7 Replies Latest reply: May 29, 2015 7:52 AM by Bill Britt RSS

    Section Access problem

    John Repucci

      We are attempting to hide salary lines for some users and ran into a problem.  When we added the appropriate lines to the Section Access (see "Changed Section"), Salary was hidden from everyone, including those with QVAdmin rights.  Clearly not a desirable outcome.

       

      Goal:  Prevent those in the QV_OmitSalary AD group from seeing their dept's Salary information, but allow them to see the other dept expenses.

       

      Questions:

      What is restricting the admins from seeing the Salary information?

      Does anyone see anything wrong with the changed section?

       

      TIA,

      John

      QV v11.2 SR9

       

      Original:

      Section Access;

      LOAD * INLINE [

          ACCESS, NTNAME, DEPT_NUMBER_SECURITY, USERID, PASSWORD

          ADMIN, *, *, QVADMIN, QVADMIN

          ADMIN, COMPANY\QLIKVIEW_ADMINS, *, *, *

       

      ... this section allows those in their dept (ie: 104, 105, etc...) to see the expenses for their dept, but not any other dept.

          USER, COMPANY\QV_ExpenseMgmt_104, 104, *, *

          USER, COMPANY\QV_ExpenseMgmt_106, 106, *, *

      ...  about 20 lines removed

          USER, COMPANY\QV_ExpenseMgmt_All, *, *, *

      ];

       

      Changed Section:

      Section Access;

      LOAD * INLINE [

          ACCESS, NTNAME, DEPT_NUMBER_SECURITY, USERID, PASSWORD, GLCODE_FIRST4

          ADMIN, *, *, QVADMIN, QVADMIN, *

          ADMIN, COMPANY\QLIKVIEW_ADMINS, *, *, *, *

       

      ... this section allows those in their dept (ie: 104, 105, etc...) to see the expenses for their dept, but not any other dept.

          USER, COMPANY\QV_ExpenseMgmt_104, 104, *, *, *

          USER, COMPANY\QV_ExpenseMgmt_106, 106, *, *, *

      ... About 20 lines removed ....

          USER, COMPANY\QV_ExpenseMgmt_All, *, *, *, *

       

      ... newly added lines start here .... allows users in the AD group rights to their dept (505/585) for the listed GLCodes (4820)

          USER, COMPANY\QV_OmitSalary, 505, *, *, 4820

          USER, COMPANY\QV_OmitSalary, 505, *, *, 4821

          USER, COMPANY\QV_OmitSalary, 505, *, *, 5830

      ... about 120 lines removed with different GLCodes

          USER, COMPANY\QV_OmitSalary, 585, *, *, 4820

          USER, COMPANY\QV_OmitSalary, 585, *, *, 4821

          USER, COMPANY\QV_OmitSalary, 585, *, *, 5830

      ... about 120 lines removed with different GLCodes

      ];

        • Re: Section Access problem
          Toni Kautto

          One thing to keep in mind here is that the star wildcard in the reduction field represents all values listed in the section access table. It does not represent all values loaded in your data table. If all possible values from the datat is represented in the Section Access table, then the star will be equal to all data. If you do not Section Access: Strict Exclusion enabled, try using a reduction value that does not exist if you intend to give the user access to ALL data. For example I often use the reduction value <ALL VALUES> to indicate the intention.

           

          Please notice that all values in Section Access must be in upper case. In this example your NTNAME values are not in UPPER case.

           

          If you find that the reduction is not accurate for a specific user, my suggestion is that you disable section access and validate the reduction buy manually applying the reduction (selection). Will the data reduce as expected when you apply the reduction values manually?

           

          IMPORTANT: Always make a backup of your QVW before changing Section Access, so that you can revert to the backup if you lock yourself out.

          • Re: Section Access problem
            John Repucci

            Toni,

            Thanks for the reply.

            The upper case rule does not seem to apply to the AD groups. 

            Using lower case for the AD group (COMPANY\QV_ExpenseMgmt_xxx), people are able permitted to see only their department information.  The app has worked with lower case AD group names for over a year now.

            When I uppercase COMPANY\QV_ExpenseMgmt_xxx, my test user is requested to enter her p/w. 

             

            John

              • Re: Section Access problem
                Bill Britt

                Hi John,

                 

                According to the Qlik 11.20 SR10 Reference page 421  "All the fields listed in Load or Select statements in the section access must be written in UPPER CASE.."


                Let me update my post with the whole text from the reference manual.

                 

                All the fields listed in Load or Select statements in the section access must be written in UPPER CASE. Any

                field name containing lower case letters in the database should be converted to upper case using the upper

                function, see upper(textexpression) (page 337), before being read by the Load or Select statement. However

                the user ID and the password entered by the end-user opening the QlikView documents are case insensitive.

                 

                I am not sure why Qlik requires this, but it is documented that way.

                 

                Bill