Vizlib Teamwork has 4 levels of of security access which limit user access to conversations, from App to conversations associated with specific values - App Access, Stream Access, Field Access and Hierarchy Access. Qlik Sense’s built-in security is used to enforce the different security options for Vizlib Teamwork. This article describes the available options and how to apply them for different conversations.
TABLE OF CONTENTS
- App Access (Default)
- Stream Access
- Field Access
- Field Access Setup - Example
- Value Access (Section Access)
- Value Access Script - Example
Note: A Channel is not locked down with access control, see the section on Stream Access to control user access.
App Access (Default)
Users can only access conversations in applications where the user has access. App access is the default security option and always enforced.
Streams have the Secure Stream option disabled on the default stream comments, which means all users have Read and Write access to the stream. If you select Secure Stream (Figure 1), comments will not be accessible unless a user has either Read, Write or Admin access to the stream. To use the Secure Stream settings, you will need to create a Security Rule in the Vizlib Management Console (VMC). For full instructions, please see our article here.
Note: Write Access also grants Read Access. Admin Access also grants Write and Read Access.
Figure 1: Secure Stream
Root Admin or Admin users can review permissions in the VMC User Roles page. You can find more details here.
Field access grants Read and Write access to comments associated with values in fields accessed by users. The type of access depends on the user’s Stream Access role. The stream must have Secure Hierarchy Groups enabled to enforce Field access (Figure 2).
Figure 2: Secure Hierarchy Groups
Note: Hierarchy group fields can only have 100 values or below (Figure 3). For more information about associating comments with fields and values, please read our Hierarchy Groups article here.
Figure 3: Hierarchy Group Fields and Values.
A common use case is to set up Vizlib Teamwork with one user group (Sales Rep) that can add and view comments only on the lowest level (e.g. Region), and another user group (Division Managers) that can post and view comments on all levels. More advanced use cases would include Hierarchy Groups with more levels. Field access can be successfully combined with Values Access to prevent a Sales Rep from seeing another sales reps comments in the same field (Region).
Field Access Setup - Example
- Set up the Teamwork object by Adding a Hierarchy Group (Figure 4). You can find instructions in the article here.
- Enable Secure Hierarchy Groups in the Teamwork Streams settings in the VMC (see Figure 5). Remember to click Save Changes to save the change.
Figure 5: Secure Hierarchy Groups
- Field access uses the Hierarchy Access Custom Property, default value VZB_HierarchyAccess. Custom property names can be configured in the Custom Properties section of Teamwork Settings in the VMC (Figure 6).
Figure 6: Custom Properties
- The Hierarchy Access Custom Property is created by Vizlib Server. To integrate the custom property with Qlik Sense, you need to open the Qlik Management Console (QMC, Figure 7), and add values to the VZB_HierarchyAccess custom property which correspond to the Hierarchy Group fields configured in the Property panel (Figure 4).
Figure 7: QMC Edit Custom Property
- Grant access to users by adding the field values in the VZB_HierarchyAccess Custom Property to the user (Figure 8). Note: Multiple users can be selected at the same time.
Figure 8: QMC Add Field Values
- Only comments associated with the fields the user has access to will be visible. Users that do not have access to the active hierarchy level will see a message that they do not have access to the field and the input will be disabled (Figure 9).
Figure 9: User Denied Access
Value Access (Section Access)
Value Access is configured using a combination of Section Access with dynamic data reduction and Hierarchy Groups. Vizlib Server verifies comments associated with the field values in the Hierarchy Groups and only shows comments for values the user can access , determined by Section Access.
Note: The INTERNAL\sa_repository user must be included as ADMIN in the section access table. Vizlib Server uses INTERNAL\sa_repository to publish bookmarks and security features. If you return an error using Section Access, please consult our Troubleshooting guide here.
Note: Value Access can be enforced with Section Access without enabling Secure Hierarchy Groups.
Value Access Script - Example
To use the example script below, follow these instructions:
Create a new App and paste the script in the Script Editor.
Replace YOURDOMAIN\userA, YOURDOMAIN\userB and YOURDOMAIN\admin with existing users in your Qlik Sense environment.
Load the application.
Add a Bar chart to the sheet with dimension Type and measure Sum([Price]).
Add the Teamwork extension to a sheet.
Add field Type to the Hierarchy Group A.
Note: It’s recommended that you enable Require selections when using Section Access. It’s not possible to limit access to the comments associated with no selections in the field. Those comments will be visible for all users unless Require selections is enabled (Figure 10).
Figure 10: Require Selections
- User A will only see comments associated with Type values Red, Orange and Yellow.
- User B will see comments associated with all Type values except Indigo.
- Admin will see comments for all Type values.
Section Access; SectionAccess: LOAD * Inline [ ACCESS ,USERID ,REDUCTION USER, 'YOURDOMAIN\userA' ,1 USER, 'YOURDOMAIN\userA' ,2 USER, 'YOURDOMAIN\userA' ,3 USER, 'YOURDOMAIN\userB' ,1 USER, 'YOURDOMAIN\userB' ,2 USER, 'YOURDOMAIN\userB' ,3 USER, 'YOURDOMAIN\userB' ,4 USER, 'YOURDOMAIN\userB' ,5 ADMIN, 'INTERNAL\sa_repository', // !!!IMPORTANT INTERNAL\sa_repository is used by Vizlib Server to publish bookmarks ]; Section Application; TableA: LOAD * INLINE [ REDUCTION , Type ,Comments 1 , Red , Value 2 , Orange , Value 3 , Yellow , Value 4 , Green , Value 5 , Blue , Value 6 , Indigo , Value ]; TableB: LOAD Type, Price, MakeDate(Year, Month, 1) as Date INLINE [ Type, Price, Year, Month Red , 100, 2014, 1 Orange , 200, 2014,2 Yellow , 300, 2014,3 Green , 400 ,2014,4 Blue , 500,2014,5 Indigo , 600,2014,6 ];