
Technical Training Security and Integration M. Biesbroek


Presentation Transcript


  1. Technical Training: Security and Integration. M. Biesbroek

  2. Objectives
     By the end of this session you will be able to...
     • Understand all the moving pieces regarding QlikView Security
     • Explain how Authentication is performed when accessing QlikView
     • Explain how Document Authorisation is performed and maintained
     • Explain how “Granular Security” Data Authorisation is implemented

  3. QlikView is a platform, not a tool...
     • Some examples before looking at security...

  4. Security is only one part of QlikView Integration
     Data Source Integration
     • Easy integration with: SQL Server, Oracle, any ODBC/OLE DB source, Excel, XML, Web Services
     • Easy integration with: Salesforce.com and SAP NetWeaver data sources
     Web and Application Integration
     • SharePoint integration using native ‘WebParts’ and DIV tag technology
     • Open and extensible APIs for AJAX and ActiveX environments
     • Support for iFrame integration
     • Extensions: 3rd party / custom visualizations and functionality (write back)
     Security Integration
     • Standard integration with Active Directory and SSO solutions
     • Directory Service Connectors to all standard and custom LDAPs
     3rd Party Systems and Processes
     • APIs for management, admin control and integration
     • External task trigger capability (integration with Tivoli, Control-M etc.)
     • Version and deployment control integration

  5. QlikView Business Discovery Platform (architecture diagram)
     • Presentation Tier: QlikView Web Server, delivering Business Discovery Apps for Operations, Finance, Sales, Marketing and many more
     • Application Tier: QlikView Server, QlikView Management Console, QlikView Developer and QlikView Publisher, used by Data/Business Analysts, Developers and IT Admins
     • Data Access Tier: Operational Data Sources, Security Integration, 3rd Party Integration

  6. A few highlights

  7. Key Definitions we may see (a few of many!)
     • Domains and Active Directory
     • SSO
       • It should mean: sign in once and never again
       • It often means: sign in every time, but use the same id and password
     • Reverse Proxy, Firewall and DMZs
       • A firewall filters traffic to servers
       • A proxy requests content on your behalf and can inspect and modify your request
       • DMZs are sections of networks separated by the above
     • Encryption
       • Of data
       • Between users and servers
       • Between services

  8. Key Definitions we may see (continued)
     • Authentication vs Authorisation
       • Authentication = I am who I say I am
       • Authorisation = What am I allowed to do

  9. How can QlikView solve the security requirement?
     • 3 high level things need to be achieved
       • Put in place infrastructure to allow users access to the right servers
       • Present an authenticated username to QlikView
         • QlikView doesn't directly authenticate a user; we need something else to do that
       • Handle the authorisation in the back end
         • QlikView decides which documents a user is authorised to see
         • Once they have a document open, QlikView decides what data a user can see

  10. Authentication and Authorization

  11. What is Authentication – The Basics
     Authentication is the act of establishing or confirming something (or someone) as authentic, i.e. that the claims made by someone or about something are true.

  12. Authentication Overview The basic principles for customization of authentication in QlikView are flexibility and trust. To achieve flexibility in the authentication of users to QlikView, authentication should be performed outside the QlikView platform. To make this as secure as possible in QlikView, a trust has to be established between the authenticating party and QlikView. Based on this trust, QlikView can trust the identity of the user supplied by the authenticating party. This approach allows QlikView to support a wide number of authentication methods without having to implement them in QlikView.

  13. Ways to let QV handle Authentication
     Who are you? How did you prove it?
     • Out of the Box – just works
       • QlikView Desktop uses your Windows Identity
       • QlikView WebServer performs NTLM Single Sign-On
       • IIS performs Kerberos/NTLM “Windows Integrated Authentication”
     • HTTP Header – configuration
       • Authentication performed by an Authenticating Reverse Proxy, OR
       • ISAPI filter determines identity from e.g. an Encrypted Session Cookie
     • Ticketing – development integration
     • Custom Directory (forms authentication)

  14. Authentication – (1) Out of the Box
     Who are you? How did you prove it?
     • You log into your PC.
     • Your PC validates your credentials against e.g. Active Directory
     • When you browse to AccessPoint, the WebServer asks your Browser to present an Identity
       • Windows Integrated Authentication*
         • Kerberos
         • NTLM
       • HTTP Basic Authentication (popup window with Username and Password)
     • AccessPoint trusts the Identity that the WebServer exposes to it

  15. Authentication – (2) HTTP Header
     Who are you? How did you prove it?
     • ExtraNet access to QlikView via an Authenticating Reverse Proxy
       • What is a Proxy or Reverse Proxy? * (see next slide)
       • The Proxy determines who you are, then inserts a Header into the request sent from the Browser
     • ISAPI filter * determines identity from e.g. a Cookie
       • User logged into another application/portal
       • Portal set a cookie (possibly encrypted) containing Identity or Session
       • ISAPI filter intercepts the request sent to QlikView, determines Identity from the cookie, and inserts a Header into the request sent from the Browser
     • AccessPoint trusts the Identity that the WebServer exposes to it

  16. Let the Proxy Server insert the header
     • A Reverse Proxy is useful for enabling external access to internal websites
     • The Reverse Proxy may use SSL but forward connections to non-SSL websites. Those connections are called “Junctions”
     • Authentication may use a private LDAP or Database, but will set an HTTP Header that QlikView can read
     • AccessPoint needs to know the name of the Header that contains the Username
     • Because AccessPoint trusts that Header as supplied, the WebServer should be reachable only through the Reverse Proxy (network-level filtering, as in the Firewall/DMZ definitions earlier); otherwise the trust relationship of slide 12 does not hold

  17. WebTicket flow

  18. WebTicket Architecture
     • [Optional:] The user accesses the QlikView server. If the user is not authenticated, the user is redirected to the authentication server.
     • The user authenticates to the authentication server. The authentication server sends information containing the username and the groups that the user belongs to, to the QlikView Web Server or IIS. In return, the portal gets a WebTicket that is valid for a limited period of time.
     • Upon successful authentication and WebTicket exchange, the authentication server redirects the user to the QlikView Web Server or IIS with the WebTicket.
     • QlikView validates the WebTicket and, if valid, the user information is transferred to the QlikView Server.
     • The user is now logged in to the QlikView platform.

  19. WebTicket Format
     The ticket is returned in the following format:
       <Global><_retval_>[WebTicket]</_retval_></Global>
     where [WebTicket] is the actual ticket, represented by a string of random bytes. The ticket should then be included in a redirect to:
       http://[Server]/QvAJAXZfc/Authenticate.aspx?type=html&webticket=[WebTicket]&try=[Try URL]&back=[Back URL]
     where [Try URL] is the URL that the user is redirected to after a successful login, [Back URL] is the URL redirected to after a failed login attempt, and [Server] is the server where the QlikView AccessPoint resides.

  20. WebTicket Configuration
     • WebTickets work with both QVWS and IIS; IIS may be easier and is recommended. It may be required to host your login page anyway.
     • The accounts that are authenticated using WebTickets are not Windows accounts and therefore only work with DMS mode.
     • Windows Authentication
       • The process or code asking for the ticket needs to run as, or provide, a Windows User Identity.
       • The user needs to be in the “QlikView Administrators” Windows group.
       • Make sure to only set GetWebTicket.aspx to Windows Authentication.
     • IP Address White List
       • When NTLM is not available or appropriate to use, a list of trusted IP addresses can be provided.
     • Anonymous access on everything
       • No credentials necessary.

  21. WebTicket Code Example
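The deck's own code for this slide did not survive extraction. As an added illustration (not the deck's code), the Python below handles the portal side of slides 18 to 20: it parses the GetWebTicket response in the format of slide 19 and builds the Authenticate.aspx redirect, percent-encoding the try/back URLs and refusing any that do not point back at the AccessPoint host. The ticket value, host name and URLs are constructed, and the ticket character set is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Constructed sample of a GetWebTicket response body (slide 19 format); the value is made up.
SAMPLE_RESPONSE = "<Global><_retval_>5F3A9C0D12B4E6778899AABB</_retval_></Global>"


def parse_webticket(body):
    """Extract [WebTicket] from <Global><_retval_>[WebTicket]</_retval_></Global>.

    Raises ValueError instead of returning an empty or malformed ticket, so a failed
    ticket exchange can never be turned into a redirect with an empty webticket=.
    """
    root = ET.fromstring(body)
    node = root.find("_retval_") if root.tag == "Global" else None
    if node is None or node.text is None or not node.text.strip():
        raise ValueError("response carries no WebTicket")
    ticket = node.text.strip()
    # Assumption: a ticket never contains whitespace or URL metacharacters.
    if not re.fullmatch(r"[A-Za-z0-9_\-]+", ticket):
        raise ValueError("unexpected characters in WebTicket")
    return ticket


def login_redirect(server, ticket, try_url, back_url):
    """Build the Authenticate.aspx URL of slide 19.

    `server` is the AccessPoint host name (no port). Both try= and back= must be
    absolute http(s) URLs on that same host, so the login endpoint cannot be used to
    bounce a user to some other site after login.
    """
    for url in (try_url, back_url):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.hostname != server.lower():
            raise ValueError(f"try/back URL must stay on {server}: {url}")

    def enc(value):
        # Percent-encode everything, including ':' and '/', so nested URLs survive intact.
        return quote(value, safe="")

    return (f"http://{server}/QvAJAXZfc/Authenticate.aspx?type=html"
            f"&webticket={enc(ticket)}&try={enc(try_url)}&back={enc(back_url)}")


if __name__ == "__main__":
    ticket = parse_webticket(SAMPLE_RESPONSE)
    print(login_redirect("qv.example.com", ticket,
                         "http://qv.example.com/QlikView/",
                         "http://qv.example.com/login.htm"))
```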

  22. Authentication – (4) Custom Directory
     Who are you? How did you prove it?
     The Custom Directory is an XML repository of Users and Groups
     • Maintained* using QMC or the WSDL API
     • Accessed via the Directory Service Connector (DSC)
     • Stored in CustomDirectoryData.xml at %ProgramData%\QlikTech\DirectoryServiceConnector\
     Credentials are prompted for by http://localhost/qlikview/login.htm and validated via a query to the DSC.
     Custom Directory users do have access to AccessPoint.

  23. Custom Directory

  24. Custom Directory
     • Users are maintained using QMC, or possibly via WebServices requests submitted to the DSC (port 4735)
     • The WebServer prompts the user for Credentials using “login.htm”, then validates them using a query to the DSC
     • Custom Users are in a pseudo domain called “Custom\” (may be customised)
     • Use of the Custom Directory requires DMS Document Authorisation on QvS (not available with SBE)
     • The Custom Directory can also be useful for QlikView Publisher Distribution Tasks (email lookup)

  25. Authentication – configuration in QMC
     Authentication setting:
     • Always = No Anonymous
     • Login = Allow Anonymous, add a Login link
     • Never = Always Anonymous
     Login type:
     • NTLM = Windows Integrated Authentication
     • Header = Proxy/ISAPI Authentication
     • Custom = prompt, then validate using XML
     Login page:
     • NTLM: default login page
     • Custom: alternate login page
     • Header: custom login page when the Header is empty

  26. That’s almost all there is to know about Authentication. • A 5-10min “comfort stop” before we proceed to Authorisation?

  27. Authorisation
     Now that we know who you are, what are you permitted to see/do? QlikView Authorisation is two-tiered:
     • Document Authorisation – what documents may you see and open
       • NTFS: Windows controls File Access
       • DMS: QlikView controls File Access
     • Data Authorisation (often called “Granular Security”) controls what data IN the document you can analyse
       • Section Access
       • Reduction tasks using QlikView Publisher

  28. Document Authorisation - NTFS
     • QlikView Server checks the Windows permissions of the QVW and caches these for 15 minutes.
     • Permissions can be set on a folder of QVWs and inherited
     • Permissions can be set on the specific QVW file
     • Permissions are recorded using the Security tab in the folder or document properties in Windows Explorer
     • File permissions can also be set using Publisher Distribution tasks (not available with Server Reload)
     • Anonymous (everyone) access can be granted to the IQVS_hostname account that was created during installation

  29. Document Authorisation - NTFS NB: QlikView Small Business Edition (SBE) supports only NTFS, and does not allow Anonymous connections

  30. Document Authorisation - NTFS
     The QlikView Distribution Service (QDS) needs read/write access to everything.
     The QlikView Server (QvS) uses the permissions on the AccessPoint folder and the files within for delivery to end users.
     • Change the ownership of D:\Data\QlikView to “QlikView Administrators”
     • Remove inherited rights from D:\Data\QlikView
     • Grant Full Control to the Governor or Business Owner of each Project
     • Grant Read access (as appropriate) to the AccessPoint folder
     • Grant appropriate access to Data and share it as \\fileserver\Project
     • Grant Everyone Read access to www
     • If using SBE, then mount Project as the User Document Folder
     A sample folder organisation to begin your projects with. Clone the whole structure for each project / customer / environment. Use relative paths to address artifacts, e.g. XLS, QVD, $(include=..\include\global.txt)

  31. Document Authorisation - DMS
     • QlikView Server reads the Document permissions from the Meta file associated with the QVW and caches these for 15 minutes.
     • Permissions are recorded for each QVW file individually
     • Permissions are recorded using the Authorisation tab in the User Document properties using QMC (only visible in DMS mode)
     • Permissions can also be set using Publisher Distribution tasks
       • not available with Server Reload (no Publisher Licence)
       • only when using Server Distribution tasks (not Folder Distribution). Only the QvS writes to the Meta files.
       • Must enable “Document Upload” on QvS
     • DMS supports non-Windows users, e.g. Identities supplied by Header or Ticket authentication
     • Groups can be granted access, and this requires that the Directory Service Connector has been properly configured to access the Group Membership repository

  32. Document Authorisation - DMS
     The first thing that happens after switching to DMS is that no documents are visible in AccessPoint. Why? Because there are no Meta files yet!

  33. Data Authorisation – Section Access
     • The QlikView Script contains two sections
       • Section Access
         • Not always present; must be explicitly declared
         • Performs Authentication into the Document
         • Association of a User with a limited set of Field values
       • Section Application
         • Provides the Data Model

  34. Data Authorisation – Section Access – Fields
     Fields in Section Access:
     • ACCESS: USER or ADMIN. Affects access to the Document properties in QlikView Desktop
     • USERID: A username that QlikView will prompt for when opening the Document
     • PASSWORD: A field that should contain an accepted password (clear text)
     • SERIAL: A field that should contain a number corresponding to the QlikView Serial Number, e.g. 6800 2396 1463 0633
     • NTNAME: Any AccessPoint username or Ticketed identity can be used for Single Sign-On into a QlikView Document
     • NTDOMAINSID: A field that should contain a string corresponding to a Windows Domain SID, e.g. S-1-5-21-125976590-467238106-1092489882
     • NTSID: A field that should contain a Windows SID, e.g. S-1-5-21-125976590-467238106-1092489882-1378
     • OMIT: A field that should contain a list of field names that should be omitted for this specific User. Wildcards may be used, and the list may be empty.

  35. Data Authorisation – Section Access – Wizard
     • It is common to move Section Access to the password-protected “Hidden Script”. The Hidden Script is always before the first tab.
     • NTNAME is much safer, and recommended rather than using USERID and PASSWORD
     • NTNAME is visible in the Layout using OSUser(); USERID using QvUser()
     • In the Script Editor: navigate to menu Insert > Section Access > Inline

  36. Data Authorisation – Section Access – QMS
     • Tables can be centrally maintained within QMC.
     • Data Authorisation Rules may be sufficiently complex that they are not reusable across many documents
     • Access the Section Access Tables as a data source at http://nlho-mrw:4780/QMS/AuthTable

  37. Data Authorisation – Section Access – Data Restriction
     • Only UPPERCASE Field Names from Section Access are visible in Section Application
     • Field Values of %SEGMENT_KEY should also be passed in UPPERCASE.
     • The Associative Data Model applies to Section Access too. It doesn’t have to be just one table.
     • Section Application here does NOT have a loop/circular join.

  38. Data Authorisation – Section Access – Advanced

       // Load all Cost Centers "as is" from Source Data
       [Cost Center Restrictions]:
       LOAD DISTINCT
           UPPER([Cost center]) as [%COST CENTER RULE],
           [Cost center]        as [%COST CENTER]
       FROM Data.xlsx (ooxml, embedded labels, table is [Chart of Accounts]);

       // Find all Cost Center Rules that contain wildcards
       [Patterns]:
       LOAD DISTINCT
           [%COST CENTER RULE] as Pattern
       FROM [http://localhost:4780/QMS/AuthTable] (html, utf8, embedded labels, table is [Cost Center Rules])
       WHERE Index([%COST CENTER RULE], '*') > 0;

       // Loop through all Patterns, appending the matching Cost Centers to the restrictions table
       LET NumberOfPatterns = NoOfRows('Patterns');
       FOR i = 0 to $(NumberOfPatterns) - 1
           // Peek takes the table name as a string
           LET Pattern = Peek('Pattern', $(i), 'Patterns');
           CONCATENATE ([Cost Center Restrictions])
           LOAD
               '$(Pattern)'  as [%COST CENTER RULE],
               [Cost center] as [%COST CENTER]
           FROM Data.xlsx (ooxml, embedded labels, table is [Chart of Accounts])
           WHERE WildMatch([Cost center], '$(Pattern)');
       NEXT;
       DROP TABLE [Patterns];

     • A wildcard in e.g. the ROLE column in Section Access resolves to all roles that are listed in Section Access
     • This may be less than the actual data available in Section Application!
     • Consider resolving wildcards to actual values in the script, as above.
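Added example, not part of the deck: a small Python model of the data restriction described on slides 37 and 38, run over constructed cost centers and Section Access rows. It contrasts the native handling of a bare '*' (which, as the slide says, expands only to the values listed in Section Access) with the resolve-to-actual-values approach of the load script, with keys compared in UPPERCASE as slide 37 requires. The WildMatch approximation and all sample data are assumptions.

```python
import re

# Constructed sample: cost centers present in Section Application (source data).
COST_CENTERS = ["CC100", "CC110", "CC200", "HR-01", "HR-02"]

# Constructed Section Access rows: (NTNAME, %COST CENTER RULE); rules may contain wildcards.
SECTION_ACCESS = [
    ("DOMAIN\\ALICE", "CC100"),
    ("DOMAIN\\BOB", "*"),        # bare wildcard
    ("DOMAIN\\CAROL", "HR-0?"),  # partial pattern, only useful once resolved in the script
]


def wildmatch(value, pattern):
    """Approximation of QlikView's WildMatch(): case-insensitive, '*' = any run, '?' = one char."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE) is not None


def allowed_keys_native(rules, ntname):
    """Keys granted without any resolving: a bare '*' expands only to the values that are
    listed in the Section Access field itself; any other rule is taken literally."""
    listed = {rule.upper() for _, rule in rules if rule != "*"}
    allowed = set()
    for user, rule in rules:
        if user.upper() == ntname.upper():
            allowed |= listed if rule == "*" else {rule.upper()}
    return allowed


def resolve_wildcards(rules, cost_centers):
    """What the deck's load script does: replace each wildcard rule by the concrete
    cost centers it matches in the source data (WHERE WildMatch([Cost center], pattern))."""
    resolved = []
    for user, rule in rules:
        if "*" in rule or "?" in rule:
            resolved.extend((user, cc) for cc in cost_centers if wildmatch(cc, rule))
        else:
            resolved.append((user, rule))
    return resolved


def visible_cost_centers(rules, cost_centers, ntname, resolve=False):
    """Reduced data for one user: rows whose key matches one of that user's rule rows.
    Keys are compared in UPPER case on both sides, as slide 37 requires."""
    if resolve:
        rules = resolve_wildcards(rules, cost_centers)
        allowed = {rule.upper() for user, rule in rules if user.upper() == ntname.upper()}
    else:
        allowed = allowed_keys_native(rules, ntname)
    return [cc for cc in cost_centers if cc.upper() in allowed]


if __name__ == "__main__":
    for user in ("DOMAIN\\ALICE", "DOMAIN\\BOB", "DOMAIN\\CAROL"):
        print(user, "native:", visible_cost_centers(SECTION_ACCESS, COST_CENTERS, user),
              "resolved:", visible_cost_centers(SECTION_ACCESS, COST_CENTERS, user, resolve=True))
```

Bob's bare '*' natively yields only CC100 (the one concrete value listed in Section Access), and Carol's partial pattern yields nothing; after resolving, Bob sees every cost center and Carol sees HR-01 and HR-02.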

  39. Data Authorisation – Publisher Reduction Tasks
     Scenario 1: CompanyX has Sales Representatives who want to inspect customer details (buying patterns, etc.) while on the road. They only need access to data of their Customers, but will be disconnected from the Network.
     Scenario 2: BankY has many users at many branches. They want each branch to have access only to their own data. Staff at the branches see only the data that relates to their customers.
     • Publisher can perform “Reduction and Distribution” tasks so that one large document can be split into smaller documents that contain a subset of the data.
     • The smaller documents perform better (less data = less RAM) and can be distributed to fileservers and email recipients.
     • Only available with a Publisher Licence.

  40. That’s the core of Authentication and Authorisation in QlikView
     • Remaining slides (if sufficient time) cover
       • Delegated Access to QMC
       • Network Security
       • Windows Groups used by QlikView

  41. Delegated User and Task Management

  42. Delegated Access to QMC
     Scenario 1: CompanyX has outsourced their Systems Administration. The Outsourcer does not want CompanyX to interfere with Tuning or System settings, but different departments of CompanyX want the ability to manage their own Tasks and confirm Task Status.
     Scenario 2: PartnerY is providing QlikView in a SaaS model to several customers. Those customers are unable to see each other’s documents but want to manage their own Tasks and confirm Task Status.
     • Members of “QlikView Administrators” have unrestricted access to the QlikView [Enterprise] Management Console
     • People who have been granted “Document Administrator” rights on Mounted Folders can see only the Status and Documents tabs in the Management Console
       • They can only view/manage folders of Documents that they have been granted access to govern
       • User Documents – see QMC > QlikView Servers > Folder Access
       • Source Documents – see QMC > Distribution Servers > General

  43. Network security

  44. Network Security – DMZ
     • The Zero Footprint AJAX client connects only to the WebServer (IIS or QvWS)
     • The Mobile clients (iPhone, Blackberry) connect to the WebServer. HTTPS is recommended for secure authentication.
     • The Internet Explorer ActiveX Plugin tries to connect directly to the QlikView Server (QvS), but will “Tunnel” via the WebServer if that connection is blocked
     • Regular connections between the WebServer and QvS use 4747/tcp
     • Tunnelled connections are forwarded to the QvS on 4774/tcp

  45. Network Security – Administration
     • The QlikView Administrators require access to the QlikView Enterprise Management Console(s): http://serverName:4780/QMC
     • The Management Service (QMS) connects to all components to request or update their configuration.
     • The QlikView WebServer (QvWS) accepts admin requests at 4750/tcp. IIS listens for User AND Admin requests on 80/tcp, so the Admin URL needs to be modified in QMC
     • The QlikView Distribution Service (QDS), “Publisher”, looks up Email Addresses and Windows SIDs from the DSC
     • QDS connects directly to QvS when performing a Server Distribution task; otherwise it performs just File operations using SMB (the protocol used for File Sharing)
     • QDS may also distribute emails via SMTP

  46. Network Security – Data
     • QlikView Developer needs to borrow a Client Access Licence (CAL) from QvS
     • QlikView Desktop may open documents “Client-Server” as the Plugin does.
     • Data must be retrieved from Datasources by QlikView Desktop while creating documents, and by QDS when reloading. Every Database Vendor provides their own drivers, and has their own Network Port requirements.
     • The QlikView Developer may read Section Access data from files, databases, and also from QMS. QDS reads from the same locations when reloading documents.
     • The DSC requires connectivity to the Authorisation Repository (usually AD) using the appropriate protocol (LDAP, ODBC, etc.)
     • QvS and QDS may read Documents from a File Server (NAS), especially if clustered.

  47. Windows Groups
     • QlikView Administrators
       • All services must operate as a member of QlikView Administrators
       • If running a QlikView service as LocalSystem, grant the SYSTEM account membership of this group
       • Provides unrestricted access to the Management Console(s) and the ability to submit EDX trigger requests to the QDS
     • QlikView EDX
       • Members may submit EDX trigger requests to the QDS at http://localhost:4720/qtxs.asmx
     • QlikView Management API
       • Members may interact with the QMS at http://localhost:4799/QMS to automate administration tasks
     • IIS_IUSRS
       • The IIS Application Pool Identity must be permitted to “Run Batch Jobs”. See SecPol.msc > Local Policies > User Rights Assignment

  48. Review
     • Authentication
       • Out of the Box
       • HTTP Header
       • Ticketing
       • Custom Directory
     • Document Authorisation
       • NTFS
       • DMS
     • Data Authorisation
       • Section Access
       • Document Reduction
     • Firewalls
     • Management Console

  49. Web Integration

  50. Web Integration – Embed QlikView
     Integrating with websites
     • Built on the well-documented, open, extensible QlikView AJAX API
       • Use it to render QlikView objects
       • Use it to access underlying QlikView data and methods
     • QlikView WorkBench is a product that allows developers using MS Visual Studio to embed QlikView objects into .NET websites
     • Non-.NET sites leverage the AJAX API / Div Tags directly
     • An entire QlikView application can be embedded into a website using standard iFrame technology
