Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hi erverybody,
yesterdy I had the following problem and because I could not find something that described my problem properly, I thought I should post the solution, just in case someone else might be looking for it.
I was trying to implement section access to an existing qvw-document just as it's described in every tutorial.
LOAD * INLINE [
ACCESS, NTNAME, GROUP
ADMIN, domain\grp_admin, 0
USER, domain\grp_user, 1
];
(The "GROUP" Field is for datareduction)
There was just one thing- it did not work... If I changed the "NTNAME" information from ad-groups to ad-usernames like
LOAD * INLINE [
ACCESS, NTNAME, GROUP
ADMIN, domain\username, 0
USER, domain\grp_user, 1
];
it worked just fine. First I thought there would be a problem with the way QlikView gets the group information from the ad-server but I was missing the fact that our domain is using kerberos for authentification, which caused some (at first glance) weired effects.
1) I did not have access at all to the document, if I used the first script-part.
2) The next day, I had access, but if I changed my group membership, my rights in the qvw did not change
The reason was / is, that a kerberos-token does have a specific duration and changes made in the actice directory do not take effect, until a new token is handed out.
1) I did not have access to the document, because I was developing the application and created the ad-groups while I was logged on to the development machine. Therefore (from a kerberos point of view) I was not a member in the newly created groups, even if I added myself on the domain controller.
2) The next day, I got a new token and had access, but it did not change if I changed my group membership.
Long story short:
Affected users (those with a changed group membership) will have to log off and back on to get a new token and the correct rights in the document.
Sincerely,
Marc