23 Replies Latest reply: Jul 22, 2013 12:47 PM by Rikab Kothari RSS

    Default user in Section Access

      Hi,

      Is it possible to define a default user in Section access?

      What I'm trying to accomplish is that a number of named users (NTNAME) should see a sheet that is hidden for everyone else without having to specify it for every NTNAME. So if a user isn't named in Section access he or she should get a default access level.

      Thanks

      :) Fredrik

        • Default user in Section Access
          Gordon Savage

          Fredrik,

          If I understand you correctly, then everyone has access to the document and you just want to use section access to control exactly what they see?

          I believe section access searches for a match 'top down' in terms of how the rows are presented to it and the first positive match terminates the search. I think by having a column, called for example 'SeeHidden' then those people you want to see it are defined with their true NTNAME and a value of 'Y' for the column. Anyone you dont want to see the hidden column you use '*' in every column (NTNAME for example) and a value of 'N' for 'SeeHidden'. Its important this row follows any specifically named users. The '*' does of course mean 'all' and needs to be declared in the script with

          Star is *;

          Hope this helps,

          Gordon

            • Default user in Section Access

              Hello Gordon,

              Thanks for your reply. I tried your solution but the '*' users sees everything.

              Cheers

              Fredrik

                • Default user in Section Access
                  Gordon Savage

                  Fredrik,

                  Dont forget that 'section access' is used to automatically reduce the data the user can see, so we need to make the value in the column available in 'section application'. We can do this like so:

                  star is *;

                  SECTION Access;

                  [Access Control]:
                  LOAD NTNAME,
                  NTDOMAINSID,
                  SEEHIDDEN
                  FROM ...

                  SECTION Application;

                  [User detail]:
                  // Make user attributes visible
                  LOAD SEEHIDDEN
                  RESIDENT [Access Control];

                  Now you can use the SEEHIDDEN column to condition the 'show sheet' with

                  SEEHIDDEN = 'Y'

                  Regards,

                  Gordon

                    • Default user in Section Access

                      Hello Gordon,

                      Does this work for you? I tried it and I get the same result as before.

                      Cheers

                      Fredrik

                        • Default user in Section Access
                          Gordon Savage

                          is 'section access' turned on in the document properties> open?

                          I use this technique quite frequently.

                          Gordon

                            • Default user in Section Access

                              Hello Gordon,

                              Yes, 'section access' is turned on. The '*' user is prompted for username and pwd. The '*' user should be able to open the document as there were no section access.

                              Cheers

                              Fredrik

                                • Default user in Section Access

                                  Hi again,

                                  I tried it again and found a typo in the access table.. Now it works :)

                                  Thanks for your help!

                                  Fredrik

                                  "If it doesn't work, try again!"

                                    • Default user in Section Access

                                      Hi,

                                      I'm picking up this thread. I'm trying to achieve same thing as Fredrik, i.e. to give a default user more access than a named user by access rights defined in the section access. From what I can conclude from testing a bunch of cases, this is how it works:

                                      1 - (If named user and default user (*) both are defined as ADMIN or both defined as USER: The user will gain the broadest access possible from the combination of the two access definitions.

                                      2 - (If named user is defined as USER and default user (*) is defined as ADMIN: the user will gain the rights defined to default, i.e. the ADMIN rights overwite the USER rights.

                                      Given that the named user is a USER, this basically means that if the default user in NOT ADMIN and if the default user is given access to a smaller data set, everything will work fine. However, if the default user is ADMIN or if the defined access is wider than for the named user (what I´m trying to achieve), it will not work. Does anyone have a good work-around to solve this problem?

                                      Thanks,
                                      David

                                       

                                        • Default user in Section Access
                                          Gordon Savage

                                          Hi David,

                                          As I mentioned before, I think the access rights are granted on a top down approach which terminates the search so if what you are seeing contradicts this then I am surprised.

                                          I'm not quite sure what you are trying to achieve but I think its a bad idea for a default user to have ADMIN access. I would ensure that any access to an ADMIN enabled profile always had a definite authentication.

                                          Regards,

                                          Gordon

                                            • Default user in Section Access

                                              Hi Gordon.

                                              Thanks for your quick answer. I agree with you on not letting default be ADMIN, however, that doesn't solve the problem. Let me examplify with some code:

                                              star is *;
                                              SECTION ACCESS;

                                              AccessControl:
                                              load * inline
                                              [NTNAME, ACCESS, ID
                                              MR_BROWN, USER, SE
                                              *, USER, US
                                              ];

                                              SECTION APPLICATION;

                                              UserDetails:
                                              Load ID
                                              resident AccessControl;

                                              Country:
                                              Load * inline
                                              [ID, Country
                                              SE, Sweden
                                              US, USA
                                              UK, United Kingdom
                                              ];

                                              I want Mr Brown only to see Sweden. But running the above script, Mr Brown will in fact see both Sweden and the US. With other words, he picks up the access rights both from the row where he is explicitely named and from the default user row. It doesn't seem like qlikview breaks off at the first positive match but rather reads the whole table and grants all applicable rights.

                                              So how do I get my explicitly named users to be excluded from the default user settings?

                                              Cheers,
                                              David

                                               

                                                • Default user in Section Access
                                                  Johan Idh

                                                  Use OTHERSYMBOL instead of *.

                                                  SET OTHERSYMBOL=+;

                                                  and replace your * with a + for the default user.

                                                    • Default user in Section Access

                                                      Hi John,

                                                      Thanks for your answer. I still can't get it to work though. With the following code, only MR_BROWN will be able to open the application, i.e. the othersymbol = + doesn't work as a wildcard for the default user.

                                                      Section ACCESS;

                                                      SET OTHERSYMBOL = +;

                                                      AccessControl:
                                                      load * inline
                                                      [NTNAME, ACCESS, ID
                                                      MR_BROWN, USER, SE
                                                      +, USER, US
                                                      ];

                                                      What am I doing wrong?

                                                      /David

                                                        • Default user in Section Access
                                                          Nathan Furbank

                                                          I am experiencing the same problem.

                                                          The 'OtherSymbol' approach does not work as David has already mentioned.

                                                          The 'Star is *;' approach does work but only when the user's NTNAME is not already specified in the table - once again pointed out by David and also the original problem from Fredrik.

                                                          Fredrik - what was the typo that you found?

                                                          Gordon - you mentioned the Section Access works on a top-down basis but this seems incorrect - am I experiencing a bug? (QV 9 SR4)

                                                          Thanks for any help offered.

                                                            • Default user in Section Access
                                                              Nathan Furbank

                                                              Quick Update:

                                                              I have now noticed that the problem only occurs when the same 'Access' value is used. In the following example the qlikview NT Name will work as planned but the nathan NT Name will be linked to both the HIGH and LOW groups and therefore on load no default selection is made. Change the nathan ACCESS Level to 'ADMIN' and the user will only be linked to the HIGH group.

                                                               

                                                              Section Access;
                                                              Access01:
                                                              LOAD * INLINE [
                                                              ACCESS, NTNAME, SYSGROUP
                                                              ADMIN, qlikview, HIGH
                                                              USER, nathan, HIGH
                                                              USER, *, LOW
                                                              ];

                                                              Section Application;
                                                              Application01:
                                                              LOAD * INLINE [
                                                              SYSGROUP
                                                              HIGH
                                                              MEDIUM
                                                              LOW
                                                              ];

                                                               

                                                                • Default user in Section Access

                                                                  Hello,

                                                                  Don't remeber exactly what the typo was but I think it was only a miss spelling.

                                                                  Having tested this a bit more I have come to the same conclusion as Nathan.

                                                                  Cheers/ Fredrik

                                                                    • Default user in Section Access
                                                                      Nathan Furbank

                                                                      Thanks Fredrik - will pass this on to support to see if they think this is a bug.

                                                                        • Default user in Section Access
                                                                          Gordon Savage

                                                                          I have looked for confirmation of what I believe(d) is the 'top down' authentication but cannot find proof. I think it might have been in a Qliktech scripting course but I actually threw the course notes away recently after years of gathering dust.

                                                                          I have never encountered the specific circumstances we are talking about here but I am sure I didnt dream it!

                                                                          Regards,

                                                                          Gordon

                                                                            • Default user in Section Access
                                                                              Nathan Furbank

                                                                              I hope you don't have any dreams about QlikView Gordon Big Smile

                                                                              What you say makes sense and also is proven correct in the scenario I mentioned where the Access Level is ADMIN for the user but USER for the '*' (Rest of them) Group - the 'search' stops there. I can't believe that the scenario I detailed has not been noticed before. If it is a bug it must mean that QV users don't make use of Section Access in this way - can't believe that either.

                                                                              Will see qht QlikTech say. Thanks,.

                                                                              • Re: Default user in Section Access
                                                                                Miguel Angel Baeyens de Arce

                                                                                Hello,

                                                                                I see one thing here: "*" in section access doesn't mean "all values for field" but "all listed values" for that field, meaning that in the following example:

                                                                                 

                                                                                STAR IS *;
                                                                                
                                                                                SECTION ACCESS;
                                                                                
                                                                                LOAD * INLINE [
                                                                                ACCESS, USERID, PASSWORD, COUNTRY
                                                                                ADMIN, ADMIN, ADMIN, *
                                                                                USER, USER1, USER1, BE
                                                                                USER, USER2, USER2, ES
                                                                                USER, USER3, USER3, UK
                                                                                ];
                                                                                
                                                                                SECTION APPLICATION;
                                                                                
                                                                                Countries:
                                                                                LOAD * INLINE [
                                                                                COUNTRY, Name
                                                                                UK, United Kingdom
                                                                                BE, Belgium
                                                                                DE, Germany
                                                                                ES, Spain
                                                                                US, United States
                                                                                FR, France
                                                                                ];
                                                                                

                                                                                 

                                                                                 

                                                                                 

                                                                                ADMIN won't see all countries, but those listed in the section access: BE, ES, UK regardless being ADMIN. Instead,

                                                                                 

                                                                                ADMIN, ADMIN, ADMIN,

                                                                                (note the null value for the COUNTRY field) will see any value from that field.

                                                                                 

                                                                                 

                                                                                Hope shed some light.

                                                                                EDIT: Corrected the COUNTRY field name in the Countries table.

                                                                                  • Default user in Section Access
                                                                                    Nathan Furbank

                                                                                    Interesting Miguel - makes sense for the COUNTRY field in this example as the Section Access would not know all the values in the Countries table.

                                                                                    But when a * (Star) is used in the ACCESS, USERID, PASSWORD fields I think the functionality must be different. For example, in the real world I am using NTNAME:

                                                                                    Section Access;
                                                                                    Access01:
                                                                                    LOAD * INLINE [
                                                                                    ACCESS, NTNAME, SYSGROUP
                                                                                    ADMIN, qlikview, HIGH
                                                                                    USER, nathan, MEDIUM
                                                                                    USER, *, LOW
                                                                                    ];

                                                                                    In this example, anyone can open the document and they will be placed in the SYSGROUP 'LOW'. But this also causes the problem I am experiencing which is e.g. nathan user placed in both 'MEDIUM' and 'LOW' groups.

                                                                                     

                                                                                    EDIT: If the * in the above example is replaced with a blank (null) then any user not explicitly listed will be prompted for username/password for which nothing exists and therefore will not gain access to the document.

                                                                                     

                                                                                      • Default user in Section Access
                                                                                        Miguel Angel Baeyens de Arce

                                                                                        Hi Nathan,

                                                                                        Actually you have to add all users to your section access, because that's the behavior when there are more than one lines matching your user. Think of a different scenario when SYSGROUP (your reduction field) allows more than one possible value and you do want a user to have access to more than one value. There is no way to do that than creating two different lines with the same access, userid and password but different reduction field values, so it's how the section access syntax works.

                                                                                        But further to your question, you can create a section access loading all users from your active directory instad of creating an inline table, reading directly using the OLE DB provider for Microsoft Directory Services and building your section access from

                                                                                         

                                                                                        CONNECT TO [Provider=ADsDSOObject;User Id=Domain\YourUser;Password=YourPassword];
                                                                                        Users: LOAD cn;SQL SELECT cn FROM 'LDAP://SERVER.DOMAIN'


                                                                                        Hope that helps