Restricting user object creation

A question I often encounter is whether it is possible to restrict the ability to create new sheet objects to only some users (i.e. "Power Users"). This can be accomplished quite simply in version 10 through the QlikView Enterprise Management Console (QEMC) by going to Documents >> User Documents >> Server Objects, selecting "Restricted" and defining which users can create objects. Although this functionality does not exist in the QEMC of version 9, a similar result can be obtained by following the 4-step procedure described in this article.

 

Step 1 - Backup
I strongly suggest that before you begin this procedure, you create a backup copy of your application. This is a best practice whenever you make modification to Section Access since one mistake can accidentally lock you out of your application.

 

Step 2 - Define Section Access rights
Create a section access security script in your application with your Power Users defined as ADMINs and your other users defined as USERs. For a detailed description on how to do this, see pages 506 - 509 of the QlikView Reference Manual. For example:

ACCESS

NTNAME

ADMIN

MYDOMAINUSER1

USER

MYDOMAINUSER2

In this example, USER1 will be an ADMIN (Power User, with the ability to create objects) and USER2 will be a USER (no ability to create objects). Alternatively, you can use wildcards to define all users except for Power Users as USERs:

ACCESS

NTNAME

ADMIN

MYDOMAINUSER1

USER

*

In order for this second example to work, you need to include the following statement in your application to let QlikView know that asterisks are wildcards:

Star is *;

Reload the script.

 

Step 3 - Enforcing Section Access permissions
Once Section Access has been defined, you need to enforce the ADMIN/USER permissions at a document level. To do so, go to Settings >> Documents Properties >> Security. You will most likely want to remove the majority of these permissions. At a minimum, uncheck the following: Add Sheets; Edit Script; and Access Document Properties. Also make sure to check the following: Admin Override Security.

 

Step 4 - Setting sheet permissions
Once document security has been set up, you need to define USER rights at the sheet level. This is where you define restrictions on user ability to create new objects. Right-click on any sheet tab in the tabrow and select "Sheet Properties." Go to the Security tab and uncheck every checkbox (except maybe "Move/Size Sheet Objects" if you want to leave users that functionality). Check the checkbox "Apply to All Sheets."

 

Save and close the QVW file. The next time that the document is opened, the new security settings will apply and users with USER privileges will be unable to add/delete objects or sheets.

This entry was posted in Security. Bookmark the permalink.

2 Responses to Restricting user object creation

  1. Very nice, I like both approaches and if I am understanding correctly, the section access approach could be used in v10 and 11 too.

  2. Vlad Gutkovsky says:

    Chris, that’s correct, yes!

    Regards,
    Vlad

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify via email when new comments are added

Blog Home
Archives