Security Strategy

Now that we have connected the various data sources and developed the data model, it is time to think about security.

Qlik Sense provides a solid security mechanism that restricts access to Qlik Sense at several levels. Security is applied mainly at four levels:

  • Network security: provides a secure communication channel between the user and the server
  • Server security: grants access to Qlik resources only to authorized users, configured through the QMC
  • Process security: provides role-based access so that proper testing is done before development reaches production
  • App security: provides row- and column-level data reduction through section access

Let us understand the server security and how Qlik does authentication:

Authentication: The Qlik Sense server uses its inbuilt proxy and virtual proxy as a gatekeeper that allows only authenticated users to enter Qlik Sense and access Qlik resources. This gatekeeper can be configured as required to authenticate users by various methods, such as:

  • Ticketing
  • Sessions
  • HTTP headers
  • SAML
  • Anonymous

Now let's look at the authorization part of Qlik Sense.

Authorizations: Once an authenticated user has entered Qlik Sense, the authorizations defined for that user determine which Qlik Sense resources they can access. This is done using a powerful feature: security rules. Security rules are flexible enough to build almost any kind of security model, and they can be configured at a granular level to control access to bookmarks and sheet objects.
They can also provide security using Attribute Based Access Control (ABAC), so access can be granted depending on user attributes such as group, department and email. Qlik Sense also allows a role-based security model, with which development work can be authorized by the responsible person.
Data-level security is also possible in Qlik Sense; it is achieved with the concept of section access. Qlik Sense passes the authentication and authorization information to the section access defined within the application, and depending on that, Qlik Sense allocates access to the data.

The following image shows the process through which security is applied:

If an Admin logs in, they will see all the data, whereas when other users log in, they will see only the data for their respective region. This security consists of two sections: Section Access and Section Application.

Section access: This is the security initialization statement. It must be followed by the access table, which gives the data access information. Let's look at the components of the Section Access table.

ACCESS: Defines the kind of access the user should have. There are only two levels of access: ADMIN or USER. A user with ADMIN access gets access to all the data in the app, unless a specific restriction is defined in the access table. Users with USER access get access only to the specific data set for which they are authorized. This is a mandatory field.

USERID: The username that is compared with the login ID of the user. It should be in the domain\username format.

GROUP: The name of the user group. It should match the user group name fetched through the User Directory Connector in Qlik Sense. It is used when group-level access is needed.

OMIT: Defines column-level access for the user. It should contain the name of the field that is to be hidden from the user.

REDUCTION FIELD NAME: Defines the criteria for data restriction. This field should match the actual data field loaded in the data model.

The following screenshot shows a sample script for Section Access:
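The screenshot is not reproduced here; the script below is an added example written for this edition, not the book's own script, that implements the situation described in the next paragraph. The domain EXAMPLE and the users ADMIN, USER1 and USER2 are assumed names.

```qlik
// Added example (not the book's screenshot). Domain and user names are
// hypothetical; INTERNAL\SA_SCHEDULER is the built-in scheduler account.
Section Access;
LOAD * INLINE [
    ACCESS, USERID,                REGION, OMIT
    ADMIN,  INTERNAL\SA_SCHEDULER, *,
    ADMIN,  EXAMPLE\ADMIN,         *,
    USER,   EXAMPLE\USER1,         INDIA,  SALESID
    USER,   EXAMPLE\USER2,         USA,
];
// '*' means every REGION value listed in this table (INDIA and USA), not
// every value in the data, so each region the admins must see is listed.
// OMIT hides the SALESID field from USER1 only; blank OMIT hides nothing.

Section Application;
Sales:
LOAD SalesID  as SALESID,     // OMIT matches field names in upper case only
     Region,
     Upper(Region) as REGION, // reduction field: same name and upper-case
                              // values as the REGION column above
     Amount
INLINE [
    SalesID, Region, Amount
    1, India, 1200
    2, USA,   850
    3, India, 430
];
```

With this script, EXAMPLE\USER1 sees rows 1 and 3 with SALESID hidden, EXAMPLE\USER2 sees row 2 with SALESID visible, and EXAMPLE\ADMIN sees all three rows.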

As you can see in the preceding script, we have placed an access restriction on the region field. Along with that, we have restricted access to a couple of columns for some of the users. So when the Admin logs in, he sees all the data in the application, whereas when user1 logs in, he sees only the INDIA region data, and the SalesID field is hidden from him, so he cannot see SalesID anywhere in the application.

The following are a few things to remember when using Section Access in a Qlik Sense application:

  • The name of the field on which reduction is applied should be in upper case, and its data values should also be in upper case
  • It is recommended not to apply an OMIT restriction on key fields
  • Snapshots are stored according to the data restriction of the user who takes the snapshot and can be used by another user in a story. When that other user moves from the story to the application, the data seen is based on the rights of that user.
  • When the restriction is given only at group level, it is still mandatory to add the internal USERID, that is INTERNAL\SA_SCHEDULER, to enable reload of the script from the management console
  • The INTERNAL\SA_SCHEDULER user must be present in the section access table with ADMIN access to enable reload of the script from the management console

Apart from this, there are a couple more security options available in Qlik Sense:

Securing the connection string: Qlik Sense allows you to restrict access to connection strings using standard mode. By default, standard mode is enabled, which makes it compulsory to create library connections first and then use them whenever a connection to a data source is needed.

Securing the script: Qlik Sense also allows you to import the script from a file. This lets you secure your script separately: you write the script in a text file and then import that text file into Qlik Sense, which treats the text of that file as Qlik Sense script and executes it during reload. To allow this, two variables are used: Include and Must_Include.

Include and Must_Include are the variables that contain the name of the file to be treated as script. The syntax is as follows:

    $(Include=Script.txt);
    $(Include=LIB://MyScript/Script.txt);
    $(Must_Include=Script.txt);
    $(Must_Include=LIB://MyScript/Script.txt);

When no path is given, the file is assumed to be in the current Qlik Sense working directory. You can specify an absolute path or a LIB:// folder path.

The only difference between Include and Must_Include is that the Include statement does not generate an error if the file is not found (it fails silently), whereas Must_Include generates an error if the file is not found.

There are two things to remember when using these variables:

  • They support only folder data connections in standard mode.
  • The syntax requires the variable to be placed within parentheses preceded by a dollar sign. You cannot set them as a normal variable, such as Set Include = filename.