I have many clients who are using QlikView Small Business Edition or Enterprise Edition without Publisher. I'd love for them to add Publisher because I HATE HATE HATE managing file permissions in windows. I love that publisher automatically distributes QlikView documents to the User Documents folder and I can easily change who will receive each file right from the Management Console AND I don't have to remote into the server to do it
Ok, time to end this publisher love-fest and time to get down to the business of designing our security environment when you don't have publisher. I'm writing this post because I spent a good chunk of the other day fixing a problem we had that was caused by a goofed up security configuration(This is called learning from experience because I goofed it up). So after banging my head on the wall trying to figure it out I thought it would be a good idea to share with the interweb.
Here is my use case...
I work for a company who has 25 Named user CALS and 100 Document CALS(Probably not an important detail) There are several departments using QlikView Dashboards Each department includes sensitive data in their Dashboards so they must remain private to the department. There is also a Corporate Dashboard used by the C Suite and the CEO often uses the department dashboards to explore information about some key clients.
Our data is built by first extracting data from the source databases into QVD files. Dimensions are conformed and key fact tables are also built in QVD format. The Conformed Dimensions and Facts are combined into data models based on user requirements and finally the data models are binary loaded into the user applications and presented on Access Point.
A three tier data flow model provides the framework needed to present clear and consistent data to all your applications.
So let's start planning. We want to set up a folder structure to use in our Small Business Edition server to manage user access to their documents, and provide organization for our ETL framework, remember we don't have publisher. Obviously we can get very complicated with this but for the sake of explanation I'm going to make a single directory our starting point, I'll call it "QlikWarehouse".
Applications The Applications folder contains our user facing QlikView documents I always add one folder for each application and I design my security around those folders. You should create a "QlikView Users" group in active directory and assign read/write access to the Applications folder. Then you will override inheritance for "QlikView Users" on the application specific directories and grant read/write access to a group that corresponds to the folder for that application. In the QEMC you will set the Applications folder as the "Root" folder, when you do this the QlikView Server will add several files in the Applications folder, if your users do not have read/write access to these files then they will see login failure errors and you'll get to bang your head on the wall to figure out the problem.
Load Scripts Load scripts is added to the QlikView environment as a mapped meta folder. Mapping it into the QEMC will allow you to set the reload schedule for your data. It is essential that your users do not have access to this folder. If they do you will be exposing documents to the users that will not have any data in them and probably cause nothing but confusion for your users.
Most of the files in the data directory will be QVD files but you must map it because the data model files will live in here but just like the load scripts your users should not have access to this directory.
Active Directory security settings needed to manage your QlikView SBE deployment.
Following this kind of configuration will allow you a couple of advantages.
Management Got a new Application? Create an AD group to go along with it and make it a member of Qlikview Users.
Simplicity Users only see the applications that they have access to, period.
Compatibility This structure is compatible with publisher so if you do decide to expand your Qlikview footprint you'll be ready to go. It won't be a turnkey deployment but this structure is close enough to adapt to the Source Docs/User Docs division in publisher.
I'd like to encourage comments since this is just what I've been doing when I deploy a server, any suggestions, criticism or praise(especially praise) is welcome.
A quick note on the images in this post, I would like to give credit where it is due. Many of the individual icons have been clipped from various presentations I have received from Qliktech however the overall diagrams are my creation(even if not terribly creative).