New age BI tools like QlikView and Tableau are making it easy to access information on the go. With this ease of access, there comes an additional danger – the danger of putting the application in wrong hands. Imagine what can happen if your QlikView application (which stores and presents information for all business critical decisions) falls in wrong hands!
Data Security is one of the top concerns for any Organization, more so for data driven Organizations.
In order to gaurd against this danger, QlikView (& now QlikSense) come with Section Access – a way to decide who can view what information, which objects can be viewed by whom and from which domain etc. These can also be set with help of QlikView publisher. In this article, we will discuss section access and show how it can be applied to a QlikView application.
What is Section Access?
It is a feature used to control the security of QlikView applications. Section access is defined as part of the load script, where we define an authorization table, i.e. a table where you define who gets to see what information and from where. Section access can be of various types, depending on the sensitivity of the information and business comfort:-
- A simple username and password might be sufficient to access some documents
- In some scenarios, you would want specific users in your domain to be logged in specific machines and use certain keys to unlock the information.
- You may also want to restrict access to specific objects and sheets of a document.
- Remove fields from the data model for the specified user (by omitting them).
- Row level data reduction based on authorization mentioned.
In this article, we will cover row level data reduction only and rest of the methods will be discussed in future posts.
Facts before Implementing Section Access:
Here are some basic rules to remember before implementing section access:-
- Backup your application because Incorrect syntax will render your document inaccessible and there’s no possibility of recovering the data or script.
- Section access data (Security table) loaded by an external source (xlsx, txt …) must be loaded by using upper case in the SECTION ACCESS statement.
- Security table contains several user-specific system fields, like USERID, PASSWORD, ACCESS are basic system fields. You can also combine several fields to build the Section Access solution depending on the desired level of security. (To know more about System fields, please refer QlikView Reference Manual).
- Apart from the standard fields, additional fields can be defined to administer data reduction for each user.
For Sachin Dashboard (we had created this application as a tribute to Sachin’s test career), I want to restrict users to see his performance against a particular country only. Look at below security table, it defines the permission to user.
You can see that we have defined 10 users with userid, password, level of access and value for field AGAINSTCOUNTRY, for which these users require access. One of the key things, I want to discuss in the above table is, “*” in Section Access. “*” denotes all values i.e. users, who have access to see all values listed in the table. If a value is not listed in the security table, it will not be available to anyone.
For ACCESS, we have two access levels “ADMIN” and “USER”. ADMIN has privileges to change everything in the document and controls what “USER” can see in the document.
Implementation of Section Access:
Now let’s Implement this section access to an existing document. We will perform this in following steps:-
- Create a copy of existing document because if any thing goes wrong, we have a backup.
- As we know that we are going to apply restriction on row level data based on Against_Country field, so first let’s make sure that it is available in UPPER case. Here, I have converted it to upper case (Changes done to the original table).
- Add a new tab and write script to import Security table followed by Section Access statement using inline table or external file. (We are doing this with external file).
- Save document and then go to Setting —> Document Properties —> Opening tab and turn check box on for “Initial data reduction Based on Section Access” and “Strict Exclusion”.
- Save it and reload. Close the dashboard after the reload.
- Now Open dashboard, here it will ask for User Identification and based on your user permission you will be able to see the results.
- Here, I have given USERID and password of Kunal and i am able to see Sachin Test Career summary only for the country Australia (as mentioned in Security table).
In this article, we have seen an example of how to restrict user to row level data limitation using Section Access. We also looked at what are security feature we should look at while developing or delivering dashboard. I recommend you to apply security feature to document before sharing it with any one.
In future, we will also discuss about other security features like NT domain identification, document properties (Sheets, Object), field level security. It also provides an example of how naming conventions can be used to architect a solution that is more robust and lowers maintenance costs for your QlikView documents.