3 Replies Latest reply: May 30, 2016 12:31 AM by Ross Biggar

    End user leases user cal rather than doc cal

    Ross Biggar

      Our deployment uses a combination of NTFS and section access for security. All except one app have section access in the script.

       

      For a new app (MDR.qvw) I've deployed, I define the 'mdr-user' AD group as having user access in section access. User A and B are both members of the 'mdr-user' AD group.

       

      On QMC I've limited the doc cal to one but with dynamic cal assignment.

       

      So user A opens MDR.qvw in Chrome and I see in QMC that he has consumed a doc cal.

       

      A couple of days later I ask user B to open MDR.qvw from AccessPoint using Chrome. I was hoping to see User B has now consumed that doc cal. Instead I see he has leased a user cal (user B was not previously in the list of Assigned CALs on QMC>>System>>Licenses>>Client Access Licenses(CALs)>>Assigned CALs, but once he opened MDR.qvw suddenly his account appeared).

       

      Upon further investigation I see that a couple of months ago he used another application - AssetsAndLiabilities.qvw. I review this app and see that there is no section access in the script.

       

      1. Does the lack of section access in AssetsAndLiabilities.qvw mean anyone with a Windows account and password could see the AssetsAndLiabilities.qvw?
      2. I have checked the security in Windows File Explorer - for the source doc version of AssetsAndLiabilities.qvw there is a list of AD groups listed with read access (User B is in one of these AD groups) - so are those members carried over into the list of 'authenticated users' I see on the user doc version of AssetsAndLiabilities.qvw?
      3. Is the absence of section access in AssetsAndLiabilities.qvw the reason he consumes a user cal rather than a doc cal?
      4. What governs the list of apps a user sees when opening AccessPoint? I suspect it is governed by section access (must have ADMIN or USER permission) but I want to be 100% sure.

      Thanks

      Ross

       

       

       

        • Re: End user leases user cal rather than doc cal
          Damian Waldron

          Hi Ross,

           

          As an FYI I have forwarded this to CS Australia to reach out to you. I would recommend we look at this from a health check perspective.

           

          Personally I believe using DMS and having Publisher maintain permissions is preferable to NTFS. This provides a single place for an audit trail. Also I thought that is what we set up a few years ago.

           

          My thoughts on your points.

          1. Access Point permissions have changed a little bit, however I am fairly certain that the ability to view a document is controlled by either the NTFS or DMS permissions. In your case it is the NTFS permissions. Section Access should limit who can open the document.

          2. Security should not be on the Source Documents version of the application. It should be the permissions on the User Documents version. Again assuming that the environment is as it was a number of years ago. However I would recommend using Publisher to specify the permission with the DMS permissions. This will allow you to verify authorisation via just the QMC rather than the QMC, NTFS and also the Access Control List.

          3. I am not sure on this. However I believe the highest available license is assigned with Dynamic Assignment on.

          4. Refer to point 1. Note that the concept of ADMIN or USER is not applicable for Access Point. This is only applied to the Desktop Client.

           

          If you have any questions then please contact me directly.

           

          Damian