Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
sunny_talwar

Section Access change of roles from ADMIN to USER

Hello All -

I have a weird section access question, which I hope someone can share some light on. I am working on a dashboard where I wanted to test section access for a user. So, I decided that I will test it under my name (as USER) and then revert back to ADMIN.

I ran the script with this

Section Access;

LOAD ACCESS,

Upper(NTNAME) as NTNAME,

Text(SECTION_ACCESS_FIELD) as SECTION_ACCESS_FIELD;

LOAD * INLINE [

    ACCESS, NTNAME, SECTION_ACCESS_FIELD

    USER, domain\talwar, ABC

    ADMIN, domain\qlikview, *

];

Section Application;

Running the above worked beautifully and it just gave me access to rows related to ABC.

Once this was done, I wanted to go back to my ADMIN Role.... but it just wouldn't go back to my normal view.

Section Access;

LOAD ACCESS,

Upper(NTNAME) as NTNAME,

Text(SECTION_ACCESS_FIELD) as SECTION_ACCESS_FIELD;

LOAD * INLINE [

    ACCESS, NTNAME, SECTION_ACCESS_FIELD

    ADMIN, domain\talwar, *

    ADMIN, domain\qlikview, *

];

Section Application;

I have tried to remove section access completely and then bring it back. I have also, tried to remove 'Initial Data Reduction Based on Section Access' and 'Strict Exclusion'. Nothing seem to have worked.

Any ideas why am I seeing this behavior? Is this a bug or by design?

Thanks,

Sunny

1 Solution

Accepted Solutions
madhumitha
Creator
Creator

Hello Sunny,

The * which you have defined under admin is not the all the values from the field, it's just all the listed value in your section access. 

For example, there are 3 rows ABC, DEF, GHI. talwar has access to ABC, and say user X is restricted to DEF field, if the admin is given access to * then admin will have access to both ABC and DEF but not to GHI. That's the behaviour u r seeing

View solution in original post

11 Replies
madhumitha
Creator
Creator

Hello Sunny,

The * which you have defined under admin is not the all the values from the field, it's just all the listed value in your section access. 

For example, there are 3 rows ABC, DEF, GHI. talwar has access to ABC, and say user X is restricted to DEF field, if the admin is given access to * then admin will have access to both ABC and DEF but not to GHI. That's the behaviour u r seeing

sunny_talwar
Author

So how do I give complete access to myself without giving another user DEF, GHI?

Miguel_Angel_Baeyens

It works fine for me, but I always first reload the application without section access, save, close, open and reload again with the new table just in case.

I have not tested what happens during the same reload, but I will and report back. Also, I'm using QV11.20

sunny_talwar
Author

Can you comment on madhumitha‌'s response and my response to her?

daveamz
Partner - Creator III
Partner - Creator III

Hi Sunny,

You need to add all the possible values for SECTION_ACCESS_FIELD in order to make * work the way you expect.

Regards,

David

Miguel_Angel_Baeyens

You have to list a dummy user or another user (I do with one of the ADMIN users) for all possible values for the "*". What Madhumitha mentions is correct, the * in section access table does not mean all values in field but all values in the field of the section access table.

In your example, the second table should not grant access if using strict exclusion and open in server (Ajax or Desktop). Opening locally will work either way.

EDIT: Elaborating a bit more, if in your second table you add any other ADMIN or USER for which SECTION_ACCESS_FIELD has the value "ABC", all * users will have access to "ABC" and "ABC" only.

Also remember that when working as client - server, ADMIN roles do not exist in practice, since using the client you cannot perform tasks like reload, edit the script, etc. so the only way of providing an ADMIN full access is like what you would do with a USER: a line for each value of the field the ADMIN needs to have access to.

The advantage of the ADMIN is that it can open any file regardless of the contents and perform a reload, for example, as long as the file is open locally (or via Publisher, but the behavior here is slightly different).


Said in different words, you should not consider ADMIN as a privileged user when getting via the AccessPoint, rather than a developer who can open the file at any time, even if he cannot see any data, as it must be able to edit the file, reload the file, change the script, etc.

(Side note: that's why ADMIN role was initially removed from section access in Qlik Sense in the earlier versions. Yet, either QlikView or Sense, ADMIN should only be used for service accounts or developer accounts, not for granting more or less permissions over the data, that's what the reduction field is for)

sunny_talwar
Author

Okay, this make sense, will do some testing and will get back to you guys. Thanks for looking this for me guys.

daveamz
Partner - Creator III
Partner - Creator III

You can create a dummy user, with a fictive domain and assign all possible values for SECTION_ACCESS_FIELD to him.

Miguel_Angel_Baeyens

See this among other examples:

Section Access - Help