Solved: Use of DMS Authorization - Qlik Community

sanchayan · ‎2017-01-28

Hi,

So what I know about DMS Authorization is that :

Authorization to qvws is maintained in QVs internal repository i.e. in the .meta file and to give users access to documents we have to either distribute it to the users in Publisher task distribution or add the user to the Authorization Tab in User Documents.

Used when we need to give access to Non-Windows users, like in case of HTTP Header Authentication or Web Ticket/ Custom Ticket Exchange Authentication.

So now my question comes :

1. If we use NTFS Authorization as well, can we not give access to Non-Windows users?

In our company, we are using NTFS Authorization even in case of HTTP headers and it should work fine as I am not finding any difference between NTFS and DMS Authorization except the case that in one ACL information is stored as a Windows NT Priviledge and in the other in .meta files.

2. So why should we use DMS for users who are accessing documents from different domains i.e. for Non - Windows users ?

Peter_Cammaert · ‎2017-01-31

No, that is not correct. NTFS authorization can be used with Local Directory and Windows NT DSPs as well.
If you enable DMS, you move away from explicit NTFS permission management. DMS will take over (but will still manage some NTFS permissions to get the job done)
I'm not sure. I don't think that the use of Headers forces you to drop NTFS authorization, as Headers only mean to identify users. AFAIK their definition can still be done in AD...

Best,

Peter

View solution in original post

Peter_Cammaert · ‎2017-01-30

Simple.

With NTFS authorization, rights/permissions are assigned to AD-defined users. But external (i.e. "Non-Windows") users do not exist in AD. That's why you need a trick like DMS for which you first create your own set of user definitions (for example, a user directory of type "CUSTOM") and then link them to the proper non-Windows permissions in DMS.

Best,

Peter

sanchayan · ‎2017-01-30

Hi Peter,

1. So you are telling that only when we are using AD as our DSP then only we can use NTFS Authorization right?

2. But for both NTFS and DMS we can look up on any of the directories whether it be CUSTOM or ODBC or AD, to search for the users and distribute the application right?

3. Even in our environment, NTFS authorization is used for QVS and there are 2 external web servers where authentication is through Headers. But I read that when using headers we must use DMS Authorization, is that correct information?

Regards,

Sanchayan

Peter_Cammaert · ‎2017-01-31

No, that is not correct. NTFS authorization can be used with Local Directory and Windows NT DSPs as well.
If you enable DMS, you move away from explicit NTFS permission management. DMS will take over (but will still manage some NTFS permissions to get the job done)
I'm not sure. I don't think that the use of Headers forces you to drop NTFS authorization, as Headers only mean to identify users. AFAIK their definition can still be done in AD...

Best,

Peter