13 Replies Latest reply: Jun 16, 2015 5:48 AM by Mrudul K RSS

    Custom field in Section Access Management

    Mrudul K

      Hi All,

       

      Thanks for your reply to my previous post i.e.

      https://community.qlik.com/thread/165157

       

      I have gone through server management pdf document and Help section of QMC.

       

      I have few queries regarding Section Access Management as-

      1. In Help section of QMC, Section Access Management > Manage Section Access Tables > Table Columns > Custom, a custom field
      2. What is this custom field
      3. May be basic question, but it has to present in the data-model
      4. When we import the data from 'Import Data Table' Whether this custom field value should be present.
      5. If I want to reduce the data as per Area field, can I add the Area as a custom field and import the same using 'Import Data Table'
      6. If I want to reduce data according to particular user group, whether this field will be any group name or so..?


      Can anyone please assist me on same, as I am new to Section Access and would like it to implement it through QMC and reduce data as per user login.



      Thanks & Regards,

      MK

        • Re: Custom field in Section Access Management
          Peter Cammaert
          1. ?
          2. Custom field is any field ytou deifne yourself to link to the rest of your data model (i.e. for automatic data reduction based on an ID that is present in Section Access)
          3. You don't nee to have a corresponding link-field in your data model. But in that case your custom field becomes pretty useless.
          4. See before.
          5. Yes. But that may not be ideal, as you are forcing access to a single Area for all ID's. If you prefer access to multiple areas for some ID's, create a 2-column link table that ties values from your custom field to multiple Areas.
          6. No, the NTNAME field itself can be used to grant access to a group. QlikView will check whether the current user (ID) belongs to a group listed in Section Access. The custom field is just for linking SA definitions to the correct subset of your data.

           

          I would suggest to try to implement Section Access first by way of an external file or an INLINE table. Just to get the feel of it before you proceed to QMC-based section access.

           

          Best,

           

          Peter

            • Re: Custom field in Section Access Management
              Mrudul K

              Thanks a lot for the information Peter.

               

              I have already done a small POC for section access using Hidden script.

               

              But what if, I have a lot of users having different roles coming in .csv file. So, I was just looking into QMC.

               

              Thanks for your reply again.

              • Re: Custom field in Section Access Management
                Mrudul K

                One more thing, what if I add Two tables in Section Access, one is default and other which has all the settings regarding restriction of Data.

                 

                How QMC will behave, whether it will consider union of both tables or ?

                  • Re: Custom field in Section Access Management
                    Peter Cammaert

                    That isn't really necessary. You can move the Data reduction settings table to Section application, and still keep it in your Hidden Script if you want.

                     

                    And for your large number of users problem, it's still preferable to keep the definitions in a file or in a database table. Furthermore, you're talking about roles: that would be an ideal Link field. Imagine the following:

                     

                    Bob = CEO, should have access to everything

                    Frank = MGR_EAST, should have access only to Areas from the Eastern region

                    Bill = Sales Exec, should only see his own stuff

                     

                    In Section Access you load lines for every QlikView end-user, like:

                     

                    ACCESS,  NTNAME, LINK

                    USER,    BOB,    CEO

                    USER,    FRANK,  MGREAST

                    USER,    BILL,   EXEC1

                     

                    In Section Application, you define a Link table with LINK-Area pairs, like:

                     

                    LINK,     Area

                    CEO,      Area1

                    CEO,      Area2

                    CEO,      Area3

                    CEO,      Area4

                    MGREAST,  Area2

                    MGREAST,  Area3

                    EXEC,     Area2

                     

                    Section Access will connect to the LINK field at document-open-time and select the values that should remain. Normal associative behavior will propagate this selection through the whole of your data model. All others will be eliminated

                     

                    Peter

                      • Re: Custom field in Section Access Management
                        Peter Cammaert

                        Sorry, I forgot another of your qestions: what happens with multiple tables in QMC Section Access?

                         

                        That depends on where you load the data. The Section Access area in QMC is just a handy technique to define administrator-configurable rows (and the only one with a nice web interface). IIRC you don't have to even use these tables in section access. So you can load one table in the Section Access-area of your document, and the other in the Section Application-area. Associations will do the rest.

                         

                        Peter

                          • Re: Custom field in Section Access Management
                            Mrudul K

                            Thanks for the detailed analysis Peter.

                             

                            Our requirement is to implement role based access to Access Point Users.

                            Idea is, user group will be from Active Directory.

                             

                            We want to restrict data depending on few field values, few sheets will be hidden and for some users application will not be accessible.

                             

                            My concern -

                                 1.     If we restrict the data, can we do it through QMC

                                 2.     If we do it through QMC, whether for each user group there will be number of Apps created

                                 3.     Can it be done through Section access Script, if done so, there will be chances, for each user change in Active directory, there will be need to Reload application.

                             

                            Please assist me on this, regarding, best approach can be used.

                             

                             

                            Regards,

                            MK

                              • Re: Custom field in Section Access Management
                                Peter Cammaert

                                Some answers that may help you in your decision:

                                 

                                1. Yes, you can. You can define the second table from my previous post in QMC instead of in your script. That means that your reduction values that selectively link IDs to your data model will be read from a table that is defined in the QMC. But only at reload-time. Changes in this QMC table will only become active after the next reload.
                                2. I don't really understand what you mean. Are you talking about loop-and-reduce? Data reduction with section access works for all users from a single file that contains everything.
                                3. That depends. If you have a SA in your script that uses AD groups instead of user accounts, a change in group membership will not force you to perform a reload, as the group names didn't change. And QV will perform a live check of group membership whenever a user tries to open a document.

                                 

                                Best,

                                 

                                Peter

                                  • Re: Custom field in Section Access Management
                                    Mrudul K

                                    I don't get this points

                                    "If you have a SA in your script that uses AD groups instead of user accounts,", what is SA.


                                    I have tried below script -

                                    Section Access;

                                    LOAD * INLINE [

                                        ACCESS, NTNAME

                                        ADMIN, QVADMIN,

                                        USER, *

                                    ];

                                    Section Application;

                                     

                                    I found that, when the same document is circulated to different user, only QVADMIN user is able to see the section access script.

                                     

                                    So, now I try to restrict few data for other users, so i tried this -

                                    Section Access;

                                    LOAD * INLINE [

                                        ACCESS, NTNAME, area_name

                                        ADMIN, QVADMIN, *

                                        USER, *, EAST

                                    ];

                                    Section Application;

                                     

                                    Where area_name is one of the field in data model. But when I try with other users, though they were not able to see the section access script, but can see all the data irrespective of area.

                                     

                                    Is anything is getting wrong in this case.

                                     

                                    Another two things-

                                    1> How we can add User group names in the section access script

                                    2> IF NTNAME is used, then whether it will behave in same way on access point as well.

                                     

                                    Please assist.

                                     

                                    Regards,

                                    MK

                        • Re: Custom field in Section Access Management
                          Bill Britt

                          Hi,

                           

                          Check this out and see if it will help you any.

                           

                          bill

                            • Re: Custom field in Section Access Management
                              Mrudul K

                              Hi Bill,

                               

                              I have already gone through this document. Thanks for same.

                               

                              I have also check for the Strict Exclusion flag in the Opening Tab of Document Properties.

                              I also tried with NTNAMe as DOMAIN\NTNAME, but no luck.

                               

                              one thing which I observers is, field name is area_name, but everywhere the script is written in caps.

                              Well, I also tried with AREA_NAME, no luck for same.

                               

                              Please assist.

                               

                              Regards,

                              Mrudul

                                • Re: Custom field in Section Access Management
                                  Peter Cammaert

                                  One of the (funny) requirements of SA (=Section Access in QlikTech parlance) is that all your field names must be in Capitals. The SA data will be converted to upper case, but if in Section Application you specify link fields in lower case or the data is lower/mixed case, there will be no match.

                                   

                                  In Section Application, always name the link field in upper case and specify the field values in that column in upper case as well.

                                   

                                  It takes some getting used to, I admit.

                                   

                                  Peter

                                    • Re: Custom field in Section Access Management
                                      Mrudul K

                                      Thanks Peter, it works...

                                      Do you have any idea regarding getting getting NT Group name of user in Set analysis.

                                       

                                      I have tried with OSUser() function and found that it provides the User doamin name \ user login name details.

                                       

                                      What if i would like to to know which user group in active directory it is belonging to.

                                       

                                      I want this, we will be hiding few sheets based on user login, but what if there are 500 users.If only one user is added on removed from group, i will need to reload the application.

                                       

                                      Please assist

                                       

                                      Regards,

                                      MK