Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.

Announcements
QlikView Fans! We’d love to hear from you.
Share your QlikView feedback with the product team… Click here to participate in our 5-minute survey.
Rules, plus terms and conditions, can be found here.
Not applicable

Technical question on how QV Server handles Section Access in the back

Hi everyone,

I'm currently faced with an issue regarding section access. More specifically, for some reason users are getting an "Failed to open document. You don't have access to this document".

I'm currently suspecting a possible AD issue, so my question is: When a user clicks on a dashboard in the access portal, how does QlikView determine that user's identity?

Does it validate the user against AD and the check if the name is included in the section access the moment a user tries to open a document?

Or is the username "stored" somehow when the user initially connects to the portal?

The reason I'm suspecting an AD issue is because

  1. users still need to log in to the access portal with their AD credentials, and are not automatically recognized. But trying to log in with wrong credentials is not possible (It is however possible to log in with someone else's credentials)
  2. AD is experiencing performance issues
  3. Even when publishing documents to "All authenticated users'" or "all users", users often don't see all the dashboards for some strange reason. Refreshing then all of a sudden shows other dashboards...
  4. I've tried adding usernames manually in the security settings of a published dashboard on the server. Didn't help either.
  5. Publishing the same dahsboard with seciton access removed, but to Named users also doesn't work. For some reason, that user can't see the dashboard
  6. Publishing that same dashboard without section access, but to "all authenticatedusers" works (ie. user can see the dashboard), but when opening he gets a "Failed to open document. You don't have access to this document".

PS: the service account used for publishing is included in the section access; and then that still wouldn't explain #3, 5 and 6)

All of the above looks like very strange behaviour, and I can't find a way to explain it currently.

All input and thoughts on this matter would be highly appreciated.

1 Reply

Re: Technical question on how QV Server handles Section Access in the back

Hi Tim,

Let me first give you answer to your first question about how it works in background.

When anyone logs in to portal, Qlik Sends the credentials to AD and then AD checks the Authentication of that user. If authenticated, AD sends a positive reply to Qlik and then Qlik Checks the Qlik License against that user. Depending on license Qlik tries to open the application and while opening the application, Qlik Checks the Section Access script for row level Authentication.

You can go through the attached document for more detail.

Now can you feed us with some information like.

1. What version and SR of QlikView you are using.

2. Did you do the "All the required setting for Section Access" like "Initial Data Reduction Based on Section Access".

If possible post a sample script.

Regards,

Kaushik Solanki

Community Browser