Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.

Is Section Access ignoring the domain part of NTNAME?

I am having this weird situation where QlikView Server is granting access to a user that resides in a different domain than the one specified by the NTNAME field.

Imagine a user in the original domain ABC has an NTNAME value in Section Access of ABC\BOB. That user was moved to a new domain XYZ weeks ago, and since then has been unable to log into the old domain in Windows. So everywhere in QlikView (CAL assignment, distributions etc.) this user is now known as XYZ\BOB. Printing =OSUser() in a text box on a sheet confirms his AD identity.

Unfortunately, NTNAME still specifies ABC\BOB, which would in my opinion deny access to this document to user BOB. Not so... The user XYZ\BOB with NTNAME value ABC\BOB is still granted access to the document.

Is Section Access ignoring the domain part when comparing NTNAME values to the logon ID as returned by the OS?

Note that Section Access is working (user XYZ\PHIL cannot get in: Access Denied) and NTNAME has an exact copy in a field in Section Application for inspection. This field is also reduced to ABC\BOB by Data Reduction.

Peter

7 Replies

Re: Is Section Access ignoring the domain part of NTNAME?

Hi Peter,

That sounds very strange and I can only think of silly questions like: Is strict exclusion enabled? Is Session recovery enabled? Would clearing the browser cache help?

Which releases of QV and which client/browser are used?

- Marcus

Re: Is Section Access ignoring the domain part of NTNAME?

Hi Marcus, thanks for replying.

As to your questions (they're far from silly, on the contrary):

  • Yes, strict exclusion has been enabled. This is shown by the NTNAME field copy getting reduced to the ID of the current user. Only with the wrong domain.
  • Yes, Session recovery is enabled. However, if that would circumvent security, then we're in deep s**** trouble.
  • No, that doesn't help anything. Unfortunately, whatever external fixes we apply, the documents keep showing conflicting OSUser/NTNAME values.

We're using 11.20SR12 with the AJAX client in a variety of browsers (mainly IE and Chrome).

Peter

Re: Is Section Access ignoring the domain part of NTNAME?

I suppose the question is whether the user is being authenticated against their NTNAME or SID?

If the authentication is by the user's SID, then changing the user's domain does not change the SID, so authentication is still valid - this would explain why other users in the new domain do not access QlikView.

There is a post from a few years ago asking the question but with no response.

Qlikview use AD Group Name or SID ?

Re: Is Section Access ignoring the domain part of NTNAME?

Purely logically, it doesn't make sense for Section Access to ignore the domain, especially because with NTDOMAINSID and NTSID there exist further methods to restrict access. Therefore it could be a bug in this release or since release x.

Another thought is that the problem is caused by the way Qlik handles and transfers the information from the OS which performed the authentication. In short, I think it's not a problem of authorization but rather of authentication.

- Marcus

Re: Is Section Access ignoring the domain part of NTNAME?

True Colin, and I can only find vague references in very old Qlik training material to what looks like a real string compare, not an SID translation. I guess they're not using the SID technique as the two domains are still active and all users reside in both domains. Makes it even more scary.

Peter

Re: Is Section Access ignoring the domain part of NTNAME?

Hi Peter,

Are you able to extend the logic of the Section Access table to use the NTDOMAINSID to set the access permissions to the data?

NTDOMAINSID is available as a field in the Section Access table, but there is no function in QV to show the current user's SID. It looks like you will have to investigate with a tool like PSGetSID or PowerShell.

Re: Is Section Access ignoring the domain part of NTNAME?

From the Introduction_to_Section_Access:

The NTDOMAINSID can be derived from the script, "Edit" -> "Insert Domain SID".

The NTSID can be generated via free 3rd party applications such as "Getsid.exe".

- Marcus
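
The replies above point to checking SIDs (PSGetSID, PowerShell, Getsid.exe) when working with NTSID and NTDOMAINSID. As an added example that is not part of the thread or of any Qlik tooling, this PowerShell splits a user SID into its domain SID and RID and compares two accounts. The function names are hypothetical, the SID strings are constructed, and ABC\BOB and XYZ\BOB are the thread's own placeholders.

```powershell
# Added example; Windows only (uses .NET System.Security.Principal types).
# Function names are hypothetical; the SID strings below are constructed.

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)    # e.g. 'XYZ\BOB'
    try {
        $nt = [System.Security.Principal.NTAccount]::new($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$Account' to a SID from this machine."
    }
}

function Get-SidParts {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    # AccountDomainSid is $null for SIDs that are not account SIDs (e.g. well-known SIDs)
    $domainSid = $null
    if ($null -ne $s.AccountDomainSid) { $domainSid = $s.AccountDomainSid.Value }
    [pscustomobject]@{
        UserSid   = $s.Value        # full SID of the account
        DomainSid = $domainSid      # SID of the domain that issued it
        Rid       = ($s.Value -split '-')[-1]
    }
}

function Compare-AccountSid {
    param([Parameter(Mandatory)][string]$SidA, [Parameter(Mandatory)][string]$SidB)
    $a = Get-SidParts -Sid $SidA
    $b = Get-SidParts -Sid $SidB
    [pscustomobject]@{
        SameAccount = ($a.UserSid -eq $b.UserSid)
        SameDomain  = ($null -ne $a.DomainSid -and $a.DomainSid -eq $b.DomainSid)
        DomainSidA  = $a.DomainSid
        DomainSidB  = $b.DomainSid
    }
}

# Constructed SIDs standing in for ABC\BOB and XYZ\BOB
$old = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$new = 'S-1-5-21-1234567890-1098765432-2109876543-2210'
Compare-AccountSid -SidA $old -SidB $new

# On a domain-joined machine, with the real names:
# Compare-AccountSid (Resolve-AccountSid 'ABC\BOB') (Resolve-AccountSid 'XYZ\BOB')
# Get-SidParts ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```

Running the last commented line as the affected user shows which domain SID that session actually carries, which can then be set against the NTDOMAINSID inserted by the script editor.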
