- Custom field is any field ytou deifne yourself to link to the rest of your data model (i.e. for automatic data reduction based on an ID that is present in Section Access)
- You don't nee to have a corresponding link-field in your data model. But in that case your custom field becomes pretty useless.
- See before.
- Yes. But that may not be ideal, as you are forcing access to a single Area for all ID's. If you prefer access to multiple areas for some ID's, create a 2-column link table that ties values from your custom field to multiple Areas.
- No, the NTNAME field itself can be used to grant access to a group. QlikView will check whether the current user (ID) belongs to a group listed in Section Access. The custom field is just for linking SA definitions to the correct subset of your data.
I would suggest to try to implement Section Access first by way of an external file or an INLINE table. Just to get the feel of it before you proceed to QMC-based section access.
That isn't really necessary. You can move the Data reduction settings table to Section application, and still keep it in your Hidden Script if you want.
And for your large number of users problem, it's still preferable to keep the definitions in a file or in a database table. Furthermore, you're talking about roles: that would be an ideal Link field. Imagine the following:
Bob = CEO, should have access to everything
Frank = MGR_EAST, should have access only to Areas from the Eastern region
Bill = Sales Exec, should only see his own stuff
In Section Access you load lines for every QlikView end-user, like:
ACCESS, NTNAME, LINK
USER, BOB, CEO
USER, FRANK, MGREAST
USER, BILL, EXEC1
In Section Application, you define a Link table with LINK-Area pairs, like:
Section Access will connect to the LINK field at document-open-time and select the values that should remain. Normal associative behavior will propagate this selection through the whole of your data model. All others will be eliminated
Sorry, I forgot another of your qestions: what happens with multiple tables in QMC Section Access?
That depends on where you load the data. The Section Access area in QMC is just a handy technique to define administrator-configurable rows (and the only one with a nice web interface). IIRC you don't have to even use these tables in section access. So you can load one table in the Section Access-area of your document, and the other in the Section Application-area. Associations will do the rest.
Thanks for the detailed analysis Peter.
Our requirement is to implement role based access to Access Point Users.
Idea is, user group will be from Active Directory.
We want to restrict data depending on few field values, few sheets will be hidden and for some users application will not be accessible.
My concern -
1. If we restrict the data, can we do it through QMC
2. If we do it through QMC, whether for each user group there will be number of Apps created
3. Can it be done through Section access Script, if done so, there will be chances, for each user change in Active directory, there will be need to Reload application.
Please assist me on this, regarding, best approach can be used.
Some answers that may help you in your decision:
- Yes, you can. You can define the second table from my previous post in QMC instead of in your script. That means that your reduction values that selectively link IDs to your data model will be read from a table that is defined in the QMC. But only at reload-time. Changes in this QMC table will only become active after the next reload.
- I don't really understand what you mean. Are you talking about loop-and-reduce? Data reduction with section access works for all users from a single file that contains everything.
- That depends. If you have a SA in your script that uses AD groups instead of user accounts, a change in group membership will not force you to perform a reload, as the group names didn't change. And QV will perform a live check of group membership whenever a user tries to open a document.
I don't get this points
"If you have a SA in your script that uses AD groups instead of user accounts,", what is SA.
I have tried below script -
LOAD * INLINE [
I found that, when the same document is circulated to different user, only QVADMIN user is able to see the section access script.
So, now I try to restrict few data for other users, so i tried this -
LOAD * INLINE [
ACCESS, NTNAME, area_name
ADMIN, QVADMIN, *
USER, *, EAST
Where area_name is one of the field in data model. But when I try with other users, though they were not able to see the section access script, but can see all the data irrespective of area.
Is anything is getting wrong in this case.
Another two things-
1> How we can add User group names in the section access script
2> IF NTNAME is used, then whether it will behave in same way on access point as well.
I have already gone through this document. Thanks for same.
I have also check for the Strict Exclusion flag in the Opening Tab of Document Properties.
I also tried with NTNAMe as DOMAIN\NTNAME, but no luck.
one thing which I observers is, field name is area_name, but everywhere the script is written in caps.
Well, I also tried with AREA_NAME, no luck for same.
One of the (funny) requirements of SA (=Section Access in QlikTech parlance) is that all your field names must be in Capitals. The SA data will be converted to upper case, but if in Section Application you specify link fields in lower case or the data is lower/mixed case, there will be no match.
In Section Application, always name the link field in upper case and specify the field values in that column in upper case as well.
It takes some getting used to, I admit.
Thanks Peter, it works...
Do you have any idea regarding getting getting NT Group name of user in Set analysis.
I have tried with OSUser() function and found that it provides the User doamin name \ user login name details.
What if i would like to to know which user group in active directory it is belonging to.
I want this, we will be hiding few sheets based on user login, but what if there are 500 users.If only one user is added on removed from group, i will need to reload the application.