4 Replies Latest reply: Nov 15, 2016 10:03 AM by Court van de Lisdonk RSS

    Control Access

    Court van de Lisdonk

      Hello,

       

      I could need some help. I’m testing Access Control. Therefore I have build a Qlikview Document named Allowance it has 5 sheets: Start, Information, Dashboard, Dimensions and Controle. I have a QVD, named AccessAllowance. I get this QVD from our DWH-manager.

       

      The rules for the Access are:

      1. 1. There is a qadmin (user = qadmin, password is qadmin).
      2. 2. Identification should be UserName and Password from DomainName or AccessPoint if possible.
      3. 3. When not possible UserName and Password from QVD-file Allowance.qvd should permit allowance.
      4. 4. If field InActive = 0, no access is granted, access is permitted when InActive = -1
      5. 5. If date(Now()) is not between DIMENSIONVALUEVAILEDFROM and DIMENSIONVALUEVAILEDTO no allowance is permitted.
      6. 6. After Allowance is permitted, ALLDIMENSIONVALUESALLOWED should be tested, if when ALLDIMENSIONVALUESALLOWED = 0 the all markers/flags should be activated, when ALLDIMENSIONVALUESALLOWED  = -1 no markers should be activated.
      7. 7. If ALLDIMENSIONVALUESALLOWED = 0, REPORTINGALLOWANCEDEMENSION_PK and DIMENSIONVALUEALLOWED should be tested, because DIMENSIONVALUEALLOWED is/are the value(s) the user is permitted to see of a specific Dimension. It is possible that more then 1 Dimension is permitted and more then 1 values within the Dimension is permitted.
      8. 8. Also if ALLDIMENSIONVALUESALLOWED = 0,  the user is not allowed to see all the sheets, the controle-sheet is only for users with full access.


      At this moment:

      • ·Qadmin can start the document (point 1)
      • ·When someone starts the document, his password is asked. When a wrong password (three times) is given the user gets the message  that he has no access. (point 03).
      • ·Setting the Markers using the IF-statements in works as far I can see (point 06).

       

      I build in point 4 and 5 but I think at the wrong place.

      I’m not so happy with the inline Marker-tables, but at the moment I think there is no other solution.

       

      The IF-statements where REPORTINGALLOWANCEDEMENSION_PK is tested, doesn’t work at all, that’s why I comment them.

       

      I hope some can help me with my access-problems. Perhaps I should ask for a new designed QVD. The QVD is build with the DWH rules as basis. 

       

      I have added my Document and QVD’s

       

      Thanks in regards

       

       

       

       

        • Re: Control Access
          Marcus Sommer

          Section access within qlik worked a bit different of that what do you described as wanted. An user is included within the section access or not and the user had valid dimension-values within the key-fields between the section access and section application part or not respectively the user is or isn't included with dimensions in the OMIT field.

           

          To 1. - 3. you could use SSO - this meant the windows authentication from the OS goes through to the section access which needs only to include NTNAME (beside ACCESS and any key-fields or an OMIT field) without the need of a PASSWORD.

           

          To 4. - 5. this couldn't be included within section access else you need to use these information within a where-clause to exclude those user which aren't active or which time-windows isn't valid anymore.

           

          To 6. - 7. this is the classical section access part which needs to be implemented by the section access key-fields

           

          To 8. This is mainly an additional part of usability and not mandatory a security part. This meant are the data itself not permitted it's harmless if they could access those sheets/objects and are the data not secured the access-control to sheets/objects won't be absolutely safe.

           

          I suggest to take a look here: Section Access.

           

          - Marcus

            • Re: Control Access
              Court van de Lisdonk

              Hello Marcus,

               

              Thank you for your Support.

              Your answer brings new questions.

               

              About 1/3: I will talk will the administrator about that (about rules etc.), Qadmin is already active without any problems

               

              About 4/5: I never worked with a where-clause,  perhaps you can me help with that if it is not to complicated

               

              About 6/8: I watched the examples, I think the QVD I use is not correct because I have 1 column for all Dimensions and one for the Dimension-values. I think I need for every Dimension and its value one column. I have at the moment 4 dimensions, so I think I need 4 columns.

               

              The reasons normal users are not allowed to see all sheets:

              1 sheet will have a selection box for the markers/flags and some tables, normal users are not allowed to use that selection box

              1 sheet will have some control tables and information for designers and developers       

               

              I don’t know if you watched my section access? When I compare my section access with the examples  I saw, my section looks very different  with all the marker tables and so

               

              Perhaps you have a better solution there for me

               

              Thanks in regards,

               

              Court

                • Re: Control Access
                  Marcus Sommer

                  I agree that your section access looked very different to those kinds which I use or which I have seen anywhere. I don't want say that your approach couldn't be implemented - I don't understand your markers/flag logic - but I'm sure that there are easier logics if you followed the examples from the link above. This meant to start with a simple example from the introduction and then to extend this step by step instead of the attempt to implement a role-logic 1: 1 from another tool.

                   

                  To 4/5 - I meant the following:

                   

                  load * from source

                  where InActive = 1 and

                  today() >= DIMENSIONVALUEVAILEDFROM and today <= DIMENSIONVALUEVAILEDTO   

                   

                  To 6/8 - yes you will need to transform (maybe per The Generic Load) your dimensions-field and the corresponding value-field into single columns whereby you here you need a certain logic respectively hierarchy between them to create a proper datamodel (no circular loops or synthetic keys). Further your access-restrictions mustn't be to exclude eachother - one denial and/or missing allowance will prevent the data-access - no further authorization will overwrite them again.

                   

                  - Marcus

                    • Re: Control Access
                      Court van de Lisdonk

                      Hallo Marcus,

                       

                      Thanks for your answer.

                      I just printed the document with generic load, I will try to transform my table using the example in that document

                       

                      After that  I try to transform my section stepby step.

                      Hope I'll manage that with no Problems, Keep you informed

                       

                      Regards

                       

                      Court