15 Replies Latest reply: May 23, 2015 12:04 AM by Toni Kautto RSS

    Strict Exclusion is not working on QEMC

    Srikanth P

      Hello, We added the section access with strict exclusion. The logic is working fine on the Qlikview Desktop client. But when we deployed to Staging server the strict exclusion is not working. We got "Failed to Open a Document Access denied".

       

      Is these any server settings needs to be update ?

       

      Any one faced this type error before

        • Re: Strict Exclusion is not working on QEMC
          Daniel Oberbillig

          I am facing the same problem. But in my case I don't have any limited fields/values and only wanted to enable admins to have access but not the users...so it is not a problem to turn off 'strict exclusion'. I thought the reason for the denied access could be the situation that there were no corresponding fields in section access in section application

          See the manual:

          "...access to the document will be denied whenever the field values in

          the section access reduction fields lack matches in their corresponding section

          application field."

           

          But would be interested to know if there is another reason.

          • Re: Strict Exclusion is not working on QEMC
            Andrei Kaliahin

            Hi,

             

            I've faced the same problem in documents with SA. Even though we do not use Initial Data reduction in some of them.

            We've resolve this issue by ticking off "Strict exclusion checkbox" even it seems to be disabled (not active).

             

            Hope this helps.

             

            Regards,

            Andrei

            • Re: Strict Exclusion is not working on QEMC
              Peter Cammaert

              You're probably mixing two things here:

               

              • ADMIN access in the Desktop: in QlikView Desktop, SA entries with ACCESS=ADMIN will always be able to get in, whatever the link values, data reduction results, strict exclusion setting, etc. This is a behavior that is Desktop-only. Probably configured this way to allow developers to debug...document security.
              • Strict exclusion: in the Access Point, everybody is a USER, even the IDs that have ACCESS=ADMIN. Since most ADMINS have an empty link field (for example the service account responsible for reloading the document should best be configured with an empty link field.)  Strict exclusion will always deny them access because there is no data left after reduction.

               

              Peter

              • Re: Strict Exclusion is not working on QEMC
                Bill Britt

                Hi,

                 

                You need to make sure the service account is in SA and has ADMIN rights.

                 

                Bill

                  • Re: Strict Exclusion is not working on QEMC
                    Srikanth P

                    Britt, I am using our staging server service account in SA and that have full Admin privileges on the staging server.

                     

                    Is there any idea why other user accounr got "Failed to open the document Access Denied" error.

                      • Re: Strict Exclusion is not working on QEMC
                        Bill Britt


                        Hi,

                         

                        Take a look at the attached qvw. If you try to login as user D you will get the error and it is because he has no data assigned to him.

                         

                         

                        Section Access;
                        LOAD * INLINE [
                            ACCESS, USERID, DATA
                            ADMIN, A, *
                            USER, B, 1
                            USER, C, 2
                            USER, D,
                        ];
                        Section Application;

                        LOAD * INLINE [
                            DATA, YEAR
                            1, 2015
                            2, 2014
                            3, 2013
                        ];

                          • Re: Strict Exclusion is not working on QEMC
                            Srikanth P

                            Britt, The example you provided looks fine. In my case the developers (testing) can access the qvw with desktop client. But we can't access the qvw on Access point.

                             

                            LOAD * INLINE [

                            NTNAME , ACCESS, REDUCTIONFIELD

                            DOMAIN\SQLIKVIEW , ADMIN , <ALL>

                            DOMAIN\USER1 , USER , A

                            DOMAIN\USER2 , USER , B

                            DOMAIN\USER3 , USER , C

                            ];


                            LOAD * INLINE [

                            REDUCTIONFIELD , FIELD

                            <ALL> , A

                            <ALL> , B

                            <ALL> , C

                            A, A

                            B,B

                            C,C

                            ];


                            The above is the exiting SA & reduction table on environment. The reduction works fine on Desktop Client. But it won't work on the Access point.

                              • Re: Strict Exclusion is not working on QEMC
                                Peter Cammaert

                                Did you let the server reload your document before opening it in the AccessPoint?

                                 

                                Peter

                                • Re: Strict Exclusion is not working on QEMC
                                  Bill Britt

                                  Hi,

                                   

                                  In looking at your example I have a few questions? What is your service account name? Is it SQLIKVIEW? If so you need to remove the <ALL> from the REDUCTIONFIELD field. That will allow it to reload all data.  If you are trying to make it were a users can see values A,B & C use a * in the field and don't do the <all> stuff.

                                   

                                  Yours load

                                   

                                  LOAD * INLINE [

                                  NTNAME , ACCESS, REDUCTIONFIELD

                                  DOMAIN\SQLIKVIEW , ADMIN , <ALL>

                                  DOMAIN\USER1 , USER , A

                                  DOMAIN\USER2 , USER , B

                                  DOMAIN\USER3 , USER , C

                                  ];


                                  LOAD * INLINE [

                                  REDUCTIONFIELD , FIELD

                                  <ALL> , A

                                  <ALL> , B

                                  <ALL> , C

                                  A, A

                                  B,B

                                  C,C

                                   

                                  ];

                                   

                                  Try this

                                   

                                   

                                  LOAD * INLINE [

                                  NTNAME , ACCESS, REDUCTIONFIELD

                                  DOMAIN\SERVICEACCOUNT , ADMIN ,

                                  DDOMAIN\SOMEUSERNAME, ADMIN,*

                                  DOMAIN\USER1 , USER , A

                                  DOMAIN\USER2 , USER , B

                                  DOMAIN\USER3 , USER , C

                                  ];


                                  LOAD * INLINE [

                                  REDUCTIONFIELD , FIELD

                                  A, A

                                  B,B

                                  C,C

                                  ];

                                    • Re: Strict Exclusion is not working on QEMC
                                      Srikanth P

                                      Britt, SQLIKVIEW is service account and this account access to ALL Reduction field values. so I added the custom value instead of <ALL>. This approach was mentioned ny Henric in his section access blog spot.

                                      • Re: Strict Exclusion is not working on QEMC
                                        Srikanth P

                                        Britt, As you suggested the below SA table works fine with Strict Exclusion. Why "<ALL>" to Service account is not working on the Access point but it works fine on Desktop client ? Is there any specific reason with AJAX client.

                                         

                                        LOAD * INLINE [

                                        NTNAME , ACCESS, REDUCTIONFIELD

                                        DOMAIN\SERVICEACCOUNT , ADMIN , *

                                        DDOMAIN\SOMEUSERNAME, ADMIN,*

                                        DOMAIN\USER1 , USER , A

                                        DOMAIN\USER2 , USER , B

                                        DOMAIN\USER3 , USER , C

                                        ];


                                        LOAD * INLINE [

                                        REDUCTIONFIELD , FIELD

                                        A, A

                                        B,B

                                        C,C

                                        ];


                                        I have another question, if we are doing Distribute to Qlikview server to Specific mounted folder, we seen duplicate qvw files on access point ?

                                          • Re: Strict Exclusion is not working on QEMC
                                            Bill Britt

                                            Hi,

                                             

                                            For a user the  <ALL> might work, never have used that before. On the second issue, I would think you mount folder is under the root folder. If that is the case QVS will see the document in the mount folder when it scans the root.

                                             

                                            This is wrong and you will see the document in the Mount folder twice.

                                            Untitled.png

                                             

                                             

                                            This would be a correct way.

                                             

                                            1.png
                                            Bill

                                        • Re: Strict Exclusion is not working on QEMC
                                          Toni Kautto

                                          As far as I can tell strict exclusion is not the main reason for your problems. Strict exclusion in this case actual protects you from showing all data to the users.

                                           

                                          The reload and distribution sequence on server will be inline with;

                                           

                                          1. Open and reload QVW
                                          2. Close and save temp QVW with all data|
                                            1.png
                                          3. Reopen the temp QVW as the service user
                                          4. Data in reduced based on service user reduction values
                                            2.png
                                          5. Save QVW in source documents
                                          6. Distribute QVW

                                           

                                          When User1 with reduction value A tries to open the application from the Access Point the distributed application does not have a matching reduction value.
                                          With Strict Exclusion enabled this means that the user gets access denied do no no matching data.
                                          With Strict Exclusion disabled a user with no matching data will get access to all data.

                                           

                                          In desktop client the QVW is always stored with all data, and the reduced when user opens the file.

                                          I hope this clarifies why you get the observed difference between server and desktop client.