Vizlib Teamwork has a range of security options which limit the users access to conversations, from App to conversations associated with specific values. Qlik Sense’s built-in security is used to enforce the different security options for Vizlib Teamwork. This article describes the available options and how to apply them for different conversations. There are 4 levels of access currently available for Vizlib Teamwork.
Note: A Channel is not locked down with access control, see the section on Stream Access to control user access.
App Access (Default)
Users can only access conversations in applications where the user has access. App access is the default security option and always enforced.
Streams have the Secure Stream option disabled on the default stream comments, which means all users have Read and Write access to the stream. It’s possible to manage user access by setting a security rule in the Vizlib Management Console (VMC). For full instructions about setting a security rule please see our article here.
Note: To enable the Secure Stream setting, you need to create a security rule first.
If you enable the Secure Stream setting (Figure 1), stream comments will not be accessible unless a user has either Read, Write or Admin access to the stream.
Figure 1: Secure Stream
Click the blue User Access button to open the User Access screen. Use the Role dropdown to grant the user access to the stream (Figure 2).
Figure 2: User Access
Note: Write Access also grants Read Access. Admin Access also grants Write and Read Access.
Field access grants Read and Write access to comments associated with values in fields accessed by users. The type of access depends on the user’s Stream Access role. The stream must have Secure Hierarchy Groups enabled to enforce Field access (Figure 3)
Note: Hierarchy group fields can only have 100 values or below. Please read our article on Hierarchy Groups to learn more about associating comments with fields and values.
Figure 3: Hierarchy Group Fields and Values.
A common use case is to set up Teamwork with one user group (Sales Rep) that can add and view comments only on the lowest level (e.g. Region), and another user group (Division Managers) that can post and view comments on all levels. More advanced use cases would include Hierarchy Groups with more levels. Field access can be successfully combined with Values Access to prevent a Sales Rep from seeing another sales reps comments in the same field (Region).
Field Access Setup
2. Enable Secure Hierarchy Groups in the Teamwork Streams settings in the VMC (Figure 5). Remember to click the Save Changes button to restart Vizlib Server.
Figure 5: Secure Hierarchy Groups
3. Field access uses the Hierarchy Access Custom Property, default value VZB_HierarchyAccess. Custom property names can be configured in the Custom Properties section of Teamwork Settings in the VMC (Figure 6).
Figure 6: Custom Properties
4. The Hierarchy Access Custom Property is created by Vizlib Server. Add values to VZB_HierarchyAccess in the QMC corresponding to the Hierarchy Group fields configured in the Property panel of the Teamwork Object (Figure 7).
Figure 7: QMC Edit Custom Property
5. Grant access to users by adding the field values in the VZB_HierarchyAccess Custom Property to the user (Figure 8). Note: Multiple users can be selected at the same time.
Figure 8: QMC Add Field Values
6. Only comments associated with the fields the user has access to will be visible. Users that do not have access to the active hierarchy level will see a message that they do not have access to the field and the input will be disabled (Figure 9).
Figure 9: User Denied Access
Value Access (Section Access)
Value Access is configured with a combination of Section Access with dynamic data reduction and Hierarchy Groups. Vizlib Server will verify the comments associated with the values in the fields in the Hierarchy Groups and only show comments for the values that the user has access to, determined by Section Access.
Note: The INTERNAL\sa_repository user must be included as ADMIN in the section access table. Vizlib Server uses INTERNAL\sa_repository to publish bookmarks and security features. If you return an error using Section Access, please consult our Troubleshooting guide here.
Note: Enabling Secure Hierarchy Groups is not necessary to enforce Value access with Section Access.
To use the example script below, follow these instructions:
Create a new App and paste the script in the Script Editor.
Replace YOURDOMAIN\userA, YOURDOMAIN\userB and YOURDOMAIN\admin with existing users in your Qlik Sense environment.
Load the application.
Add a Bar chart to the sheet with dimension Type and measure Sum([Price]).
Add the Teamwork extension to a sheet.
Add field Type to the Hierarchy Group A.
Note: It’s recommended that you enable Require selections when using Section Access. It’s not possible to limit access to the comments associated with no selections in the field. Those comments will be visible for all users unless Require selections is enabled (Figure 10).
Figure 10: Require Selections
- User A will only see comments associated with Type values Red, Orange and Yellow.
- User B will see comments associated with all Type values except Indigo.
- Admin will see comments for all Type values.
Section Access; SectionAccess: LOAD * Inline [ ACCESS ,USERID ,REDUCTION USER, 'YOURDOMAIN\userA' ,1 USER, 'YOURDOMAIN\userA' ,2 USER, 'YOURDOMAIN\userA' ,3 USER, 'YOURDOMAIN\userB' ,1 USER, 'YOURDOMAIN\userB' ,2 USER, 'YOURDOMAIN\userB' ,3 USER, 'YOURDOMAIN\userB' ,4 USER, 'YOURDOMAIN\userB' ,5 ADMIN, 'INTERNAL\sa_repository', // !!!IMPORTANT INTERNAL\sa_repository is used by Vizlib Server to publish bookmarks ]; Section Application; TableA: LOAD * INLINE [ REDUCTION , Type ,Comments 1 , Red , Value 2 , Orange , Value 3 , Yellow , Value 4 , Green , Value 5 , Blue , Value 6 , Indigo , Value ]; TableB: LOAD Type, Price, MakeDate(Year, Month, 1) as Date INLINE [ Type, Price, Year, Month Red , 100, 2014, 1 Orange , 200, 2014,2 Yellow , 300, 2014,3 Green , 400 ,2014,4 Blue , 500,2014,5 Indigo , 600,2014,6 ];