Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hello everybody,
I am struggling with an issue within Section Access.
Currently everything is woking fine and SectionAccess restricts the Data exacty the way as it is supposed to be,
except for the NT-User under which the QlikView Services (especially Distribution Service) is running.
In the Section Access Part this User is mentioned with entry BLANK() on the Limitation Field in order to make a proper reduction.
Unfortunately I cannot Quote this User again (2nd line in script) in Section Access with a Limitation on the reduction field , otherwise Section Access doesn't work anymore and Access is denied on Accesspoint for all users--> which makes sense.
We have not set up a QVService Account on the QV-Server, so the question is:
Is there a possibility to give this ServiceAccount User (who on the one hand is an ordinary User in QlikView and on the other hand is local Admin which has al QV-Services running under) restricted user rights?
I hope I made myself clear.
Thank you in advance.
Hi,
What you are trying to do you will not be able to.
If you use the blank, to reload the document it will not allow the service account to login, because in theory he has no data assign to him and so will be denied.
You can try using *, but there are issues with this also. Star needs all data that has been assigned. So, if you have North, South, East and West and you only assign North, South and East then the reload will only pull that data.
You should never use the service account to access the QVW, other than reloading the data.
Bill
Well, the blank limitation field is only there to allow Access=ADMIN users to see everything when opening a document in QV Desktop.
You can try a single SA entry with Access=ADMIN and the required limitation value. Upon reloading the document on the server, all data will still be stored by the batch reload engine because data reduction is only performed upon opening the document, and the document is open before the reload kicks out all remaining data.
But with this account you will never be able to inspect all data ever again.
Good luck,
Peter
Hi Phillip,
Just provide "ADMIN" as ACCESS for that Service User and give " *(Asterisk) " as value for Limited field in section access.
This should work for you.
Hello Guys,
thank you for your suggestions, but I am afraid to tell that nothing leads to the desired result.
As soon as I mention the Service Account User a second time in the Secion Application part (regardless of BLANK or '*' in the Limitation field), the Application won't open on accesspoint again. So I have to exclude this Service account User in the Section Application Part with the "where" condition. Then every User is limited correctly except for the Service Account (can't open).
Hi,
What you are trying to do you will not be able to.
If you use the blank, to reload the document it will not allow the service account to login, because in theory he has no data assign to him and so will be denied.
You can try using *, but there are issues with this also. Star needs all data that has been assigned. So, if you have North, South, East and West and you only assign North, South and East then the reload will only pull that data.
You should never use the service account to access the QVW, other than reloading the data.
Bill
Hi Bill,
thank you for your Input.
that was my apprehension but I was hoping there would be a workaround.
Many thanks for your fast Support!
Allow me to disagree.
As long as the service account is of Access=ADMIN, there will not be a reduced reload, only a reduced AP View.
See documents in attachment. The QVW has section access with reduction on Region = North,South,East,West. USERIDs are all ADMINs:
USERID A (password A) sees North South East West
USERID B (password B) has data reduction to North South
USERID C (password C) has data reduction to East West.
If I let the QlikView Server perform reloads with Section Access user = B, then user A will still be able to view all regions in the AP, while user B (the reload account) will only have access to North and South.
But of course I'm not making use of this asterisk trick.
Peter
Hi Peter,
There are ways to get around this for sure, but best practice is to load section access before data is loaded. When you do the this "A" user becomes the "Service Account" and will load all the data and then the reduction will be applied to the other users.
EXAMPLE
Section Access;
LOAD * INLINE [
ACCESS, USERID, PASSWORD, REGION
ADMIN, ADMIN, ADMIN,
USER, USER1, U1, AFRICA
USER, USER2, U2, AMERICA
USER, USER3, U3, ASIA
USER, USER4, U4, EUROPE
USER, USER5, U4, AMERICA
USER, USER5, U5, *
];
Section Application;
SALES:
LOAD * INLINE [
REGION, PROFIT
AFRICA, 1000
AMERICA, 2000
ASIA, 3000
EUROPE, 4000
OCEANIA, 5000
];
In this example a reduction field has been added called REGION. The purpose is to
limit the USERS to their sales region profits.
USER1 will only be able to see the profits for AFRICA, USER2 the profits for AMERICA
and USER3 will only see the profits for the ASIA region.
USER4 will be able to see the profits for EUROPE and AMERICA.
USER5 will be able to see all regions listed in the reduction field REGION except for
OCEANIA.
Even if USER5 has “*“ for the REGION reduction field, star means “all listed values”
not all values for the field. Since no USER has OCEANIA listed for the REGION field,
USER5 will not have access to the values for OCEANIA.
If we want USER5 to see OCEANIA as well, we need to add an extra line in our section
access solution
USER, USER5, U5, OCEANIA
Bill
Hi Bill,
while I do agree with you that the asterisk in Section Access is not always what you want it to be, I think this "best practice" is only applicable if the document developer has a perfect idea about what ALL-AND-EVERYTHING really means. After developing multiple security solutions in QlikView, I gradually came to believe that loading section access after everything else is a way better approach, mainly for three reasons:
Aside from all cons that can be brought up against this approach, in this thread the example with the SA at the end clearly did solve the case of not being allowed to assign a reduction value to the Reload ADMIN account.
Thanks for your feedback.
Peter
Hi Peter,
thank you for your Post.
I know how challanging it can be when it comes to more complex security mecanisms.
For those who face this challenge the first time this document might be helpful.(attached).
It shoud exactly cover your mention when it comes to applying data-security on more than just one field ( f.e. 3 fields)
But this 'bridge-table approach' can be applied after the section Access part.
Best regards.