Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.

Announcements
QlikView Fans! We’d love to hear from you.
Share your QlikView feedback with the product team… Click here to participate in our 5-minute survey.
Rules, plus terms and conditions, can be found here.
bagdwan1
New Contributor

Problem with section access when opening app from accesspoint

Hello,

I'm using section access in my app.

SECTION Access;

USERS:

LOAD * Inline [

  ACCESS, NTNAME, OPERATOR

  ADMIN, CORPUSERS\XSSELDQLIKVIEW, ADMIN

  ADMIN, CORPUSERS\XP011818, ADMIN

  USER, CORPUSERS\23060649, ORANGE

];

SECTION Application;

LinkTable:

LOAD * Inline [

  OPERATOR, SUBOPERATOR_TYPE

  ADMIN, ORANGE_PRIVATE

  ADMIN, HUTCHISON_PRIVATE

  ORANGE, ORANGE_PRIVATE

  ORANGE, HUTCHISON_PUBLIC

];

When opening the app using the QlikView client it works as expected for all users.

But when we open the app from the access point it works for the ADMIN accounts but the USER account is not granted access.

In the Event log we find

2015-11-12 03:12:34 2015-12-02 13:06:06 4 700 Information File Upload: File upload initiated (110.IDD/DIIS.qvw)

2015-11-12 03:12:34 2015-12-02 13:06:09 2 500 Warning SE_LOG: User - GetSFUser: Failed to LookupAccountName1. GLE(1332)

2015-11-12 03:12:34 2015-12-02 13:06:10 4 700 Information FileClose: Upload completed (110.IDD/DIIS.qvw)

2015-11-12 03:12:34 2015-12-02 13:06:18 4 700 Information SE_LOG: Server - Purge: 110.IDD/DIIS.QVW to be unloaded. All(0), Obselete(1), Expired(0).

2015-11-12 03:12:34 2015-12-02 13:06:18 4 700 Information DOC loading: Unloading document D:\QV-DOCS\USERDOC\110.IDD\DIIS.QVW, state UNLOADING.

2015-11-12 03:12:34 2015-12-02 13:06:32 4 700 Information Ticket created: Ticket (BC32BF3F35B5CE85BBA217867F64CDC1C9E53ECE) for CORPUSERS\XP011818.

2015-11-12 03:12:34 2015-12-02 13:06:32 4 700 Information Ticket Lookup: Ticket BC32BF3F35B5CE85BBA217867F64CDC1C9E53ECE was found.

2015-11-12 03:12:34 2015-12-02 13:06:32 4 700 Information SE_LOG: Document Load - ODE1: Document D:\QV-DOCS\USERDOC\110.IDD\DIIS.qvw, AuthenLev(2). Authuser()

2015-11-12 03:12:34 2015-12-02 13:06:32 4 700 Information SE_LOG: Server - LoadDocument: Loading document D:\QV-DOCS\USERDOC\110.IDD\DIIS.QVW

2015-11-12 03:12:34 2015-12-02 13:06:32 4 700 Information DOC loading: Beginning load of document D:\QV-DOCS\USERDOC\110.IDD\DIIS.QVW.

2015-11-12 03:12:34 2015-12-02 13:06:32 4 700 Information SE_LOG: Document Load: File D:\QV-DOCS\USERDOC\110.IDD\DIIS.QVW opened OK

2015-11-12 03:12:34 2015-12-02 13:06:32 4 700 Information Document Load: The document D:\QV-DOCS\USERDOC\110.IDD\DIIS.QVW was loaded.

2015-11-12 03:12:34 2015-12-02 13:06:33 4 700 Information CAL usage: Named CAL "CORPUSERS\XP011818" now used - ok.

2015-11-12 03:12:34 2015-12-02 13:06:33 4 100 Notice CAL usage: Using CAL of type "Named User" for user "CORPUSERS\XP011818". Named user cals in use: 2

2015-11-12 03:12:34 2015-12-02 13:07:26 4 700 Information Ticket created: Ticket (E1922BC809099519988B7899F7155C6BF967E9C5) for CORPUSERS\23060649.

2015-11-12 03:12:34 2015-12-02 13:07:26 4 700 Information Ticket Lookup: Ticket E1922BC809099519988B7899F7155C6BF967E9C5 was found.

2015-11-12 03:12:34 2015-12-02 13:07:26 4 700 Information SE_LOG: Document Load - ODE1: Document D:\QV-DOCS\USERDOC\110.IDD\DIIS.qvw, AuthenLev(2). Authuser()

2015-11-12 03:12:34 2015-12-02 13:07:26 4 700 Information SE_LOG: Server - UpdateSharedFile: updating DONE for document D:\QV-DOCS\USERDOC\110.IDD\DIIS.QVW

2015-11-12 03:12:34 2015-12-02 13:07:27 1 300 Error Server - ConnectToLoaded: TryDinamicRD. AS(3). Strict(1). Access(2). errId(-4).

2015-11-12 03:12:34 2015-12-02 13:07:27 1 300 Error Server - ConnectToLoaded: TryDinamicRD. AS(3). Strict(1). Access(2).

2015-11-12 03:12:34 2015-12-02 13:07:27 4 700 Information SE_LOG: Document Open: Open document: No access to the file 110.IDD/DIIS.qvw (e=-4)

2015-11-12 03:12:34 2015-12-02 13:07:27 2 500 Warning Document Load: The document D:\QV-DOCS\USERDOC\110.IDD\DIIS.qvw failed to load because of no file access [19].

We have Initial Data Reduction Based on Section Access and Strict Exclusion activated.

If we remove Strict exclusion access is granted but the user can see all data in the app.

We have used OSUser() to make sure that when the user CORPUSERS\23060649 accesses the app via accesspoint he really uses the account CORPUSERS\23060649. This was done when we deactivated section access.

We are using QV version 11.20.12852.0  SR 11 64 bit

Does anyone have any idea why access is not granted for the user when he is in the section access table?

br

Martin Norman

1 Solution

Accepted Solutions

Re: Problem with section access when opening app from accesspoint

Best practice says to always reload a document on the server, using a SectionAccess ADMIN account that has nothing in the link field (OPERATOR in your case). The forced reload-before-distribution is especially useful when your document crosses domains (e.g. a consultant develops a document in another domain but with the correct SA entries)

2 Replies

Re: Problem with section access when opening app from accesspoint

I know a similar behaviour which was caused by opening + saving the application without a reload which then prevented the access. If this is the case you need to make sure that always a reload happens before the application is saved.

Further helpful could be to uncomment the section access statement or to load it within the section application again (without further doings synthetic keys will occur but for this testing it's rather not important) to be able to see the connections within the datamodel and to build an access-table within the gui - maybe there is something unexpected. This meant to include checks like len() and on chars chr() / ord() and compare it against osuser() if there not more evidently reasons.

- Marcus

Re: Problem with section access when opening app from accesspoint

Best practice says to always reload a document on the server, using a SectionAccess ADMIN account that has nothing in the link field (OPERATOR in your case). The forced reload-before-distribution is especially useful when your document crosses domains (e.g. a consultant develops a document in another domain but with the correct SA entries)

Community Browser