What do you mean by model? Are you trying to restrict access to the document or to data within the document?
If you have separate documents for each model, then you should apply file permissions on each document for only the user groups that make sense.
If you are trying to control access to model data within a single application, then you need to apply Section Access on your load script.
Thanks for the reply.
Let's put it this way:
I have built a model (= document) for Marketing. Just the whole document.
As if by magic, the Windows AD system has a group called Marketing.
So I create a folder within the QlikView document space, called Marketing, and place the model in it (let us say it's called Accounts.qvw).
I go to the Marketing folder, and it has all sorts of permissions/privileges on it. I clear all the ones except the admins/SYSTEM that are required.
I now add the Marketing group. What are the minimum set of privileges/permissions I need to give for a QlikView model to work for Marketing? Is ir Read? Is it Read and Write? Is it Modify and ... etc?
I'm trying to work to a minimum privilege model for security: people should have no more access then they need. Now for all I know, they only need read privilege, and then QlikView will use escalation/impersonation to allow them to write bookmarks (for example). The problem is that the manuals say "use Windows AD to control access" - but what access?
That's the point - I can't find it documented anywhere where Windows security interleaves with QlikViews' security.