One of the things that is perhaps most key to anything involving data is security. It is fundamental in QlikView, and Section Access is one of the core components of that security model.
For the uninitiated; Section Access allows you to apply an ‘initial selection’ based on a user account that the user can then not clear or see beyond. This effectively locks your app so users can only see the data they are supposed to. Much has been written on Section Access and you can find lots of information on setting it up – but what I want to look at here is one of the pitfalls with Section Access.
The worst thing that can happen with Section Access is that you can lock yourself, and everybody else, out. Right out.
Section Access applies security at a row and then a document level. This, in a worst case scenario, could mean you don’t have the ability to get back in to your document to access your scripts and visualizations.
Lock outs can occur from a coding error when applying Section Access – or can catch you off guard by occurring due to a data load error. To explain further; if a user can not access any data they can not access the document. If the document contains no data then no one can access it. Most reload failures will cause the load to stop and the document will be left in its prior state (with the old data intact) – but if a table in the load is present but empty this may not happen.
Here are some tips to avoid lock out happening.
The first is simple: back up. Always do this before any Section Access change – but it is good to back up regularly also. Saving a copy of your document without Section Access enabled is the sure-fire way of ensuring you are not locked out. Just make very sure this is secured by your network security and is not put anywhere near your Access Point.
Have a back door login. Typically Section Access will be on domain accounts, ideally at a specified domain SID. A change to user accounts or domain could lock all users out. By adding a user name and password based account also you can gain access should this happen. Obviously this username and password should be secured as per your info-sec policy on other admin passwords (often these are locked in safes until required).
Have some Section Access accounts hard coded in your QlikView load script. Generally accounts are loaded from a database table or flat file. If data from this source is cleared down then no accounts will be loaded – in-line loaded accounts will cause this to not spell disaster.
Test well before closing your document. This simple tip could save you a lot of messing around. When amending Section Access; make your changes, reload and save. The temptation now is to close QlikView and re-open your document to test – don’t do this! After saving your document open a new instance of QlikView and test the document by opening it in the new instance. If you are unable to open the document you still have it open in another window to change the security and try again.
Hopefully these simple tips will save you from pain, expense and tricky explanations to bosses.
As I said at the start there is much written on setting up Section Access – so I don’t want to repeat that here. Just to mention though that any changes to Section Access script or data will require a reload, and setting the options on the Opening tab of the document properties tab are critical.
Also, even with Section Access set up correctly on your document you don’t want someone taking it off site. Make sure you secure all files with Active Directory permissions on the server. This is particularly important with QVD files – that have no other security around them.
Finally, at risk of stating the obvious, security and access restrictions are perhaps the most important things to consider with your QlikView implementation. Make sure you give them the consideration they deserve and always test thoroughly.