Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
fishing_weights
Contributor III
Contributor III
‎2023-09-18 10:06 PM

section access not working in Production/ Access Point but works on the local and UAT environment

My section access pass all test phases both on the local machine itself and the UAT test environment. However when I upload it to the "live" production access point. It does not restrict anything. could someone look at the simplify sample I've created and let me know where I've gone wrong please. thank you. 

sample is as my original....

screen shots and code if you dont want to download:

fishing_weights_0-1695088871211.png

fishing_weights_1-1695088896115.png

// Country Grouping
[COUNTRY_LIST]:
NoConcatenate
LOAD * Inline[
country,COUNTRYGROUP
SG,SG
BR,BR
TH,TH
VN,VN
SG,ALL
BR,ALL
TH,ALL
VN,ALL
];
 
// Segment Grouping
[SEGMNT_LIST]:
NoConcatenate
LOAD * INLINE[
level1,LEVELGROUP
D1,D1
D2,D2
D1,ALL
D2,ALL
];
 
[SECTION_ACCESS]:
NoConcatenate
LOAD 
userid,
access,
ctry, 
lvl, 
page
FROM
user_access_file.xlsx
(ooxml, embedded labels, table is Sheet1);
 
[SHEET_ACCESS]:
NoConcatenate
LOAD
UPPER(Trim(userid)) as SHEETACCESS,
page as PAGE
Resident[SECTION_ACCESS];
 
SECTION Access;
NoConcatenate
LOAD
UPPER(TRIM(userid)) as NTNAME,
UPPER(TRIM(access)) as ACCESS, 
UPPER(TRIM(ctry)) as COUNTRYGROUP,
UPPER(TRIM(lvl)) as LEVELGROUP,
UPPER(TRIM(userid)) as   SHEETACCESS
Resident[SECTION_ACCESS]  order by access DESC;
SECTION Application;
 
DROP Table [SECTION_ACCESS];

 

 

 

 

sample.7z
449 Views
0 Likes
1 Solution

Accepted Solutions
marcus_sommer
MVP
MVP
‎2023-09-19 07:47 AM

In response to fishing_weights

Section access mustn't be sorted in any way - each entry will be considered and any prohibition will overwrite all permissions.

If I use section access I apply it quite near the script-start (it's always outsourced in include-variables but they will need other includes for connections/paths/formatting and so on) and doing everything within this part - but in general it could be placed wherever possible and also divided within multiple section access/application areas.

I'm not sure if the domain could be always skipped - especially within a multi-domain environment which may also require certain trust-settings between them and/or by mixing multiple types of authentications like NT and/or custom users and/or per certificates and/or whatever. But ideally there are no differences between the environments - neither by the OS/QlikView releases nor by the various environment/network/security/authentication settings. Looking within the QMC if you could assign the users to a CAL or other permissions may give valuable hints.

Beside the above I think you need at least two accounts for testing the section access. This might be your personal account and service-user account.

View solution in original post

406 Views
3 Replies
marcus_sommer
MVP
MVP
‎2023-09-19 07:03 AM

At first make sure that you have enough BACKUP's of your application without any section access. After this you should enable the option of "strict exclusion" because only this option guarantees that not authorized users don't see confidential data - otherwise it should be more regarded as a kind of usability and not of access control.

Further your section access creates a circular loop. I could imagine that this and/or various synthetic keys may not mandatory bother by a section access but personally I regard them as failure and suggest to resolve them - especially if any unexpected happens.

Before looking for any mistakes within the section access should be a data-check if the section access table and their corresponding section application data are loaded properly. Means to comment the section access; statement to get access to the table within the table-viewer and the UI and then using a table-box + various list-boxes to look on the relevant data and if they are associated as expected. I'm not sure if this will really work in your case because there is this circular loop - with measures it will always fail but by pure associations I'm not sure ...

416 Views
fishing_weights
Contributor III
Contributor III
‎2023-09-19 07:15 AM
Author

In response to marcus_sommer

Hi @marcus_sommer 

Yes that what I am trying to say. it works even with the circular referencing. I've tested it as an actual table iteself and with the section access implemented. Only when it is in QMC users are not being restricted.

some things I've been told but am not sure if its true or if there are unique situations.

1. Section Access; must be sorted by the "access" field

2. SECTION Application; should be the last line of script. nothing other then dropping the temp access table should come after this

3. There is actually no need to put the domain infront of NTNAME. 

I'm unable to test them out individually or see what occurs due to the company's cyber security protocol and can only  view the end result of what I push in via git.

410 Views
0 Likes
marcus_sommer
MVP
MVP
‎2023-09-19 07:47 AM

In response to fishing_weights

Section access mustn't be sorted in any way - each entry will be considered and any prohibition will overwrite all permissions.

If I use section access I apply it quite near the script-start (it's always outsourced in include-variables but they will need other includes for connections/paths/formatting and so on) and doing everything within this part - but in general it could be placed wherever possible and also divided within multiple section access/application areas.

I'm not sure if the domain could be always skipped - especially within a multi-domain environment which may also require certain trust-settings between them and/or by mixing multiple types of authentications like NT and/or custom users and/or per certificates and/or whatever. But ideally there are no differences between the environments - neither by the OS/QlikView releases nor by the various environment/network/security/authentication settings. Looking within the QMC if you could assign the users to a CAL or other permissions may give valuable hints.

Beside the above I think you need at least two accounts for testing the section access. This might be your personal account and service-user account.

407 Views