5 Replies Latest reply: Jan 13, 2012 10:56 AM by Miguel Angel Baeyens de Arce RSS

    Access Point showing all QVWs to users without proper access to file

      We have setup an external server for users to view reports(qvw) outside of our organization. These users do not have domain rights, but are allowed in to view the access point. However, the users see every single qvw in the system, instead of the 2 or 3 they should see. Is there a global setting that we are missing? We have not added these users to all QVWs. Any help is appreciated.

        • Access Point showing all QVWs to users without proper access to file
          Miguel Angel Baeyens de Arce

          Hi,

           

          The Accesspoint, as any other web server, is available to all users to whom is not restricted. This platitude means that if the folders are available to "anonymous users", "all users", "any user"... you name it, this will show, by default, all documents available in that server. So the first option is to remove NTFS or equivalent security permissions in the folder to all users and leave only those that should be allowed.

           

          But my guess is that you have an Information Access or Extranet Server, so anybody can see some document but not all.

           

          In this case, create a Root folder with permissions to all users or anonymous, and move all the other QVW internal documents to a different, restricted folder, and set this folder as Mounted in the QEMC, System, Setup, QlikView Server, Folders.

           

          Authenticated users will see all documents if they are allowed to (both the root and mounted folders) but anonymous users over the Internet will see only those in the Root folder.

           

          Hope that helps.

           

          Miguel

            • Access Point showing all QVWs to users without proper access to file

              Actually, this will not work. The users are not anonymous, they have accounts in our domain. We also have items that some external meembers will need to see collectively, but we can't allow them to see the other member's data. Even though they have domain accounts, we remove "Domain Users" as their primary group and replace it with a dummy group. This would prevent them from seeing any files using NTFS. We just don't understand why they see these other QVWs when they have not been added to them. I am guessing there is a global setting in the QEMC or QMC that is allowing all users to see all QVWs. Otherwise, we will have to have completely different systems for internal and external users or, at a minimum, have separate web interface servers. Would separate WI servers solve my issue?

              • Access Point showing all QVWs to users without proper access to file

                Are you saying that each external member would need their own mounted folder? Sorry, I am just digesting what you said.

                  • Access Point showing all QVWs to users without proper access to file

                    After further review, our developers have made a mistake. I will mark this answered. thanks Miguel.

                    • Access Point showing all QVWs to users without proper access to file
                      Miguel Angel Baeyens de Arce

                      Okay, let's go a bit deeper,

                       

                      QlikView does neither authenticate nor modify permissions on its own, nor the QlikView Web Server does. If you are using IIS and have some roles configured there, that's another story. So if you go to any of those QVW files, properties, Security, Advanced, Effective permissions, and select one of those public domain users, they will have effective permissions to read, at least.

                       

                      In short: documents keep their permissions according to the AD, and thus is reflected in the Accesspoint. (I.e.: quick test: remove ALL permissions except for the administrator in one document and see whether it appears or not). You can force users to log into the Accesspoint, but again, that authentication is supported by another external security directory (AD in this case), except for the case you are using DMS.

                       

                      DMS means among other things that you have a CUSTOM security directory managed entirely by QlikView, (kind of) overriding the already existing security directory (the AD in this case). If you are using this feature, then permissions for each document are managed in the QEMC.

                       

                      Hope that makes more sense now.

                       

                      Miguel