Qlik Community

QlikView Scripting

Discussion Board for collaboration on QlikView Scripting.

reshma_km
Contributor III

Section Access - Access level for users

Hi All,

Suppose I have a dashboard with both USER and ADMIN access levels. And I am authorized to login as either ADMIN or USER from my Qlikview desktop.

I read that "Opening the document via QlikView Server ignores the ACCESS setting, so every user is treated as having USER level access."

This means when I open the dashboard in access point, I can’t login as ADMIN but only as USER? Or even if I login as ADMIN, it will be treated as USER? Or does it mean something entirely different?

Thanks.

1 Solution

Accepted Solutions
MVP
MVP

Re: Section Access - Access level for users

If he has proper access through QMC (that is part of authetication I mentioned above), he can, else not.

8 Replies
MVP
MVP

Re: Section Access - Access level for users

Yes, Admin access is only restricted to desktop mode. So, even if you login in accesspoint as Admin, you would enjoy no advantage of Admin but User. Otherway, if you see, the advantages (save, access doc properties, reload ..) an Admin user has - is not applicable in accesspoint.

reshma_km
Contributor III

Re: Section Access - Access level for users

Can I login as ADMIN even though there are no privileges?

balrajahlawat
Esteemed Contributor

Re: Section Access - Access level for users

After publishing your app on server, admin would be treated as a user only. This admin/USer concept is limited when you are working on dekstop

balrajahlawat
Esteemed Contributor

Re: Section Access - Access level for users

Privileges are applied to avoid unauthorized access, if you sont have any privileges then it is open to access for every one.


And this Admin & User are account which are created for the purpose of avoiding any security risk

MVP
MVP

Re: Section Access - Access level for users

If you meant CAL priviledge, then with no CAL you won't be able to access application on accesspoint even if you are an ADMIN. This is basically authorisation (section access) vs authetication (CAL). In other words, if you are an admin with no CAL, that means you are authorized but not autheticated. And remember, to access on desktop mode you don't need a CAL (provided the document is created by you), so being authorized only works; you can open it even without having a CAL.

reshma_km
Contributor III

Re: Section Access - Access level for users

No.

My question here is:

If a person has only ADMIN as ACCESS level while developing the app in desktop. After publishing it to access point, when prompted for user id and password, if he enters the credentials for ADMIN, will he  be able to see the dashboard?

Or will he be locked out of the document?

MVP
MVP

Re: Section Access - Access level for users

If he has proper access through QMC (that is part of authetication I mentioned above), he can, else not.

Not applicable

Re: Section Access - Access level for users

I think it would be helpful to lend some clarity to this topic is to take a short step back and look at the two environments being discussed. Desktop/Standalone and Server (aka Access Point or Hub/QMC in Sense parlance).

If you need to provide access security to your data in your QlikView or Sense apps when running standalone Desktop (aka Personal Edition in QlikView), you need to have a mechanism to prompt for user and password authentication, and have mechanism for authorizing data access. If running under Desktop, there isn't any external mechanism to provide this functionality, so Section Access allows you to create an app where you essentially define the authentication (userid/role/password) and data reduction based on that login authentication. Typically, a USERID and PASS columns are defined to support this.

When you take the application and run it on a server, now we run the app in an environment that does provide authentication (Active Directory/LDAP for example) that is in use across an entire enterprise. Being that the server environment provides the authentication, there is no longer the need for the QlikView or Sense app to provide that. It should point to/reuse the existing authentication infrastructure and the approach would necessarily have to change in Section Access to reflect that. Hence, having an "Admin" user defined in the app is not needed as this can be defined elsewhere in the server environment using features such as security rules and streams in Sense for example. So one's thinking about Section Access needs to change to reflect the differences between a standalone environment vs a server environment. Furthermore, in a server environment, you would want to use NTNAME vs USERID and PASS for your Section Access table so that you can use your existing Windows domain authentication. The user has already been authenticated before they could even access QlikView/Sense. Whereas standalone, you would want to do the opposite. An ADMIN type user simply has no meaning in a server environment. Just users are consuming the app.

However, under server, there is an additional type of user that would have to be included in Section Access that is not needed in a standalone/desktop environment. This is a "service" account type of user, for example, the account that will run "batch" tasks to reload the app's data (but may not need any interactive access to that data). In Sense, the userid SA_SCHEDULER would have to be added to the Section Access table so it can be allowed to run reload tasks even though no one would login interactively to access the app and its data using that userid. In QlikView, it is the service account.

In summary, keep in mind the two environments are indeed different. One should not be thinking that the approach of Section Access in standalone mode can simply be reused in a server context. There is some commonality, but they need to be approached differently due to the different operational contexts.

One final point that I see in support all too often. When you consider a multi-app deployment, be sure to take into account how you might approach the design of your Section Access. Do you really want to have this hard coded in each an every application? What happens when a change needs to be made and you have deployed 100+ apps that all have the same Section Access code? One should consider using the $(include) or more appropriately $(must_include) feature and store that common code in external (albeit protected) files to be included at reload time. You could include files to point to Section Access code in one case for a "development" or standalone scenario and then to another for a "production" scenario when deploying to a server.

Community Browser