Section Access Security
July 10, 2019
There are a few different use cases for section access. Section access is essentially the ability to restrict the level of data passed out to your front end users. It is the bouncer on the door. If your names not on the list, you aren’t getting in. For example, if you want to build a dashboard that all sales managers have access too, but they can only see their opportunities, this is where section access can help.
With section access you create one dashboard with multiple divisions of data. The dashboard holds ALL the data but restricts each user to just their defined data set. Users do not see any of the filtered out data.
The way Henric Cronström defines it is “a part of the load script where you can define an authorization table, i.e. a table where you define who gets to see what. Qlik uses this information to reduce data to the appropriate scope when the user opens the application.”
Henric Cronström, May 2014
So how do you set up Section Access?
Section access is added to the script and can only be used on Qlik Sense Server. It can be used in QlikView desktop and then accesspoint. I load my section access tab before all the system variables to keep it separate from all other tables. In QlikView you can create a hidden script that is the first tab in the loadscript so people cannot access once added.
In the section access table you need the following columns:
ACCESS, USERID, “DATAFIELD”
ACCESS is the type of access each user needs. ADMIN or USER
USERID is the field that matches the users login. For example DOMAIN\SIMON.JOHNSON
DATAFIELD can be anything. It is a field that links back to your data model and creates the association that limits the data.
An example of this table would be:
ACCESS, USERID, REGION
ADMIN, DOMAIN\SIMON.JOHNSON, NORTH EAST
USER, DOMAIN\GRAHAM.DUNN, NORTH WEST
USER, DOMAIN\KEVIN.MARSDEN, EAST MIDLANDS
You will notice that all the above is in upper case. All section access must be in uppercase, therefore you would then create a duplicate REGION field in your data model using the UPPER() function. In Sense you must also add the Qlik Sense Scheduler service to the above table.
This would be:
ADMIN, INTERNAL\SA_SCHEDULER, *
The * in the REGION field would give the scheduler wildcard access to all listed regions in the table.
This script would give you the ability to create that one dashboard which is then carved up into different sections when opened for complete security.
More complex section access examples are available and help can be found at: