8 Replies Latest reply: Feb 8, 2012 10:39 AM by Stephen Redmond RSS

    Section Access vs Publisher for Security

      I am looking for some guidance on the best way to implement security for our #1 QV application and the pros and cons for each, Section Access or Publisher.  We have Publisher but I am told it is not configured yet, and I am getting push back to use Section Access instead.  Publisher seems to be the right approach given that Section Access is a bit of a pain to manage as users and data changes.  Also, our App is accessed via an Access Point (IE Plugin) and all users are treated as Users and there is no ADMIN access when using Section Access in an App that is accessed via the Access Point.  Facts:  The app is accessed via the access point (IE Plugin), there are over 50 users for the App and when security is set up there will be 100 users.  There are 2 fields, SalesOrganization, and Division where the restrictions need to occur.  SalesOrganization is the highest level, so let's say we have 5 SalesOrganizations (A,B,C,D,E), and within each SalesOrganizations there are 10 Divisions (1-10); the divisions are the same within each SalesOrganization.  Some users will be able to see all SalesOrganizations and all Divisions, some will be restricted to 1 SalesOrganizations and a few Divisions within that SalesOrganization, and some with have access to all SalesOrganizations, but only a few divisions within each.  Which is better, Publisher, or Section Access, and why?  If I have to use Section Access, any suggestions on the best way to go about it?  Thank you in advance for taking the time to assist.  Sean

        • Section Access vs Publisher for Security
          Stephen Redmond

          Hi,

           

          I am not sure what you have been told that Publisher can do, but I would recommend Section Access for your scenario.

           

          Publisher will allow you to create a separate document off the master document based on one field in that document.  You can also supply security based on a field in the document.  In your case, you could possibly create a field for each user and create 100 spearate documents based on their associations.  However, I feel that might be a bit painful to implement and manage.

           

          On the other hand, users linked to the data via Section access is a lot easier to implement - especially when you have complex rules likes yours.  Section access associations can have multiple associations from the users to different fields (like SalesOrg and Division).

           

          That's my advice.

           

           

          Regards,

           

           


          Stephen

            • Section Access vs Publisher for Security

              Thank you for the reply.  With Section access, would I set it up with 2 fields, username and division so that username Sean = Division 7, username Sean = Division 9 and so on down the line for all divisions?  What about when I have the 2 fields to restrict to, SalesOrganization and Division?  How do I do username Sean = SalesOrganization A, Division 7, Username Sean = SaleOrganization A, Division 8, Username Sean, SalesOrganization B, Division 3, etc, etc, depending on the different scenarios?  Thanks again, Sean

                • Section Access vs Publisher for Security

                  I forgot to add.  With Publisher making a seperate app based on a field.  Can it make a seperate document based on the vaule of that field?  Where I am goin gwith it is this.  In the data, can a field be added based on the values of the SalesOrganization and Division combination?  So, if I could create 3 distinct combinations, Publisher could create 3 apps.  What I understand about section access, each user has to be defined to each field since they are all calssified as USERS as we are accessing the apps via the IE Plugin and that keeps me from setting ADMIN access to the user.  Thanks,

                    • Section Access vs Publisher for Security
                      Stephen Redmond

                      Hi,

                       

                      Just FYI - all users accessing documents via QlikView server, no matter what client, are accessing as "USER".  This is the case whether using Section Access or not.

                       

                      A combo of 5 SalesOrgs and 10 Divisions would give you 50 documents!  You still need to add the Windows security to restrict to different users when the documents are on AccessPoint.

                       

                      ACCESS, NTNAME, ORG, DIV

                      ADMIN, DOM\QVSVC, *, *

                      USER, DOM\user1, 1, *

                      USER, DOM\user1, 2, *

                      USER, DOM\user2, 1, 1

                      USER, DOM\user2, 1, 2

                      USER, DOM\user3, *, 3

                      ...

                       

                      This table doesn't have to be maintained directly in the script, it can be derived from a database or you could maintain it in QEMC.

                       

                       

                      Regards,

                       

                       

                      Stephen

                        • Section Access vs Publisher for Security

                          Hey Steve, really appreciate your input here.  With your example in the last email, would I just have a Sectioon Access piece in the script, or would I also need to use the Section application script as well?  I have the Intro to section access document, so being new at this, I am not sure what I can and cannot do with it.  On my last comment regarding publisher, what my thought was on have the 3 distinct levels of access would be to add a new column to the fact table based on the sales org and div relationship, i.e. if sales org =a and div =3, newcolumn =1, so on and so forth for all combinations.  So in the end, new column would only have 3 values, 1-3, then could I have publisher make 3 different documents based on the values of new column (1-3) and then users can be assigned that way.  Just wondering if this approach is easier than having someone in the business maintain a sectioon access document for all users?

                            • Section Access vs Publisher for Security
                              Stephen Redmond

                              Hi,

                               

                              If you have Section Access, you must have Section Application also.  Section Application is the "normal" part of the script.

                               

                              Sorry, still don't get your combination idea.  But, if it works for you then go for it.  How will you be assigning individuals to the different documents?

                               

                               

                              Regards,

                               

                               

                              Stephen

                                • Section Access vs Publisher for Security

                                  For Publisher your response was, "Publisher will allow you to create a separate document off the master document based on one field in that document." The field would be Division which has 1-10 divisions, so simply without thinking of users, I would get 10 documents 1 for each division. Is that correct?  If so, lets say I add a newfield to fact and I use script to say, if division = 1-4 - newfield =1, if division is 5-7 - newfield = 2, and if division = 8-10 - newfield = 3.  Now, could I set Publisher to create seperate documents based on the field "newfield" and get 3 documents?  And then could publisher assign users 1-25 to document 1, users 26-75 to document 2, and users 76-100 to document 3?