5 Replies Latest reply: Aug 12, 2015 3:54 PM by Magnus Berg

    What containers the developers given access to?

    Phillip Putzback

      Do you have a QDF administrator that manages the 0.Administration VariableEditor application? If so, then how is security set up on that folder? Do you give Admins full rights and the developers Read or None? Or do all developers get full access to the entire SourceDocs folder and you hope they don't break anything and track every change so it can be rolled back if it affects someone else's project?

      I have a similar question for the 99.Shared_Folders. Should developers have full access or should they have read access and send requests for new objects to the QDF Admin?

      I read once that the developer could take his container with him to his local machine and copy changes to the server, but I don't understand how that would work without the parent level 0.Administration and 99.Shared_folders being on their machine.

      Currently, the developers work directly off the server and they have read access to 99.Shared_folders. When they need a container I create it and give them full access to it.

      Thoughts?

        • Re: What containers the developers given access to?
          Magnus Berg

          Hi Phillip, the idea is that only administrators have access to the Admin container. As security is inherited downwards, setting different security settings for different containers is quite easy. To prevent security manipulation, use change access instead of full control. The idea of shared is that all developers have access to this resource in the test environment so that they can move reusable resources, else there is a risk that developers do not reuse between them. When the app goes into production the reused resources need to be validated and copied into the production shared container by the administrator/system owner.
          Hope that this helps.

          Best regards

            • Re: What containers the developers given access to?
              Phillip Putzback

              I am not sure what "Change Access" means in your statement "to prevent security manipulation use change access instead of full control".

              I am in a Windows environment and when a developer requests a new container I create it and give them full control on it. For \99.Shared, in development, I have given the developers Full control. Nothing has been set up in Production yet.

              I have set up the Win 2012 R2 Shares via Server Manager > File and Storage Services > Shares

              I have 3 shares

              • \QV-Docs
                Full control on this folder, sub folders and files for the local QlikView Administrators, Local Administrators, Domain service account for QlikView. Inherited from None
                Read, write & execute on this folder, sub folders and files for our Vendor's Domain account for their developers inherited from none.
                Full Control for Local Administrators
                Local Users have Special Inherited from D:\ on This folder and Subfolders
                Local Administrators have Full control inherited from D:\ on this folder, sub folders and files
                And local Users again with Read & Execute inherited from D:\ on this folder, sub folders and files
              • \10.Finance Container
                Full control for the Svc account, Admins and the domain role for the Finance Developers inherited from none
              • \99.shared_folders
                Full control for the Vendor's Developer Domain account inherited from \QV-Docs\Sourcedocs\1.development
                Full control for the QlikView Service Account, Local Administrators inherited from \QV-Docs\Sourcedocs
                Full control for local QlikView Admins inherited from \QV-Docs
                Full control for the domain role for the Finance Developers inherited from none
                Read & execute for local users inherited from D:\
                Special for local users inherited from D:\

              It seems like there are some redundant entries. But maybe it is supposed to look like that as I go deeper into the nested folders. I am not sure how you get "Inherited from None", or why the local Users have two entries, one for read and execute on this folder, sub folders and files, and then special on this folder and sub folders.

                • Re: What containers the developers given access to?
                  Magnus Berg

                  Hi Phillip, sorry for the late reply, I've been on holiday. With change access I mean that the users (other than Admin) do not have full access control. The users should not have change permissions and take ownership access in the folder structure.

                  Will have a look in the documentation and add this if missing.

                  Hope that this helps.

                  Best regards

                  Magnus
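
Added example, not part of the original thread: on NTFS, Full Control differs from Modify by adding "Change permissions", "Take ownership" and "Delete subfolders and files", so the rule in the reply above can be audited by listing every non-admin Allow entry that carries either of the first two rights. The root path and the admin identity list are assumptions; add your QlikView service account and admin group to `$Admins` before relying on the output.

```powershell
# Added example (not from the thread). $Root and $Admins are assumptions.
param(
    [string]   $Root   = 'D:\QV-Docs\SourceDocs',   # hypothetical QDF root
    [string[]] $Admins = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Rights that let a principal rewrite the ACL or seize the object.
# GENERIC_ALL (0x10000000) is the unmapped form Get-Acl can return on
# inherit-only entries, so it is included in the mask as well.
$RiskMask = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
            [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
            0x10000000

function Get-RiskyAce {
    param([string]$Path, [string[]]$Allowed, [int]$Mask)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $isAllow = $ace.AccessControlType -eq 'Allow'
        $isAdmin = $Allowed -contains $ace.IdentityReference.Value
        $canEdit = ([int]$ace.FileSystemRights -band $Mask) -ne 0
        if ($isAllow -and -not $isAdmin -and $canEdit) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set explicitly on this folder
            }
        }
    }
}

# Check the root itself plus every sub folder (containers, shared folders).
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

$folders |
    ForEach-Object { Get-RiskyAce -Path $_.FullName -Allowed $Admins -Mask $RiskMask } |
    Sort-Object Path, Identity |
    Format-Table -AutoSize
```

Rows with `Inherited` set to False point at the folder where the grant was made; changing that entry from Full Control to Modify removes the two rights for everything that inherits from it.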

                    • Re: What containers the developers given access to?
                      Phillip Putzback

                      Thanks for the update. I think I am close.

                      Admins have full access to everything in the \QDF. The Admin's full control rights are inherited in every new sub folder that is created.

                      DEVELOPERs have full access to \99.Shared

                      And when a Developer asks for a new container, let's say a Finance container, I create this in the ADMIN variable editor. Then I give the Developer FULL ACCESS to the Container. I assume if I already Shared out \99.Shared then 10.Finance should show up in their explorer also.

                • Re: What containers the developers given access to?
                  Magnus Berg

                  Ok, great that you have control of the situation.

                  /Cheers