Qlik Community

QlikView Scripting

Discussion Board for collaboration on QlikView Scripting.

Announcements
QlikView Fans! We’d love to hear from you.
Share your QlikView feedback with the product team… Click here to participate in our 5-minute survey.
Rules, plus terms and conditions, can be found here.
marc_behrens
New Contributor II

Section Access, AD Groups and Kerberos

Hi erverybody,

yesterdy I had the following problem and because I could not find something that described my problem properly, I thought I should post the solution, just in case someone else might be looking for it.

I was trying to implement section access to an existing qvw-document just as it's described in every tutorial.

LOAD * INLINE [

     ACCESS, NTNAME, GROUP
     ADMIN, domain\grp_admin, 0
     USER, domain\grp_user, 1


]
;

(The "GROUP" Field is for datareduction)

There was just one thing- it did not work... If I changed the "NTNAME" information from ad-groups to ad-usernames like

LOAD * INLINE [

     ACCESS, NTNAME, GROUP
     ADMIN, domain\username, 0
     USER, domain\grp_user, 1


]
;

it worked just fine. First I thought there would be a problem with the way QlikView gets the group information from the ad-server but I was missing the fact that our domain is using kerberos for authentification, which caused some (at first glance) weired effects.

1) I did not have access at all to the document, if I used the first script-part.

2) The next day, I had access, but if I changed my group membership, my rights in the qvw did not change

The reason was / is, that a kerberos-token does have a specific duration and changes made in the actice directory do not take effect, until a new token is handed out.

1) I did not have access to the document, because I was developing the application and created the ad-groups while I was logged on to the development machine. Therefore (from a kerberos point of view) I was not a member in the newly created groups, even if I added myself on the domain controller.

2) The next day, I got a new token and had access, but it did not change if I changed my group membership.

Long story short:

Affected users (those with a changed group membership) will have to log off and back on to get a new token and the correct rights in the document.

Sincerely,

Marc

Community Browser