7 Replies Latest reply: Sep 25, 2017 1:30 PM by Steve Dark RSS

    disabling standard mode security problems

    mohammed salman

      Hi All,


      We are using Qlik sense and wanted to know if there are any major security issues we should be knowing if want to enable legacy mode , so that we can run the 'Execute' command in script loads.



      We have a pre-caching app which is C# code and bundled as a .exe.

      We want to run this after the data load happens so that the apps are pre-cached.

      To execute this we need to enable the legacy mode.


      According to the article : http://help.qlik.com/en-US/sense/June2017/Subsystems/Hub/Content/LoadData/disable-standard-mode.htm

      it may create a security risk by exposing the file system.

      Will this cause any major issues? Is this going to expose the filesystem only for Qlik data load scripts?




        • Re: disabling standard mode security problems
          Bill Markham

          As far as I am aware it only exposes the filesystem for Qlik data load scripts...


          ...but I am no expert on Qlik internals and would love to hear a definitive answer from someone who is.

          • Re: disabling standard mode security problems
            Sara Leslie

            Interesting Question. mto perhaps Michael Tarallo can weigh in here.


            Regards, Sara

              • Re: disabling standard mode security problems
                Michael Tarallo

                Hi Guys


                If your load scripts are protected from malicious eyes you should have nothing to worry about. We need to put that disclaimer in there because when you disable standard mode - the full path is exposed in the load script - so instead of seeing:




                You would see:




                NOTE that you would  still need permissions from windows to allow the appropriate access to perform read, write operations.


                So in other words - there is nothing malicious that could take advantage by disabling standard mode.


                Hope this helps:


                When applicable please mark the appropriate replies as CORRECT. This will help community members and Qlik Employees know which discussions have already been addressed and have a possible known solution. Please mark threads as HELPFUL if the provided solution is helpful to the problem, but does not necessarily solve the indicated problem. You can mark multiple threads as HELPFUL if you feel additional info is useful to others.




                Michael Tarallo (@mtarallo) | Twitter


                  • Re: disabling standard mode security problems
                    Miguel Angel Baeyens de Arce

                    In addition to what Michael said, LIBraries appear in the QMC and can be governed, i.e.: granted users access to or revoked or disabled. When the script uses the full path and it changes, it is up to the developer to update the connection manually in the script, and it is not reusable by other applications, it must be specified manually again in the script for those apps.


                    This does not imply any security risk per se, but a maintenance effort to bear in mind.


                    Last but not least, the script in Qlik Sense cannot be hidden as of Sep 2017 version -there are other ways of protecting it-, in our case, most of the script is hidden in QlikView apps and using $(Include=) and similar approaches to completely separate the development from the administration, and scripts in QlikView can be reused in Qlik Sense. This may not be your case but worth exploring, too.


                    I'm also using JMeter to cache warm some apps, but I use Windows Scheduler tasks calls instead of the execute for the reasons above among others.

                    • Re: disabling standard mode security problems
                      Steve Dark

                      Hi Michael,


                      Surely the issue is though that the Service Account for running the Qlik services must have access to every where on the file system that any application can load data from.


                      If Standard Mode is turned off then any user who has the ability to edit a load script can load from or write to any location on the file system that the service account can see (as they effectively inherit the service accounts permissions).


                      It would be straight forward for a user to do a for each vFile in FileList('c:\') and then the same for FolderList to get a complete list of files in the file system, from which they can then load from.  As well as loading from, they can also write to - causing damage and injecting data into apps.


                      With Standard mode on you can chose whether or not users can create connections, or just consume existing governed connections.  Without it they don't need to use connections and libraries at all.


                      If you are in a situation where anyone who has permission to write a load script should be able to see the whole file system then all is well.  If, on the other hand, you have users who need to be able to write load scripts, but should only be able to see their own files you have a problem.


                      I'm torn on this topic, as I often need to disable standard mode for clients to be able to do things with the REST connector and/or Qlik Web Connectors, but I am all too aware of the potential pitfalls.


                      I know chrisbrain has some thoughts on this topic also...



                        • Re: disabling standard mode security problems
                          Chris Brain

                          Our interest in this topic was primarily because standard mode also has the effect of preventing you from building http request paths at script runtime so limiting the flexibility of the Qlik Web Connectors. I can see the issue though - presumably you could configure the service account running the Qlik Service to have limited access to the file system.

                            • Re: disabling standard mode security problems
                              Steve Dark

                              Hi Chris, the issue is that the service account needs to have access to all data that it needs to reload through the task scheduler.  This means that you can't give a user access to only part of that data, if Standard Mode is disabled.  The method for doing this with Security Groups on connections is very elegant, but can be effectively circumnavigated if a non-lib load is performed.