4 Replies. Latest reply: Aug 25, 2009 12:25 AM by Sue Allen

    LOOPHOLE IN SECTION ACCESS???

      We have a major problem. We have SECTION ACCESS created based on a field named CLIENT_ID and are using Active Directory accounts; however, a userid that has no data whatsoever is able to see ALL clients' data.

      The application has "initial data reduction based on section access" checked but "strict exclusion" unchecked. (Checking strict exclusion seemed to make the security go haywire and was asking the user for a QV user name and password after they entered their AD user name / password). "Reduce data" on the Security tab is also checked.

      SECTION ACCESS;
      LOAD * INLINE [
      ACCESS, NTNAME, CLIENT_ID, BILL_TO_NDCS
      ADMIN, CRENT\SALLEN, *, *
      ADMIN, CRENT\QLIKUSER, *, *
      USER, "CRENT\SCE XXX Users", XXX, *
      ];

      There is NO data whatsoever with CLIENT_ID XXX OR BILL_TO_NDCS beginning with XXX; however, when we log into the application under a userid in the CRENT\SCE XXX Users group, we are seeing ALL DATA.

      This is an urgent problem / bug. If a client has no data, they should not see anything. They should never see other data!?!?!?

        • LOOPHOLE IN SECTION ACCESS???

          When you set the field you are limiting data on (user id) to *, it is a wildcard field and means they can see all data.

          I'm using section access in the same way and do not have this issue. Do not use * in any field unless you want that user to see all available data in the document.

           

            • LOOPHOLE IN SECTION ACCESS???

              I figured it out... I had no data at all that the section access was joining to. Since it can't join to a null, it was showing that client everything. I created a client ID table in the section application that has all client IDs (regardless of whether they have any data elsewhere) and it now works as I expected it. Weird loophole.

                • LOOPHOLE IN SECTION ACCESS???

                  Hello, we create an Excel document, and that is where we grant the access for each module. I attach an example; it could probably be useful.

                  ---------------------------------------------------------------------

                  Section Access;
                  LOAD
                  [ACCESS],
                  NTNAME
                  FROM [D:\qv\access.xls] (biff, embedded labels, table is [Modulo A$]);
                  Section Application;

                  ----------------------------------------------------------------------------------------------

                  Format of file:

                  ACCESS NTNAME
                  Admin rsmigi\qlikview
                  User rsmigi\lwalton

                   

                   

                    • LOOPHOLE IN SECTION ACCESS???

                      Thank you. I found out that the issue was that the key data file which my SECTION ACCESS field was joining to had no data for that client_id. I believe that since QV cannot join to a null, the SECTION ACCESS data did not link to anything, thereby allowing the user to see all data.

                      Nasty loophole IMHO.
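
The behaviour worked out in this thread can be turned into a pre-deployment check. The following is an added example, not code from any poster or from QlikView itself: a simplified Python model that flags USER rows whose CLIENT_ID matches nothing in the data model. The function names, the ABC/DEF client IDs and the second user group are constructed for illustration, and the strict-exclusion branch assumes that setting denies access when nothing matches.

```python
# Added example (not from the thread): audit Section Access rows whose
# reduction value matches nothing in the data model. Sample data is constructed.

def resolve(row, data_values, strict_exclusion):
    """Model what one Section Access row yields after initial data reduction."""
    value = row["CLIENT_ID"].strip()
    if value == "*":
        return "WILDCARD"   # deliberate wildcard, not audited by this check
    if value in data_values:
        return "REDUCED"    # user is limited to this client's rows
    if row["ACCESS"].upper() == "ADMIN":
        return "ALL"        # admins fall back to the unreduced data set
    # No matching value: without strict exclusion no reduction takes place.
    return "DENIED" if strict_exclusion else "ALL"

def audit(section_access, data_values, strict_exclusion=False):
    """Return (NTNAME, CLIENT_ID) for USER rows that would see all data."""
    findings = []
    for row in section_access:
        if row["ACCESS"].upper() != "USER":
            continue
        if resolve(row, data_values, strict_exclusion) == "ALL":
            findings.append((row["NTNAME"], row["CLIENT_ID"]))
    return findings

def with_client_master(data_values, section_access):
    """The thread's fix: a client table listing every ID, with or without data."""
    ids = {r["CLIENT_ID"] for r in section_access if r["CLIENT_ID"] != "*"}
    return data_values | ids

# Constructed sample mirroring the thread: client XXX has no rows yet.
SECTION_ACCESS = [
    {"ACCESS": "ADMIN", "NTNAME": r"CRENT\SALLEN", "CLIENT_ID": "*"},
    {"ACCESS": "USER", "NTNAME": r"CRENT\SCE XXX USERS", "CLIENT_ID": "XXX"},
    {"ACCESS": "USER", "NTNAME": r"CRENT\SCE ABC USERS", "CLIENT_ID": "ABC"},  # hypothetical group
]
FACT_CLIENT_IDS = {"ABC", "DEF"}  # CLIENT_ID values present in the loaded data (constructed)

if __name__ == "__main__":
    # As posted: the XXX group matches nothing and is flagged.
    print(audit(SECTION_ACCESS, FACT_CLIENT_IDS))
    # After adding a client table with every ID: nothing is flagged.
    print(audit(SECTION_ACCESS, with_client_master(FACT_CLIENT_IDS, SECTION_ACCESS)))
    # With strict exclusion: the unmatched user is denied instead.
    print(audit(SECTION_ACCESS, FACT_CLIENT_IDS, strict_exclusion=True))
```

Run it against the CLIENT_ID values exported from the application after each reload; any row it returns is a user who would open the document unreduced.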