Latest reply: Oct 24, 2012 11:27 AM by Amitesh Modi

    Section Access with Active Directory and Single Sign On

      Hi,

      Background: I'm working on QV10 SR1.

      The users of our QV application access the documents via Access Point through a browser, which is accessed via a URL.

      Users are authenticated via Active Directory. Since Single Sign On is enabled, once the users log on to their Windows machine and type the URL for Access point, they see all the documents they have been given access to by adding their "domain\userID" to the document through QEMC.

      When I connect to Access Point, it tells me I'm logged on as DOMAIN\user_abc

       

      I need to be able to do the following:

      There is a document in which I need to restrict data access for the users based on a column Company Segment.

      Currently I'm restricting access to specific sheets/tabs in the document using the following expression in the Show Sheet --> Conditional dialog box

      =if((OSUser() = 'domain\user_abc'
      OR OSUser() = 'domain\user_xyz'),1,0)

      This works perfectly fine.

       

      In the sheets\tabs visible to user_abc I further need to restrict data access. I tried using Section access but I'm not sure how to connect the Active Directory ID to the USERID or NTNAME. I tried using the following variants of the Hidden Section Access Script but they did not work.

      //Script 1

      Section Access;
      LOAD * INLINE [
          ACCESS, NTNAME
          user1, domain\user_abc
          user2, domain\user_xyz ];

      Section Application;
      LOAD * INLINE [
      NTNAME, CompanySegment
      domain\user_abc, Segment1
      domain\user_xyz, Segment2   ];

       

      //Script 2 (tried OSUser() in the script based on a similar suggestion by Miguel Angel Baeyens in another thread)

      Section Access;
      LOAD * INLINE [
          ACCESS, OSuser()
          user1, domain\user_abc
          user2, domain\user_xyz ];

      Section Application;
      LOAD * INLINE [
      OSUser(), CompanySegment
      domain\user_abc, Segment1
      domain\user_xyz, Segment2 ];

       

      Neither of the scripts worked. It keeps asking me for USERID and Password repeatedly.

      When I connect to Access Point, it tells me I'm logged on as DOMAIN\user_abc.

       

      What am I doing wrong? How can I link the AD IDs to NTNAME?

      I do not want to define a username and password for each user, as we have a large number of users.

       

      Any help would be greatly appreciated.

       

      Thanks,

      AM

        • Re: Section Access with Active Directory and Single Sign On
          Daniel Fleisher

          Your first script looks on the right track. The only thing to bear in mind is that the column and values need to be all capital letters, so try something like this:

           

          Section Access;
          LOAD * INLINE [
              ACCESS, NTNAME, COMPANYSEGMENT
              User, domain\user_abc, SEGMENT1
              User, domain\user_xyz, SEGMENT2 ];

          Section Application;
          LOAD * INLINE [
          CompanySegment
          SEGMENT1
          SEGMENT2];

           

          Add whatever other data you need. If your data comes from a source that's not capitalized, just create a new field using the Upper function to capitalize it, and use that for your section access.

            • Re: Section Access with Active Directory and Single Sign On

              Hi Daniel,

              Thanks for your response. As per your suggestion, my script now looks like the following, but it exhibited the same behavior as before:

              Section Access;
              LOAD * INLINE [
                  ACCESS, NTNAME , CompanySegment
                  USER, DOMAIN\userabc, SEGMENT1
                  USER, DOMAIN\userxyz, SEGMENT1
                  USER, DOMAIN\userxyz, SEGMENT2
                  ];

              Section Application;
              LOAD * INLINE [
              CompanySegment
              SEGMENT1
              SEGMENT2
              ];

              * Even though you said in your email that "If your data comes from a source that's not capitalized, just create a new field using the Upper function to capitalize it, and use that for your section access.", I read in Introduction_to_Section_Access_-_Rev_1-1 that

              **Note that all data loaded via an external data source must be loaded in upper case in the SECTION ACCESS statement. This does not apply to INLINE data which always will be treated as upper case.

               

              So I did not change CompanySegment to COMPANYSEGMENT. Should I use something like LOAD CompanySegment AS COMPANYSEGMENT before the Section Access script? All values in CompanySegment field however, are uppercase by default.

               

              Also, the binary files load happens in the tab after this hidden script tab and I cannot change the order. Does that matter?

               

              Thanks

              AM
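
One way to lay out the reduction discussed in this thread, as an added example that is not part of any poster's script: the reduction field carries the same upper-case name in both sections, and its values are upper-cased with Upper() on the application side. The account DOMAIN\SVC_QLIKVIEW, the Facts table and all rows are constructed placeholders, and the sketch assumes "Initial Data Reduction Based on Section Access" is enabled under Document Properties > Opening.

```qlik
// Added example with constructed data; not taken from the thread.
Section Access;
LOAD * INLINE [
    ACCESS, NTNAME, COMPANYSEGMENT
    ADMIN, DOMAIN\SVC_QLIKVIEW, *
    USER, DOMAIN\USER_ABC, SEGMENT1
    USER, DOMAIN\USER_XYZ, SEGMENT1
    USER, DOMAIN\USER_XYZ, SEGMENT2
];
// Notes on the table above:
// - Only ACCESS and NTNAME identify the user; there are no USERID or
//   PASSWORD columns, so matching relies on the Windows identity alone.
// - ACCESS takes the values ADMIN or USER.
// - The ADMIN row is a placeholder for the account that reloads the
//   document (an assumption); without such a row a reload can be locked out.
// - "*" means every value listed in this column of the access table
//   (here SEGMENT1 and SEGMENT2), not every value in the data.

Section Application;

// The linking field must be named COMPANYSEGMENT here as well, in upper
// case, with upper-case values. The mixed-case source column is kept for
// display and a separate upper-cased copy is used for the reduction.
Facts:
LOAD
    Upper(CompanySegment) AS COMPANYSEGMENT,
    CompanySegment,
    Amount
INLINE [
    CompanySegment, Amount
    Segment1, 100
    Segment2, 250
    Segment3, 75
];
// With the reduction applied, DOMAIN\USER_ABC is left with the Segment1
// row and DOMAIN\USER_XYZ with the Segment1 and Segment2 rows. Segment3
// is not linked to any row of the access table.
```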