6 Replies Latest reply: Jan 15, 2018 7:51 AM by Jason Michaelides RSS

    Direct Discovery for Section Access

    Jason Michaelides

      Hi all,


      Has anybody tried using Direct Discovery on Section Access? Is it possible? I don't need to refresh my app's data more than a few times a day, but the security must be up-to-the-minute (preferably real-time from source, hence DD).





        • Re: Direct Discovery for Section Access
          Jonathan Dienst

          Perhaps a binary load followed by a re-application of the section access? I don't think DD data is available at the time of load, so I doubt you can apply section access using DD.

          • Re: Direct Discovery for Section Access
            Marcus Sommer

            I think it won't be possible in this way because section access will only applied by opening an application and not by reloading it. Should an access-control happens on a reload-process the access-control would need to be transferred to user-depending where-conditions - possible but expensive and probably with some side-effects.


            If a regular reloading or closing/reloading/opening is rather not suitable I could imagine that instead or additionally to a section access an access-control could be applied over field- or variable-flags - which are set/changed per DD - and which are serving as conditions for sheets/objects and dimensions/expressions plus as true/false-flags within the expressions.

            Of course such an implementation will be quite expensive, too and providing only a full access-contol if the user couldn't create/adjust objects/variables because otherwise a (more experienced) user could bypass this logic.


            - Marcus

              • Re: Direct Discovery for Section Access
                Jason Michaelides

                Thanks Marcus. I think OSUser() in Set Analysis will be the way to go. I was hoping to avoid for the reasons you’ve given, however given this will be a mashup in a DMZ I think it’ll be ok. I just need to check it can’t be bypassed!


                Thanks For the suggestions sir.



                  • Re: Direct Discovery for Section Access
                    Steve Newman

                    Another common approach that is more dynamic is to move to a “group” based security model that allows you to dynamically change groups when the user logs in. This allows you to have, up to minute security applied to Qlik applications when the user logs into Qlik.


                    For example, lets say that you secure your data by zip code (postal code). You could create a Section Access table, dynamically for every zip code (postal code) in your data. When a user logs in, you could assign groups to the user (either from your security source, LDAP, etc... or via a UDC pulling from a database). For example, you could add 100 zip codes (postal codes) to user1 and 269 to user2.


                    Since your zip codes in your data don’t change, except during reloads, you don’t have to worry about extra reloads. However, since your users access rules can changes 1,000’s of times a day (theoretically) you can change those more dynamically.


                    Also, don’t forget you can create compound groups using a typically REDUCTION technique discussed in other articles.


                    I have implemented similarly in environments with 5,000+ groups without problems.


                    Hope that helps.