QlikView Server has two type of Authorization. NTFS and DMS. This article explains how NTFS authorization works by using an example.
In short, QlikView follows this method when validating if a user has access to a document or is allowed to open it:
Is the user authenticated? Do I know who they are? This step is usually performed by Windows or a Single Sign on System
Does the user have file access? With NTFS mode, this step is performed by Windows on disk. The document needs to have the correct Windows file permissions to allow the user to see the document.
Does the user have file access (Section Access)? A second step and a secondary security measure. Section Access is done directly in the document.
Does the user have a license? Checks if the user has a CAL assigned.
In this example, we are using a domain named domain.local
Three users were created:
This example uses Section Access as well. Section Access is not required.
We have a document named SectionAccess.qvw
The document is secured with a Section Access script allowing access to Domain\User1
exists in section access. Domain\User3
doesn’t exist in section access.
The document has "Initial Data Reduction Based on Section Access" Option enabled.
We store SectionAccess.qvw
in the AccessPoint document folder \\dc1\share\Front-end\UserDocuments.
The folder is configured to grand access to Everyone.
This can be changed to give access to specific users or groups, such as User1 or a group that all of our users belong to.
NTFS permissions rely on Windows permissions given on disk.
is stored in the document folder:
Ensure that the Directory Service Connector is correctly connected to the user directory. In our cases, it is the Active Directory named domain.local
. This is necessary for managing CALs and distribution tasks. It does not affect the permissions on disk.
Verify that the QlikView Server is set up to use NTFS authorization.
- Open the QlikVIew Management Console
- Navigate to System > Setup > QVS@yourserver
- Switch to the Security tab
- Check NTFS in the Authorization section.
With the above shown example, User1
will be able to open the document SectionAccess.qvw
, as they are in the Section Access Table and
have access on disk to open the document.
To test, log on to a system using User1.
You can verify the logged on user with the command line whoami
Opening the AccessPoint with this user will show that the userID matches the one in the Section Access table and the Everyone permissions on the file allow file access.
User2 will also be able to open the document.
User3 will not be able to see or open it.