In Part 1 of this blog post we examined the configuration steps required for accepting multiple types of authentication when connecting with a single QlikView Server (QVS). In any multiple authentication scenario, the default document authorization mode must be changed from NTFS authorization to DMS authorization, as shown in Figure 1. This is because NTFS authorization relies on Windows file security and Windows (domain or local) user accounts to control document access authorization. In a scenario with multiple authentication types, at least one authentication type will include non-Windows users. Therefore, DMS authorization mode is required.
Once the DMS authorization mode is set, a new option, “Authorization”, becomes available in the Document->User Documents screen in the QMC when a document is selected, as shown in Figure 2.
At this point we have two options for controlling document visibility and access in AccessPoint.
Multiple Directory Service Connectors
If there is a need to specify individual user and group access on a per-document basis, we need to configure a Directory Service Connector for each of the authentication types. Select User Type “Named Users” in the document authorization tab. In Figure 3 we see an example of multiple configured Directory Services in the Manage Users dialog. Access permissions can be granted or denied to users and groups from each Directory Service. In this example we see three configured Directory Services: Active Directory (qvtest.local), the local machine Windows directory (local://QVSP1) and a QlikView Custom directory.
This solution requires each document to have its Authorization set in this manner. If there are many documents, this can be a time-consuming process. It can also be configured in a QlikView Publisher task so that the document authorization is set at the time the document is reloaded and created.
Section Access Document Authorization
Section Access provides another opportunity to simplify the document authorization process. One of the features of Section Access is to show or hide documents in AccessPoint based on the user list in the Section Access table. For this method the following conditions must be met:
- The authenticated username is listed in the Section Access table in the NTNAME column.
- The QlikView document must have “Filter AccessPoint Document List Based on Section Access” enabled.
- The document Authorization must also allow the user to access the document.
One important note on using Section Access with multiple authentication types is that the field NTNAME is used to match an authenticated user from any authentication type, not just a Windows username as the name implies. The field name is confusing when you consider adding non-Windows usernames to a column named “NTNAME”. For a short primer on Section Access read this excellent article in the Qlik Community Blog. In my tests, the NTNAME value will match a Windows domain user in the format DOMAIN\UserName both with and without the DOMAIN preceding the username.
Hopefully this post has provided some answers to the questions surrounding multiple authentication types from multiple directory services and differing username formats. In my experience this is a common use case, and this provides a means of leveraging an existing QlikView installation for multiple user groups.
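A minimal Section Access table for the mixed-directory case described above, as an added example that is not from the original post. All account names are constructed placeholders, and the `CUSTOM\` prefix on the custom-directory user is an assumption: use whatever username string QVS actually receives for each authentication type.

```qlikview
// Added example; account names are constructed placeholders.
// Keep at least one ADMIN row for an account you control so the
// document cannot lock out its own maintainers.
Section Access;
LOAD * INLINE [
    ACCESS, NTNAME
    ADMIN, QVTEST\QVADMIN
    USER, QVTEST\JSMITH
    USER, QVSP1\LOCALUSER
    USER, CUSTOM\PARTNER1
];
// Everything after this statement is the normal data load.
Section Application;
```

Users not listed in NTNAME are filtered out of the AccessPoint document list only when the other two conditions in the list above are also met.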