.

2. I've just downloaded build 9.00.7320.7. The problem remains the same.

Anonymous · ‎2009-12-17

This is working as designed. If you have strict exclusion turned on and a reduction can't be made (as for a1, u4 and u5) the user will be denied access. If the Access level is ADMIN though, all data will be displayed. Here's an excerpt from the reference manual regarding Strict Exclusion:

This means that access to the document will be denied whenever the field values in
the section access reduction fields lack matches in their corresponding
section application field. This, however, does
not apply for users with Admin status, who instead will see
the unreduced data set if there are no matches.

Also, when accessing the document through client/server, all client connections will be considered USERs so even if you have ADMIN level access in the section access, the user will get USER level access when opening the document from QVS using any of the clients.

Permalink · ‎2009-12-17

Thank you, Johannes.

So I have to choose between 2 evils)

How to set up a user with all data access? (Data Reduction Based on Section Access is enabled)