Dynamic Access Control is a new feature in Windows Server 2012 enabling Windows administrators to customize authorization to file server resources using conditional logic based upon user/device claims and metadata tags.
This may affect QlikView Server installtions in the following areas:
- Reload tasks
- Distribution tasks
- User access to distributed QlikView documents
Reload tasks may fail if Dynamic Access Control is applied to folders configured as Source Document folders for QlikView Distribution Service.
Dynamic Access Control works in conjunction with existing NTFS permissions and the effective permissions will be based on a combination of existing NTFS permissions and Dynamic Access Control logic applied using Central Access Rules.
Ensure effective permissions (combined NTFS and DAC logic) on the folders configured as Source Document folders for the QlikView Distribution Service, result in read/write access for the account running QlikView Distribution Service.
To check the effective permissions on the folder do the following:
- In Windows Explorer, right-click the folder being used as the Source Document folder for QlikView Distribution Service and select Properties
- On the Security tab, click Advanced
- Go to the tab Effective Access
- Click Select a user. Locate the account configured to run QlikView Distribution Service
- Click View effective access and verify the effective permissions will grant the account read/write access to the folder
Distribution tasks may fail if Dynamic Access Control is applied to folder(s) used for distributed QlikView documents, such as mounted folder(s) in QlikView Server or a distribution folder configured for QlikView Distribution Service.
Ensure effective permissions on the folder(s) will grant read/write access to the account running QlikView Server (if distribution is done to a QlikView Server) or QlikView Distribution Service (if distribution is done to a folder).
User access to distributed QlikView documents
It is not possible, in the current version of QlikView, to control access to QlikView documents based on conditional logic built using Dynamic Access Control.
Any Dynamic Access Control affecting user access will be ignored, as the file is never touched in the context of the user. Instead QlikView documents hosted on a QlikView Server will always be read from disk to memory using the account running QlikView Server service and the QlikView Server service will only grant (or deny) access based on NTFS permissions set in the Access Control List.