Many companies use Section Access, a built-in script security feature, to achieve added security for their QlikView applications. With the recent introduction of the iPhone clients, organizations that wish to use Section Access need to modify their scripts because the iPhone clients are incompatible with some existing Section Access syntax. Specifically, iPhone clients do not recognize '*' under NTNAME, but rather require that users' accounts be individually listed.
For example, say an application's current section access looks as follows:

| USERID | ACCESS | PASSWORD | NTNAME |
|--------|--------|----------|--------|
| USER1 | USER | 123456 | * |
| ADMIN1 | ADMIN | 234567 | * |
| USER2 | USER | 345678 | * |
| * | ADMIN | * | MYDOMAIN\ADMUSR |

This would work properly with the PC clients (Analyzer, Java, and AJAX). With the iPhone client, however, all users (except ADMUSR) would be allowed to see the list of documents but would be presented with the error "Failed to open document. You are not authorized on the server" when they try to actually open an application. This error is misleading: the user is authorized on the server, and what he is really not authorized on is the document. To fix this problem, the Section Access would need to be changed to the following:

| USERID | ACCESS | PASSWORD | NTNAME |
|--------|--------|----------|--------|
| * | USER | * | MYDOMAIN\USER1 |
| * | ADMIN | * | MYDOMAIN\ADMIN1 |
| * | USER | * | MYDOMAIN\USER2 |
| * | ADMIN | * | MYDOMAIN\ADMUSR |

Note that this assumes Section Access users have corresponding NTNAMEs. Authentication of the user takes place when he attempts to open the application in the iPhone client. It is a best practice to leave the password blank by default in the configuration screen of the iPhone client, which will cause the user to be prompted for a password the first time he tries to open an application in a given session. Dual authentication, which looks as follows, also does not work on iPhone clients:

| USERID | ACCESS | PASSWORD | NTNAME |
|--------|--------|----------|--------|
| USER1 | USER | 123456 | MYDOMAIN\USER1 |
| ADMIN1 | ADMIN | 234567 | MYDOMAIN\ADMIN1 |
| USER2 | USER | 345678 | MYDOMAIN\USER2 |
| * | ADMIN | * | MYDOMAIN\ADMUSR |

If you are wondering what should be done about anonymous access over iPhone clients, the answer is that you would need to include the built-in local IQVS_machinename account as an NTNAME. In the preceding example, this would look as follows:

| USERID | ACCESS | PASSWORD | NTNAME |
|--------|--------|----------|--------|
| * | USER | * | MYMACHINE\IQVS_MYMACHINE |
| * | ADMIN | * | MYDOMAIN\ADMUSR |

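
The rules above can be checked mechanically before a document is published to iPhone users. The following Python sketch is an added example, not part of the original post or of QlikView: it flags Section Access rows that use '*' under NTNAME or that combine USERID/PASSWORD with a named NTNAME (dual authentication). The comma-separated input layout, the function name `lint_section_access`, and the treatment of a missing or empty column as '*' are assumptions.

```python
import csv
import io

# Constructed inputs: the page's tables rewritten as comma-separated rows.
PC_ONLY = r"""USERID,ACCESS,PASSWORD,NTNAME
USER1,USER,123456,*
ADMIN1,ADMIN,234567,*
USER2,USER,345678,*
*,ADMIN,*,MYDOMAIN\ADMUSR
"""
DUAL_AUTH = r"""USERID,ACCESS,PASSWORD,NTNAME
USER1,USER,123456,MYDOMAIN\USER1
*,ADMIN,*,MYDOMAIN\ADMUSR
"""
IPHONE_OK = r"""USERID,ACCESS,PASSWORD,NTNAME
*,USER,*,MYDOMAIN\USER1
*,USER,*,MYMACHINE\IQVS_MYMACHINE
*,ADMIN,*,MYDOMAIN\ADMUSR
"""


def lint_section_access(text):
    """Return (row_number, problem) pairs for rows an iPhone client cannot use."""
    rows = [[c.strip() for c in r] for r in csv.reader(io.StringIO(text)) if r]
    if not rows:
        return []
    header = [h.upper() for h in rows[0]]
    findings = []
    for n, values in enumerate(rows[1:], start=1):
        rec = dict(zip(header, values))
        # Assumption: a missing or empty column behaves like the '*' wildcard.
        ntname = rec.get("NTNAME") or "*"
        userid = rec.get("USERID") or "*"
        password = rec.get("PASSWORD") or "*"
        if ntname == "*":
            # The iPhone client does not recognize '*' under NTNAME.
            findings.append((n, "wildcard-ntname"))
        elif userid != "*" or password != "*":
            # USERID/PASSWORD together with a named NTNAME is dual authentication.
            findings.append((n, "dual-auth"))
    return findings


if __name__ == "__main__":
    samples = [("PC_ONLY", PC_ONLY), ("DUAL_AUTH", DUAL_AUTH), ("IPHONE_OK", IPHONE_OK)]
    for name, table in samples:
        print(name, lint_section_access(table) or "no iPhone issues")
```
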
The following have not yet been tested:
- How DMS authorization mode would differ in terms of iPhone client Section Access requirements.
- Whether specifying groups, rather than individual user accounts, would work with iPhone client Section Access.