7 Replies Latest reply: Jun 13, 2012 1:15 PM by Miguel Angel Baeyens de Arce RSS

    QVS: Overriding System CAL Rights?

    Steven Bain

      Hiya Guys,

      If my understanding of QlikView Server is correct:

      1. System CALs give Users administration rights to see ALL Documents;
      2. Document CALs give non-administration Users rights to see individual Documents;

       

      If this is the case, my question is:

       

      How do I add a "Test Dashboard" Document to the QV Access Point which only a subset of Administrators have access to? (ie: I only want one Administrator to be able to see a development Dashboard for approval before it goes live).

       

      Any suggestions/ideas/better informed information will be greatly appreciated  :-)

       

      Cheers,

       

      Steve.

        • Re: QVS: Overriding System CAL Rights?
          Miguel Angel Baeyens de Arce

          Hi,

           

          Your understanding is pretty correct, except for there are no "administrators" license. However, the Named User CAL, that allows any assigned user to open any number of QVW files, can be leased so the user can open locally using Desktop those QVW files and modify them. This does not happen with Document CALs.

           

          Having said this, if you want to add security, you can create a simple section access table either using NTNAME field or USERID and PASSWORD so only those users in this table will be able to open it, even to see this file in the AccessPoint document list.

           

          Check this post and this other thread among many others on how to create a section access and how it works.

           

          Hope that helps.

           

          Miguel

            • Re: QVS: Overriding System CAL Rights?
              Steven Bain

              Hiya Miguel,

               

              Thanks for your reply - this sounds very much like the correct answer!  I will check your links.

               

              So, the CALs under "System" are known as "Named User" CALs? - and they are only to allow privileges of Desktop access for local development? (with the side-effect of giving access directly via QV Access Point also?).

               

              I am new to QlikView and am picking-up an implementation which has been set-up by a consultancy firm... it sounds like they've actually set this up incorrectly? - and if "Admins" require access to all available Dashboards (just to give them a power trip!) then they should be assigned individual "Document" CALs for each Dashboard?

               

              Is this correct?

               

              Cheers,

               

              Steve.

                • Re: QVS: Overriding System CAL Rights?
                  Miguel Angel Baeyens de Arce

                  Hi Steve,

                   

                  Yes, licenses under System ar known as Named User CALs. Their main goal is to allow one user to access any number of QlikView documents at a time from the same session (i. e.: you can open 10, 20 documents on your browser). The side effect is that since there are more and more Server deployments, and the product has been improving, to make easier the licensing thing, you don't need to purchase additional licenses if you want to develop. You can borrow a license from the server for 30 days that will allow you to open and modify any other licensed QVW file.

                   

                  If those "Admin" users need to see all documents (or a number larger than 2 documents) then assign them Named User CALs. My suggestion is that, taking into account scalability and further implementations of new dashboards, use as many Named User CALs as you can instead of Document CALs.

                   

                  A Document CAL allows one user to see only one document. If this same user needs tomorrow to see another document, he will spend another Document CAL, and so on.

                   

                  Of course, there are cases where the use of QlikView is restricted to a very limitied area of the company (for example) or to a very specific country, and the Document CAL may make sense here.

                   

                  Hope that makes a bit clear the licensing.

                   

                  Anyway, do not hesitate to contact your partner manager or sales rep in order to get the most suited answer to your scenario.

                   

                  Miguel

                • Re: QVS: Overriding System CAL Rights?
                  Gary Strader

                  Section Access might be overkill for specifying which users can see which applications in AccessPoint.  A simpler solution would be to set authorization on the filesystem for NTFS, or authorization on the document for DMS.

                    • Re: QVS: Overriding System CAL Rights?
                      Steven Bain

                      Thanks Gary,

                       

                      This is probably more suited to my question actually - but the information and links Miguel has pointed me to will make good reading!

                       

                      I never even thought of adding a "Development" folder within the Access Point file-structure and only allowing access to those Users who require it.  I briefly read about DMS today - but I think I need to investigate this further... isn't this something to do with QV Publisher?... the company I am working for do not have a license for this (yet) - so it appears!

                       

                      Cheers,

                       

                      Steve.

                        • Re: QVS: Overriding System CAL Rights?
                          Gary Strader

                          Simple distinction - if you're planning on authenticating and authorizing users based on Active Directory users and groups, you will be using "NTFS mode".  Then authorization (who can see which dashboards in AccessPoint) is controlled by setting file system permissions on the .qvw files for those AD users and groups.  NTFS is the default setting.  DMS is used for custom auth, so you're probably not using that.  DMS does not have anything to do with Publisher in this context.

                           

                          It's common and best practice to set up an AccessPoint folder hierarchy and apply the AD user and group permissions in such a way to make it easy for you to manage application visibility based on organizational groups or departments.

                          • Re: QVS: Overriding System CAL Rights?
                            Miguel Angel Baeyens de Arce

                            Hi Steve,

                             

                            I have to agree with Gary: if the thing is to separate "development" from "production" in the same server, probably using a mounted folder with different permissions makes more sense. Section Access will add more complexity that, although it may be required in the future, is not a must to control who sees what file.

                             

                            In regards to security, QlikView relies on the OS. In the case of NTFS is very clear: even if you have assigned a license to a user, if this account does not have read permissions, the user will not be able to even see the document listed. But there is another option that means to make QlikView your security directory, and that's what DMS is intended for. You don't need Publisher in order to make DMS work, but you do need an Enterprise Edition license of QlikView Server. Small Business Server only allows NTFS authentication.

                             

                            DMS will then allow you to create your own groups and users with their own passwords, instead of using the OS. This might be a good idea in some cases, but it doesn't make any sense in some other cases, it all depends on your scenario, number of users and how do you plan to increase the deployment.

                             

                            Hope that gives you an idea.

                             

                            Miguel