1 Reply Latest reply: Jul 13, 2016 6:50 AM by Kaushik Solanki RSS

    Technical question on how QV Server handles Section Access in the back

    Tim Provinciael

      Hi everyone,


      I'm currently faced with an issue regarding section access. More specifically, for some reason users are getting an "Failed to open document. You don't have access to this document".


      I'm currently suspecting a possible AD issue, so my question is: When a user clicks on a dashboard in the access portal, how does QlikView determine that user's identity?

      Does it validate the user against AD and the check if the name is included in the section access the moment a user tries to open a document?

      Or is the username "stored" somehow when the user initially connects to the portal?


      The reason I'm suspecting an AD issue is because

      1. users still need to log in to the access portal with their AD credentials, and are not automatically recognized. But trying to log in with wrong credentials is not possible (It is however possible to log in with someone else's credentials)
      2. AD is experiencing performance issues
      3. Even when publishing documents to "All authenticated users'" or "all users", users often don't see all the dashboards for some strange reason. Refreshing then all of a sudden shows other dashboards...
      4. I've tried adding usernames manually in the security settings of a published dashboard on the server. Didn't help either.
      5. Publishing the same dahsboard with seciton access removed, but to Named users also doesn't work. For some reason, that user can't see the dashboard
      6. Publishing that same dashboard without section access, but to "all authenticatedusers" works (ie. user can see the dashboard), but when opening he gets a "Failed to open document. You don't have access to this document".



      PS: the service account used for publishing is included in the section access; and then that still wouldn't explain #3, 5 and 6)



      All of the above looks like very strange behaviour, and I can't find a way to explain it currently.


      All input and thoughts on this matter would be highly appreciated.

        • Re: Technical question on how QV Server handles Section Access in the back
          Kaushik Solanki

          Hi Tim,


          Let me first give you answer to your first question about how it works in background.


          When anyone logs in to portal, Qlik Sends the credentials to AD and then AD checks the Authentication of that user. If authenticated, AD sends a positive reply to Qlik and then Qlik Checks the Qlik License against that user. Depending on license Qlik tries to open the application and while opening the application, Qlik Checks the Section Access script for row level Authentication.


          You can go through the attached document for more detail.


          Now can you feed us with some information like.

          1. What version and SR of QlikView you are using.

          2. Did you do the "All the required setting for Section Access" like "Initial Data Reduction Based on Section Access".


          If possible post a sample script.



          Kaushik Solanki