Making documents available to the correct users can be handled in several different ways, depending on your implementation and license structure. These methods are not mutually exclusive and you may choose to implement a combination of them.
If you only have named Document users, you can restrict access to documents by simply not granting users a license. If users do not have a Document license for a particular document, they may be able to see that document in AccessPoint, but will not be able to open it.
You will need to turn off any automatic allocation of licenses for both Document licenses and Named User licenses, or the system will simply override your security by allocating an available license and giving the user access to that document.
This only works for Document license users. The Named User license holders can’t be locked out of a document this way as they have a license that allows them to open any number of documents, so they cannot be restricted. The fact that this is user based—a Document license can only be granted to a user, not a group—also means that there is no option to secure by a named group.
This is the most basic, least flexible, and least user-friendly way to implement security. While it will certainly stop users getting access to documents—and it will work in either NTFS or DMS security modes—it can be frustrating for users to see a document that they think they can open, but for which they will get a NO CAL error when they try to open it.
The QlikView file will also need to have appropriate NTFS or DMS security so that users are able to access it. The easiest way to do this is to grant access to a group that all the users will be in, or even allow access to an Authenticated Users group.
Section Access security is a very effective way of securing a document to the correct set of users. This is because a user must be actually listed in the Section Access user list for the document to be even listed in AccessPoint for them.
Additionally, if Section Access is in place, a user cannot even connect by using a direct access URL because they have no security access to the data.
This method of securing documents works well in both NTFS and DMS security modes.
When using the NTLM (Windows authentication via Internet Explorer) authentication method, you can have Group Names listed in Section Access. However, when using alternative authentication, Section Access does not give us an option to secure by group.
As with the license method discussed earlier, appropriate file security needs to be in place in order to allow all the users to access the QlikView file.
NTFS Access Control List (ACL)
NTFS (Microsoft’s NT File System) security is the default method of securing access to files in a QlikView implementation. It works very well for installations where all the users are Windows users within the same domain or a set of trusted domains.
In NTFS security mode, the Access Control List (ACL) of each QlikView file is used to determine which documents are listed for a particular user. This is a very straightforward way of securing access and will be very familiar to Windows system administrators.
As with normal Windows file security, the security can be applied at the folder level. Windows security groups can also be used. Between groups and folder security, very flexible levels of security can be applied.
By default, Internet Explorer and Google Chrome will pass through the Kerberos/NTLM credentials to sites in the local Intranet zone. For other browsers, such as Safari on the iPad, the user will be prompted for a username and password. When a user connects to AccessPoint and their credentials are established, they are compared against the ACLs for all the files hosted by QVS. Only those files that the user has access to—either directly by name or by group membership—will be listed in AccessPoint.
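An added example, not part of the original article: a PowerShell audit that lists, for each .qvw file, the identities whose NTFS ACL entries cover read access, which in NTFS mode is what decides who sees the document in AccessPoint. The document folder path and the list of broad principals (English-language Windows names) are assumptions.

```powershell
# Added example: list who the NTFS ACL exposes each QlikView document to.
param(
    # Hypothetical document folder; point this at your QVS root or mounted folder.
    [string]$DocumentRoot = 'D:\QlikView\Documents',
    # Assumed list of broad principals (English-language Windows names).
    [string[]]$BroadPrincipals = @('Everyone',
                                   'NT AUTHORITY\Authenticated Users',
                                   'BUILTIN\Users')
)

# ReadData is the bit every read-capable grant (Read, Modify, FullControl) includes.
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$report = foreach ($file in Get-ChildItem -Path $DocumentRoot -Filter '*.qvw' -Recurse -File) {
    foreach ($ace in (Get-Acl -LiteralPath $file.FullName).Access) {
        # Ignore entries that do not cover reading the file.
        if (([int]$ace.FileSystemRights -band $readBit) -eq 0) { continue }
        [pscustomobject]@{
            Document  = $file.FullName
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited         # True when set on a parent folder
            Broad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        }
    }
}

# Full listing: one row per document and identity.
$report | Sort-Object Document, Identity | Format-Table -AutoSize

# Documents that a broad group can read; in NTFS mode, Section Access or
# licensing is then the only remaining control on who opens them.
$report | Where-Object { $_.Broad -and $_.Type -eq 'Allow' } |
    Select-Object -ExpandProperty Document -Unique
```

Rows with Inherited set to True come from folder-level security, so changing them means editing the parent folder's ACL rather than the file's.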
Document Metadata Service (DMS)
For non-Windows users, QlikView provides a way of managing user access to files called the Document Metadata Service (DMS).
DMS uses a .META file in the same folder as the .QVW file to store the Access Control List. The Windows ACL, which has permissions on the file, now becomes mostly irrelevant as it is not used to authenticate users. It is only the QlikView service account that will need access to the file.
It is a binary choice between using NTFS or DMS security on any one QlikView Server.
To enable DMS, we need to make a change to the server configuration.
In the QlikView Management Console, on the Security tab of the QVS settings screen, we change Authorization to DMS authorization and then click on the Apply button.
The QlikView Server service will need to be restarted for this change to take effect. Once the service has restarted, a new tab, Authorization, becomes available in the document properties.
Clicking on the + button to the right of this tab allows you to enter new details of Access, User Type, and specific Users and Groups.
Access is either set to Always or Restricted. When Access is set to Always, the associated user or group will have access at any time. If it is set to Restricted, you can specify a time range and specific days when the user or group has access.
You can keep clicking on the + button to add as many sets of restricted times as needed for a user or group. The restrictions are additive; that is, if the user only has access on Monday and Tuesday in one group of restrictions, and then Thursday and Friday in another set of restrictions, they will therefore have access on all four days.
The User Type is one of the following categories:
All Users
Essentially no security. Any user, including anonymous, who can access the server will be able to access the file.
All Authenticated Users
For most implementations, this will also be All Users. However, it will not give access to anonymous users. Section Access would typically be used to manage the security.
Named Users
This allows you to specify a list of named users and/or groups that will have specific access to the document.
If Named Users is selected, a Manage Users button will appear that allows you to specify users and/or groups.
In this article, we have looked at several ways of securing QlikView Documents—by license, using Section Access, utilizing NTFS ACLs, and implementing QlikView’s DMS authorization.