You can translate the question and the replies:

LDAP User on where clause

Hi everyone, I´ve been searching for a few hours before writing this post but unfortunatelly had no luck, most likely cause it´s not posible or use case it´s so rare but would like the hear the opinion of the community which has more experience. . **What´s the objective?** I need to apply records access rules with a BI tool called Qlik Sense (adversary of Tableau) as clients use it to analyze its data.  . **What´s the problem?** Unlike Tableau which has ldap integration directly when performing the connection (filtering / retrieving all concern data), the service user of Qlik needs to load all records, as it mounts an associative data model in memory, when user connects,  records / columns will be hidden using a functionality called "[section Access](https://help.qlik.com/en-US/sense/May2021/Subsystems/Hub/Content/Sense_Hub/Scripting/Security/manage-security-with-section-access.htm)". Don´t want to bore you with unnecessary tech details, but the main thing is that the user retrieving the information won't  have any restrictions. . Seeing how restriction views such as CATALOG_PERMISSIONS works, creating a view which retrieves the necessary data for Qlik to filter the fact table in the associative data model would be definitely a pain in the . . **What I´m thinking?** I was thinking of creating a simple view which retrieves users for a particular role, let's say as an example role Use_CASE_01 which has a set of rules applied in denodo. Then on Qlik or denodo (making another view) just iterate for each user in that role selecting the views I'm interested with a WHERE clause with that particular user with the aim of using filter security governance by denodo, a more simple way to say it, simulating the connection with the LDAP integration but instead of a connection with a WHERE clause.  . ``` SELECT * FROM Table WHERE systemUser = @user ``` *Note systemUser it's just a label I created for the example* . Hope someone came across with a similar request or can guide me! Thanks in advance
user
19-07-2021 05:37:29 -0400
code

4 Answers

Hi, According the objective described in this question, it is possible to define the row or column level restriction on one or more views. For example, With this option, it is possible to restrict the access to the view “employee” to a user or a group of users belongs to the “developer” role. For more information, refer to the [Row Restriction](https://community.denodo.com/docs/html/browse/latest/en/vdp/administration/databases_users_and_access_rights_in_virtual_dataport/user_and_access_right_in_virtual_dataport/user_and_access_right_in_virtual_dataport#row-restrictions) section of the Virtual DataPort Administration Guide. Also, it is possible to set the query priority based on the connected user or users belonging to a group with the help of Resource Manager rules and plans. For more information, refer to the [Resource Manager](https://community.denodo.com/docs/html/browse/latest/en/vdp/administration/resource_manager/resource_manager) section of the Virtual DataPort Administration Guide. Also, it is possible to integrate the LDAP server with the Virtual DataPort Server to delegates it authentication to the LDAP server. For more information, refer to the [LDAP Authentication](https://community.denodo.com/docs/html/browse/latest/en/vdp/administration/server_configuration/server_authentication/ldap_authentication/ldap_authentication#ldap-authentication) section of the Virtual DataPort Server. Hope it helps!
Denodo Team
20-07-2021 05:24:55 -0400
code
Hi, first thanks for the feedback, unfortunately I think I did not explain myself or I did not get your answer. Let me give an example, as it might help understand my caneats. I created Roles with their privileges, associate users to the Roles * USER01, privileges is that it can see all records of a table named Company * USER02, privileges is that it will reject all rows from company different from ID <> 1 (in other words, it will see only Company with ID 1) . Qlik Sense (tool used by clients) will load all information into memory with a service account with no restricctions at all. In this case it loads a table called "Company_TABLE" . ``` COMPANY_TABLE: Load * INLINE [ COMPANY_ID, NAME 1, Name1 2,Name2 3,Name3 ; ``` Qlik in order to implement security restrictions needs a table which tells who can see what Example: ``` Section Access; Load * INLINE [ ACCESS, USERID, COMPANY_ID USER, AD_DOMAIN\USER01, * USER, AD_DOMAIN\USER02, 1 ; ``` Once the application has finished loading, COMPANY_ID is linked with both tables. USER01, will be able to see all records, as "*" is a wildcard for everything USER02, will be able to see only records that match COMPANY_ID = 1 The downside of how this tool works in contrast to Tableau as an example, is that it needs to load information. When a user logins to Qlik, the session shows only records that match the "Section Access". . How can I create the Session access table for each user in a certain role which will be used by Qlik from denodo? The worst approach and something I starting to see, is the incompatibility between tools for governance access, either change denodo or Qlik (although client already have Qlik licenses) The second worst, is that I'm forced to create a NEW view that replicates the roles rules making loss of the advantage of denodo rules being applied on demand when performing query with active session of user (which as explained before in this case it does not apply as the user performing the query will be a service user with no restrictions). Is there any way to simulate a user session without password or send the "user" as a parameter? Why?, cause if the user is performing the query then denodo rules will apply automatically...is there any doc in your KB that might point me in the right direction? A bit lost here on how can i overcome this. Once again thanks for the prompt response
user
20-07-2021 07:11:09 -0400
Hi, I understand that you have a Denodo view called "Company" with the row restriction applied to the USER02 to read only the rows with company id 1 and USER01 to read all the rows. Whenever you are accessing this view from Qlik application using the service account(which do not assigned any row restriction), it reads all the rows from the company view and load it into the data tables called "CompanyTable" in the qlik sense app. Then with the help of Section access, you are restricting user access to the app. Now, you want to create section access table in the Denodo platform that will be used by the Qlik app. if yes, then it is possible to create a special type of base view called "Materialized Table" and "Temporary Tables" where its schema and its data are completely managed from Virtual DataPort. To know more information, refer to the **[Materialized Tables](https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/creating_derived_views/materialized_tables/materialized_tables)** and [**Temporary Tables**](https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/creating_derived_views/temporary_tables/temporary_tables) section of the Virtual DataPort Administration Guide. If you still need more clarification and you are a valid support user, you may open a Support Case at the [Denodo Support Site](https://support.denodo.com/) and the Support Team will assist you Hope this helps!
Denodo Team
27-07-2021 06:21:28 -0400
code
Hi, so row securtiy are not apply for Qlik app is that correct ?
user
19-06-2023 06:05:24 -0400
You must sign in to add an answer. If you do not have an account, you can register here