1 Reply Latest reply: Mar 5, 2015 8:12 AM by Peter Cammaert RSS

    SAP Connector Authorization QTQVCADMIN

      We are testing out the authorizations, and we wanted to test out if we wanted to limit table and field access to users.  

       

      We have user QLIKVIEW_TES, which we assigned QTQVCACCESS, this user works fine we are able to connect using this user and pull table data.   We copied this role to test out the table access to see if we can limit what tables the user can pull and this works fine.   So know trying to use the QTQVCADMIN, we added this role to a user and accessed transaction /n/QTQVC/USERCONTROL,

      The tables that we were pulling were VB* tables in QTQVCACCESS, so I then wanted to test to limit what Sales Organization was being seen.    VKORG,    I the transaction I had

      Table VBAK,  Field name VKORG, Domain VKORG and the value.    I then tried to reload data, but I got all sales orgs.    I think added the User information on the right side I added QLIKVIEW_TES, VKORG, VALUE.    Tried to reload but still got all sales orgs.    If we are going to have a few users that will download the SAP Data into the QVD's does the authorization go to the download users.    I understand that the field restriction has to be maintained so that when the download user connect and pull, it has to check this access correct, even though QTQVCADMIN is not a role that is assigned to the user. 

       

      Thank you in advance for any information you can supply

      Diane Papia

      diane.papia@analog.com

        • Re: SAP Connector Authorization QTQVCADMIN
          Peter Cammaert

          Usually, data filtering is not done at the SAP Connector level since that would mean moving away from a single connection-single account-cost-effective connection, to a different SAP User for every other connection.:

           

          You could use an additional WHERE clause in the VB* SELECT statements, but even that technique may pose problems sooner or later. Moreover, separating and reducing data this low in the stack almost always results in multiple overlapping QlikView documents which must be managed and maintained (how do you handle users that should be able to see everything?).

           

          The most common QlikView technique is to load everything from the source systems, process everything through all intermediate Data Transformation steps, and let the top-level UI document decide on what a particular user can and cannot see. Section Access in combination with Data Reduction is a simple and efficient tool for this kind of data authorization.

           

          If you have a Publisher license, the QlikView Publisher can be used to create different top-level documents for different users, each one containing no more data than the end-user is allowed to see/use.

           

          Peter