Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.

Announcements

Breathe easy -- you now have more time to plan your next steps with Qlik!
QlikView 11.2 Extended Support is now valid through December 31, 2020. Click here for more information.

Not applicable

QlikView 11.2 SR6 - How would I limit Access Point usage to only a specified Active Directory group?

Question:

How can I limit QV Access Point to only one Active Directory group?

Scenario:

We're a large organization and have a limited number of CAL's available.  We want to limit Access Point usage to a specific group of user that we control using one Active Directory group.  My hope is to prevent CAL's from being assigned to unauthorized users within our organization.  I'd like for those users who don't have permission to get into Access Point to end up hitting some sort of "Access Denied" page where we could redirect them to a link in our user provisioning catalog.

Tags (1)
1 Solution

Accepted Solutions
erikzions
Contributor

Re: QlikView 11.2 SR6 - How would I limit Access Point usage to only a specified Active Directory group?

Do not apply the group assignment to the CALs.  Assign the group to the distribution of the dashboard.  The task to distribute the dashboard to access point in the QMC has a distribute tab.  Distribute the dashboard to named users.  Add the group to that list and only the users in that group will see the dashboard.  You will have to remove the CALs for users who leave the group manually, as I do not know of a way otherwise.  But you can delete all CALs, and users still in the group will get a new one assigned upon opening the dashboard. 

I hope this helps.

5 Replies
MVP & Luminary
MVP & Luminary

Re: QlikView 11.2 SR6 - How would I limit Access Point usage to only a specified Active Directory group?

1. Turn off "Dynamic CAL Assignment" in QMC. Then manually add/remove Named Users CALs.

2. To keep unauthorized users out of Session & Usage CALs, adjust the permissions on the QVW folders to only include authorized user groups. Then unauthorized users will see no content in AP.

-Rob

erikzions
Contributor

Re: QlikView 11.2 SR6 - How would I limit Access Point usage to only a specified Active Directory group?

You could also just distribute to the specific people you want.  Everyone else would not see anything, and therefore not be able to lease a CAL?  Although if you know the specific people turning off Dynamic Call assignment is a good idea.

To do this, edit the task in QMC and under the distribute tab distribute to named users.  Add the specific people or AD group you want and they are the only ones who can see it. 

sarvjeet
New Contributor III

Re: QlikView 11.2 SR6 - How would I limit Access Point usage to only a specified Active Directory group?

- Create AD groups for Desired users. Distribute tasks to Ad group

- Enable dynamic cal allocation

- You can also add section access control in scripts on top of it

User not in Ad group and Section access won't be able to see thumbnail in Access point

-Sarvjeet

Not applicable

Re: QlikView 11.2 SR6 - How would I limit Access Point usage to only a specified Active Directory group?

Thank you for the quick response. 

I've got "Allow dynamic CAL assignment" unchecked.

I've tried designating/adding an Active Directory group to the "Assigned CALs" area but every time I Apply the change and then refresh the page the group is gone again.  Am I only able to designate CALs to individual users and not to a group of users?

The reason I'd like to limit CAL assignments to a group is that the group of users is very dynamic.  We constantly have users being added and removed from this group on a daily basis.

erikzions
Contributor

Re: QlikView 11.2 SR6 - How would I limit Access Point usage to only a specified Active Directory group?

Do not apply the group assignment to the CALs.  Assign the group to the distribution of the dashboard.  The task to distribute the dashboard to access point in the QMC has a distribute tab.  Distribute the dashboard to named users.  Add the group to that list and only the users in that group will see the dashboard.  You will have to remove the CALs for users who leave the group manually, as I do not know of a way otherwise.  But you can delete all CALs, and users still in the group will get a new one assigned upon opening the dashboard. 

I hope this helps.