Qlik Community

QlikView Security & Governance

Section Access problem

We are attempting to hide salary lines for some users and ran into a problem.  When we added the appropriate lines to the Section Access (see "Changed Section"), Salary was hidden from everyone, including those with QVAdmin rights.  Clearly not a desirable outcome.

Goal:  Prevent those in the QV_OmitSalary AD group from seeing their dept's Salary information, but allow them to see the other dept expenses.

Questions:

What is restricting the admins from seeing the Salary information?

Does anyone see anything wrong with the changed section?

TIA,

John

QV v11.2 SR9

Original:

Section Access;

LOAD * INLINE [

    ACCESS, NTNAME, DEPT_NUMBER_SECURITY, USERID, PASSWORD

    ADMIN, *, *, QVADMIN, QVADMIN

    ADMIN, COMPANY\QLIKVIEW_ADMINS, *, *, *

... this section allows those in their dept (ie: 104, 105, etc...) to see the expenses for their dept, but not any other dept.

    USER, COMPANY\QV_ExpenseMgmt_104, 104, *, *

    USER, COMPANY\QV_ExpenseMgmt_106, 106, *, *

...  about 20 lines removed

    USER, COMPANY\QV_ExpenseMgmt_All, *, *, *

];

Changed Section:

Section Access;

LOAD * INLINE [

    ACCESS, NTNAME, DEPT_NUMBER_SECURITY, USERID, PASSWORD, GLCODE_FIRST4

    ADMIN, *, *, QVADMIN, QVADMIN, *

    ADMIN, COMPANY\QLIKVIEW_ADMINS, *, *, *, *

... this section allows those in their dept (ie: 104, 105, etc...) to see the expenses for their dept, but not any other dept.

    USER, COMPANY\QV_ExpenseMgmt_104, 104, *, *, *

    USER, COMPANY\QV_ExpenseMgmt_106, 106, *, *, *

... About 20 lines removed ....

    USER, COMPANY\QV_ExpenseMgmt_All, *, *, *, *

... newly added lines start here .... allows users in the AD group rights to their dept (505/585) for the listed GLCodes (4820)

    USER, COMPANY\QV_OmitSalary, 505, *, *, 4820

    USER, COMPANY\QV_OmitSalary, 505, *, *, 4821

    USER, COMPANY\QV_OmitSalary, 505, *, *, 5830

... about 120 lines removed with different GLCodes

    USER, COMPANY\QV_OmitSalary, 585, *, *, 4820

    USER, COMPANY\QV_OmitSalary, 585, *, *, 4821

    USER, COMPANY\QV_OmitSalary, 585, *, *, 5830

... about 120 lines removed with different GLCodes

];

7 Replies
Employee

Re: Section Access problem

One thing to keep in mind here is that the star wildcard in the reduction field represents all values listed in the section access table. It does not represent all values loaded in your data table. If all possible values from the data are represented in the Section Access table, then the star will be equal to all data. If you do not have Section Access: Strict Exclusion enabled, try using a reduction value that does not exist if you intend to give the user access to ALL data. For example I often use the reduction value <ALL VALUES> to indicate the intention.

Please notice that all values in Section Access must be in upper case. In this example your NTNAME values are not in UPPER case.

If you find that the reduction is not accurate for a specific user, my suggestion is that you disable section access and validate the reduction by manually applying the reduction (selection). Will the data reduce as expected when you apply the reduction values manually?

IMPORTANT: Always make a backup of your QVW before changing Section Access, so that you can revert to the backup if you lock yourself out.
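The wildcard behaviour described in the reply above, as an added illustration that is not part of the original thread and is not Qlik code: a simplified Python model of reduction on GLCODE_FIRST4 alone, assuming Strict Exclusion is off. The data set, the salary code 5000 and the helper `allowed_codes` are constructed for the example.

```python
# Simplified model of Section Access reduction on one field (GLCODE_FIRST4).
# Assumptions (from the reply above, Strict Exclusion off):
#   - '*' expands to the values LISTED in the Section Access table only
#   - a value that matches nothing in the data means "no reduction"

ALL = "<ALL VALUES>"  # placeholder value that matches no real GL code

# Constructed data: 5000 stands in for a salary GL code (not from the thread).
DATA_GLCODES = {"4820", "4821", "5830", "5000"}

def allowed_codes(section_access, ntname):
    """Return the GL codes visible to `ntname` after data reduction."""
    # Every explicit value in the reduction column, across all rows.
    listed = {code for _, code in section_access if code != "*"}
    requested = set()
    for name, code in section_access:
        if name == ntname:
            requested |= listed if code == "*" else {code}
    matched = requested & DATA_GLCODES
    # No match in the data and no Strict Exclusion: the field is not reduced.
    return matched if matched else set(DATA_GLCODES)

ADMINS = r"COMPANY\QLIKVIEW_ADMINS"
EVERYONE = r"COMPANY\QV_ExpenseMgmt_All"
OMIT = r"COMPANY\QV_OmitSalary"

# The changed table from the question, cut down to (NTNAME, GLCODE_FIRST4).
changed = [
    (ADMINS, "*"),
    (EVERYONE, "*"),
    (OMIT, "4820"),
    (OMIT, "4821"),
    (OMIT, "5830"),
]
# Same table with the unrestricted rows using the placeholder instead of '*'.
fixed = [(ADMINS, ALL), (EVERYONE, ALL)] + changed[2:]

if __name__ == "__main__":
    for label, table in (("changed", changed), ("fixed", fixed)):
        for group in (ADMINS, EVERYONE, OMIT):
            print(f"{label:8} {group:28} {sorted(allowed_codes(table, group))}")
```

In the changed table the admin row resolves to exactly the codes listed for QV_OmitSalary, which is why Salary disappeared for everyone.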

Re: Section Access problem

Toni,

Thanks for the reply.

The upper case rule does not seem to apply to the AD groups.

Using lower case for the AD group (COMPANY\QV_ExpenseMgmt_xxx), people are permitted to see only their department information.  The app has worked with lower case AD group names for over a year now.

When I uppercase COMPANY\QV_ExpenseMgmt_xxx, my test user is requested to enter her p/w. 

John

Employee

Re: Section Access problem

Hi John,

According to the Qlik 11.20 SR10 Reference page 421  "All the fields listed in Load or Select statements in the section access must be written in UPPER CASE.."


Let me update my post with the whole text from the reference manual.

All the fields listed in Load or Select statements in the section access must be written in UPPER CASE. Any field name containing lower case letters in the database should be converted to upper case using the upper function, see upper(textexpression) (page 337), before being read by the Load or Select statement. However the user ID and the password entered by the end-user opening the QlikView documents are case insensitive.

I am not sure why Qlik requires this, but it is documented that way.

Bill

stigchel
Honored Contributor

Re: Section Access problem

The field names yes, but other than that, I agree with John that values in the Fields NTNAME, USERID, PASSWORD can be in lower/mixed case.

One thing to add to Toni's answer would be the notion that ADMIN rights are only intended for offline distribution to restrict the user's ability to alter the security settings. What these admins can see is, like the rest of the users, the values listed in the section access table.

Employee

Re: Section Access problem

I am glad to see that Henric validates my comment about capital letters in his comment on post Section Access

Bill

stigchel
Honored Contributor

Re: Section Access problem

Hi Bill, Do we actually disagree??

Yes, all Field names should be in capitals and all values in Fields should be in capitals, except for the system field values in USERID and PASSWORD (so field names still in capitals). Although not specifically mentioned in the reference manual, I think this applies also to the NTNAME and probably AD Group fields (haven't tried).

Employee

Re: Section Access problem

Hi,

I was taught when I joined Qlik 8 years ago that everything in section access had to be capitalized. USERID and passwords are not case sensitive so these being capitalized is not going to cause an issue with login.

Bill
