0 Replies Latest reply: Nov 3, 2016 9:10 AM by Claudia Huber RSS

    QlikView Directory Service, Active Directory, DMS - prevent "all users" to get access to files / list files

    Claudia Huber

      Hello,

       

      We have a QlikView Setup with many QlikView files and strict security requirements. Usually a user has access to one or more files but nothing else. A user should not even be allowed to see other file names (as our file names already give some information about the content).

       

      As we also add new files and add security settings for this files on a regular basis we want to reduce the possibility to do a wrong setup. Especially we are afraid that somebody might add access for "All Users" or "All Authentificated Users" to a document by accident.

       

      Our Current Setup:

      • QlikView Files - WITHOUT Section Access
      • "DMS authorization" on QlikView Server
      • Directory Service Connector: Active Directory
      • Access to a file is given by changing the Authorization of a file on QlikView Management Console

       

      I wonder if Section Acces can help here adding additional security?

       

      When I understood everything correct we could

      • add section access to our files and restrict the files to certain AD User(s)
      • Ensure we use document property "Filter AccesPoint Document List Based on Section Access"
      • use AD users or groups without password (using field NTUSERS only)
      • use a database table as input for the list of users allowed users for section access (which would then allow me to add restrictions on a database level)

       

      Is it correct that the effect would then be that

      • a user will only see documents in his list were he/she has Section Access PLUS Access on a Document level.
      • so even setting "All Users" in Management Console by accident would not show this file (name) to other users
      • our end users will not be asked again to enter their password when opening the QV file on AccesPoint

       

      Did I oversee other possibilities to do further restrict the access? If yes, would be great if you could give me some hints.

       

      Thx