Thank you Peter for your reaction, yet I am not 100% sure I understand you.

We currently have both the LDAP as the Configurable ODBC listed as DSC.

The authentication is still done using LDAP (SSO as you are logged in directly when opening the AccessPoint).

We (think we) have used the same usernames in the views in the ODBC. Added the groups in ODBC to the QVW.

The idea would be that, since the usernames match, the groups usernames and groups in ODBC could now used when authorizing people to QVWs.

But what you are saying is "nice idea, but not going to work".

However... if that is the case, what would be the use of the Configurable ODBC to begin with (as I don't see how it could be used stand-alone by lack of password field in the definition)?

Again: I am not 100% sure I understand you correct, so you might be trying to say something else.

There is (I have not heard this has changed in 12.x) a limitation with windows/NTLM based logins in that the groups come through with the login therefore the groups from the DSC are ignored.  This sounds like what you are trying to do.

The only way I know of to achieve what you want to do is to use ADFS & SAML to handle the login.  This is not supported out of the box and requires a 3rd party integration like Shiboleth.

This is not a simple thing to do.  If you don't already have ADFS & SAML expertise  I would not go down this path.  My suggestion would be to talk to Qlik or a Qlik Partner about your requirement and what you want to do is not going to be 'in the manual'.

Cheers.

Thank you for your reply.

If this won't work without 3rd party software, I do wonder why one would add the Configurable ODBC to the DSC when it can't contain a password (according to the documentation), so you can't use it stand-alone.

Not looking forward to inform the customer that what they had in mind won't work, so hoping someone comes along who does know a way to get this to work ("not in the manual").

Probably because QlikView doesn't really care about passwords and authentication. There is only one exception to that rule: Custom Directory which is governed entirely within QlikView.

All the others (except for AD & Co)  are just Directories that list user IDs and their group membership. And while a directory service *could* include stuff like permissions or ACLs, that is not what QlikView tries to pull through the DSC connection. Pretty boring stuff, huh?

What I remember from my own experiments some years ago was that you can't mix directories. I once thought I could move group management to QlikView so that while still using AD user accounts but without AD groups (imagine having to go and ask an official admin for a group change every day...) we could make document access management more efficient. That was a no-no (DMS with AD & custom groups = empty accesspoint‌) as the group membership resolution seemed to work just fine, but the services that tried to deduce corresponding authorizations didn't agree...

You seem to be fighting a similar fight here. Note that I don't have experience with the mix of DSCs you are trying to patch together. But the results look an awful lot like what I got a while ago.