User Manual
Release Date: 6 September 2021
Ebiexperts | Public
SAM User Guide
SAM Version: MVP
- 1 Welcome to SAM
- 2 How SAM Works:
- 3 Login Screen:
- 3.1 Qlik Login:
- 3.2 Admin Login:
- 4 Login
- 4.1 Menu
- 4.2 Ebiexperts Logo
- 4.3 User Elements:
- 4.4 Help Wiki
- 4.5 Exit
- 4.6 KPI's
- 4.7 Global Search
- 5 Active Control
- 5.1 Exceptions and Alerts
- 5.2 User Off-boarding
- 5.3 Notifications
- 5.4 Filters
- 5.5 Active Control Data Grid
- 5.5.1 Grid Control Panel
- 5.5.2 Refresh the grid:
- 5.5.3 Grid Layout
- 5.5.4 Task Buttons:
- 5.5.5 Action Buttons:
- 5.5.6 Grid Control Panel
- 5.5.7 Refresh the grid:
- 5.5.8 Grid Layout
- 6 Edit App
- 6.1 01 | Application Properties
- 6.1.1 Please Note: Scan Type
- 6.1.2 External data:
- 6.2 02 | Select Reduction Fields
- 6.3 03 | Assign Section Access
- 6.3.1 Admin:
- 6.3.2 User:
- 6.3.3 Deny:
- 6.3.4 Reduction Fields
- 6.3.5 Omit Dimensions
- 6.4 04 | Review Rights
- 6.4.1 Revert Script:
- 6.5 05 | Active Control
- 7 Admin
- 7.1 Servers
- 7.1.1 Server Grid Control Panel
- 7.1.2 Create Server
- 7.1.3 Edit Server
- 7.1.4 Streams to exclude
- 7.1.5 Users to exclude
- 7.2 Users
- 7.2.1 User Grid
- 7.3 Global Configurations
- 7.3.1 License:
- 7.3.2 SAM Configurations:
- 8 Acronyms & Terminology
Table of Contents
Welcome to SAM
Section Access Manager automates your Section Access for Qlik.
Section Access Manager (SAM)
Section Access (SA)
Qlik Documents, Models, Apps (Apps)
See:
Acronyms & Terminology for more
Introduction
SAM is integrated with Qlik Sense and Qlik Sense Management Console (QMC).
The rapidly increasing number of systems, data and complexity associated with multiple deployment environments such as on-premises/cloud/cloud-hybrid deployments and third-party service offerings via PAAS and SAAS is placing a tremendous administrative burden on the organization to securely and consistently manage access to system data and their associated data assets.
Over the past couple of years, there has been a regulatory and compliance shift towards data-driven organizations that need to extract valuable information from their data without relying on the traditional project/SDLC IT processes. As a result, self-service capabilities have emerged in the space of Business Intelligence and Analytics. This further amplifies the problem of access management, because access is managed individually in Application-specific Security Groups, roles and permissions, and is generally managed as code or script which requires a developer to maintain.
Direct data access for consumption into Business Intelligence or Analytics tools is usually independent of the application security definitions. After loading data from the source, another abstraction from the original security specification occurs when the relevant end-users must be granted appropriate permissions on the resulting reports and dashboards. Thus, access management is both a problem for IT, which administers the security, and a business problem, as the business demands faster and timely access to its data to derive valuable insights in time.
Key takeaway: access management will only become more complex, thus automation and self-service are an absolute requirement for data governance and authorization.
Section Access Manager Key Points:
Developer / Application Owner onboarding.
Assign admins to receive onboarding requirements and grant of access
Automatically controls access to application section access configurations based on Qlik role assignments
Admins see all applications and developers/application owners see only their own applications
Scanning of existing and new applications can be set to auto, manual, both or external
Section access will automatically be applied to applications that don’t have existing section access script
Manual applications will automatically reverse engineer existing section access scripts and convert them to SAM controlled scripts for manual controls
SAM can read from external section access database tables and automate the Qlik API integration for customers who have existing Governance Risk Compliance and access management systems
Automate Section Access between Qlik and SAM
Automatically assign section access on a stream level
Utilize the visual interface to apply reductions and omits to specific users or user groups
Exclude streams and development applications where required
Automated notifications and alerts
Admins and Application owners receive automated alerts
Developer and Admin access requests
Application user access requests
Applications in Qlik with Section Access but not controlled by SAM
Utilize the SAM Governance Qlik Sense Application to easily audit who has access to which application as well as data level access
What Is Section Access (SA)?
In Qlik you can restrict the data users are able to see, on a user and data row level, by using SA. SA is a script within a Qlik App which tells the App which access to provide to a user who logs into Qlik and opens the App. SA works on two levels: App level, i.e., the user can access the App and see all the data, and restricted data level, i.e., the user can only see some data within the App, with the data the user is not allowed to see removed. SA is implemented as script within each Qlik App, so it is generally managed by Qlik developers. Many companies use manual script, sheets, databases or write back capabilities to manually manage SA.
Section Access Challenges:
SA is generally quite static and although easy to manage with a single script per App, changes still need to be applied to the script, sheets, or database tables when users churn within a company. SA is directly linked to a user's access and thus requires changes when users join or leave organizations or change their roles within organizations, which may require access to different Apps and data.
Small and large companies struggle to manage SA across the business with different self-service and support requirements, and processes for applying changes within Apps which could easily affect various people such as the business stakeholder that requests the change, the service desk agent that logs the change, and the developer that applies the change and provides the feedback back up the chain to the agent and stakeholder. This may take time, and as SA is generally maintenance work, thus BAU and not instant, people lose time to insights or are exposed to data they should not access.
Manually managed solutions such as Excel sheets and database table type write back capabilities do not provide the automation required to bring all the changes to the user automatically and apply the change quickly and correctly. Standard SA is not self-service, i.e., a business user can manage it in an Excel sheet, but that sheet has to be protected, requires access control on the folder and the Excel file, and it takes a normal business stakeholder longer to access and apply the changes. Some companies run all their SA as script in the Apps, which does not provide for self-service by business users, as business users generally can't script Qlik Apps.
SAM ROI:
Assigning SA is also quite a cumbersome process and takes up a lot of time from quite a couple of people in the process, which most organizations don't realize:
With an App 1:5 People Ratio, average USA 22% onboarding/offboarding and 30% internal churn, these are the estimated costs at a standard developer cost and change time allocation of 15 minutes per change:
10 Apps & 50 Users: 122% ROI
50 Apps & 250 Users: 153% ROI
250 Apps & 1250 Users: 197% ROI
500 Apps & 2500 Users: 197% ROI
1 000 Apps & 5 000 Users: 345% ROI
Time saving is an obvious benefit from SAM, as customers can assign Qlik Apps to their business stakeholders, who can now manage their own SA directly from SAM without the need to manage Excel sheets, database tables or script; SAM will do the change work for you. The additional benefits of meeting regulatory and compliance requirements for data protection are perhaps the larger ROI in most large organizations. Nonetheless, we all must comply with personal data protection requirements.
How SAM Works:
SAM automates your Section Access for Qlik. SAM is a No-code Section Access management solution for Qlik.
SAM is integrated with Qlik and synchronizes your Qlik SA related changes between SAM and Qlik. The logical architecture is very straightforward. We provide a standalone and a modular option for SAM: SAM can be installed as a standalone product or as a module within Ebiexperts WIP, where you manage your Qlik Source Control, Versioning, Quality, Publications and Audits.
Please see the following documentation:
SAM Installation Guide
SAM Admin Guide
SAM User Guide (This document)
SAM works with two user types:
Please note: Only users who are allocated these roles on Qlik will be able to access SAM. It does not matter what type of Qlik license you have, you must be assigned the following rights on Qlik to manage your Section Access with SAM.
SAM is a self-service solution for businesspeople, admins, developers to manage their own SA.
Qlik RootAdmins: System/Service Account Admin users can install, and Admin users can set up the system and monitor the work as well as their own SA
Qlik AppOwners: AppOwners can manage their own SA, No-code, for their applications either automatically (Auto) or manually (Manual)
SAM provides for two main automation processes:
Sync Type: Automated scheduled process for collecting changed data from the Qlik servers and Apps
Scan Type: The process of scanning the App for the metadata and Reverse Engineering (RE) any existing SA scripts
Reverse Engineer (RE)
Reverse Engineer (RE) is a method of connecting to a Qlik App and codifying its existing SA, which is possible because there is a standard best practice way SA should be developed.
Should your SA follow any of the best practice standards, SAM will be able to RE your script and recreate it within SAM, automatically assigning all the data reduction and omit fields on a user level for all users. On success SAM will put your App to Manual mode, as the user will manage the data level access manually, i.e., assign it to new and changed users using the Qlik data provided within the easy-to-use interface process provided (point & click & rights copy & multi-assign).
Should SAM not be able to RE your existing SA script in Qlik it will put the App to Unmanaged mode.
Unmanaged mode means SAM does not manage the SA and your original SA script in Qlik still remains as SAM was unable to RE your script. The user has a couple of options here should they wish SAM to manage the SA.
Open the Qlik App and fix the SA in accordance with the best practice methods provided below and E-learning.
See Edit App, Scan Type changes options for unmanaged mode change effects.
SAM Errors:
SAM will run into errors from time to time when it is unable to connect to the Qlik server, access the API, access and scan an App, or RE the existing SA from the App, and so forth. SAM's automated process ensures errors are flagged and raised as tasks for the user to fix.
Sync Errors: Errors related to connecting to Qlik, Qlik API, network, environment etc.
License Error: May require additional licenses or the license code is expired
QlikAPIError: Environmental errors such as network, Qlik server is offline or corrupted
App Scan: The App Scan process will generate errors based on the scan status results or where it fails:
ToBeScanned: The App has been flagged by the system for scanning
Scanning: The App is currently being scanned
Scanned OK: The scan was successful, and Apps can be activated (should you be on a manual global configuration)
Scan Errors: Errors related to connecting and retrieving the App metadata
AppError: Can't access the App
ReError: Can't Reverse Engineer (RE) the existing script in the App
Application Wire Frame:
SAM Provides the following interfaces:
Login Screen
Active Control
Admin
E-Learning
Login Screen:
SAM provides two Login options.
Qlik users require a Qlik licensed user account and use their Qlik login credentials to log into SAM.
SAM provides an authentication between itself and Qlik and in most environments will provide a single sign-on solution, so you only need to shake hands once between the two systems.
Qlik Login:
This is the general login for all except one user which is the Qlik Service Account for which we provide the second login option.
Click on the Qlik Login button. This will open another browser window for the Qlik authentication.
Fill in your Qlik authenticated UserID and password
The system will automatically return you to SAM when you have successfully authenticated with the Qlik server.
SAM will automatically log in
Admin Login:
The administrator (usually system account user) will use this login when SAM is unable to connect to Qlik but Qlik is up and running. The system admin user can log into SAM using this alternative login option.
Login
When you initially log in you will automatically land on the E-Learning section and be provided with a quick guide help to understand what options are available on your screen.
Menu
The main menu provides a quick navigation to any page within the system.
The user can expand the menu by clicking on the 3 lines icon (hamburger). This will reveal the menu options. The user can select one of these pages to navigate to.
Inactive Pin
Active Pin
The user can pin a page, by clicking on the pin icon, so when they log in the next time they will land on the pinned page.
Ebiexperts Logo
The Ebiexperts logo will link you to the Ebiexperts site.
User Elements:
The user elements are to provide some personal options to the user.
User:
The user can click on the user icon to see their login information and user role.
Help Wiki
Click on the help wiki to open a new browser to this document which is published and maintained online.
Exit
Use the exit button to exit the service and log the user out of their session. The user would need to log in again to start another session once logged out.
KPI's
The KPI's provide a view of personal compliance calculated on a user level vs. Total Level. The user can click on the 3 dots to expand the KPI icon to view the total compliance.
User: (Admins that are not App owners can see Total | Total
Compliance: 80% (Total # Manual & Auto App vs. Unmanaged)
Managed Apps: 9
Unmanaged: 2
Issues: 5
Total Business
Compliance: 95% (Total # Manual & Auto App vs. Unmanaged)
Managed Apps: 20
Unmanaged: 200
Issues: 5
Global Search
The global search functionality enables the user to search for any data asset within SAM. Assets are the filters provided:
Servers
Streams
Apps
Users
AppOwners
Data Fields
If you don't activate a filter the search will be global across all the assets and will bring all possible results. If you use a filter, you force the search to one or multiple assets and will provide any global hits on one or multiple defined filters. Clicking on a search result will take the user to the Edit App function.
Search results are presented in columnar fashion as it provides the user with all the information required to find the App that contains what they are searching for.
Active Control
The Active Control section consists of the following sub menus: Active Control, Exceptions and Alerts, User Off-boarding and notifications. When you select Active Control from the main menu you will land on the Active Control sub menu by default.
The User Offboarding feature will only be visible if the feature is active in the admin section.
Exceptions and Alerts
Exceptions and alerts provides a view of the user's issues. Issues are automatically generated by the system based on automation errors from the synchronization (Sync Errors) and Application Scan (Scan Errors) processes.
As SAM experiences these issues it will automatically log them as lists in this view and provide the user with all the required information and Active Control options to apply the correct fix for the task.
The Exceptions and Alerts Grid provides context for each issue as well as Action Buttons to SingleTouch execute tasks.
User Off-boarding
The Off-boarding feature is a central function where you can off-board a user from either specific applications or all applications instantly.
Notifications
The notifications section is where you receive notifications such as requests for access to applications. Clicking on the green button directs you to QMC, where you can grant the user access. Clicking on the red button denies the user access.
Filters
SAM provides default filters to manage the page.
Server & Stream Filter
Filter by Server and then server specific Stream
Select Error Filter
SAM provides some standard errors the user can filter on:
Sync Error Type
License Error
QlikAPIError
Scan Error Type
AppError
ReError
Select Sync Type Filter
Filter by Scan Type
Select Owner Filter (Default: Admin Only)
Select Owner
The Admin users will see the following filter on the page by default. They can filter tasks based on user, as they are able to view all tasks and all Apps.
Active Control Data Grid
The data grid provides contextual information and action button options per task.
Grid Control Panel
The user can manage what they see on the grid layout by adding and removing columns from the grid using the grid control panel.
The Active Control grid provides two grid management options:
Refresh the grid:
The refresh grid option refreshes the cache of the grid enabling new items changed within the session to refresh on the grid.
Grid Layout
The Grid Layout function enables the user to add and remove columns to and from their grid.
Task Buttons:
The data grid provides contextual information and SingleTouch options per task.
SAM understands the error types within the automation as well as the synchronization and scanning processes and provides the user with SingleTouch Action Buttons to manage these tasks as they are automatically generated by the system.
ErrorType | ScanErrorType | SAM Error Message | SAM Action |
SyncError | QlikAPIError | We are unable to reach Qlik, please check your network or settings. All existing SA will continue based on previous App state and data till the Qlik issue is resolved. | Open QMC {Opens Qlik QMC} |
SyncError | QlikAPIError | The license assigned to SAM has expired. Please ensure you have enough licenses for all your Managed Apps. | View License {Opens License view} |
ScanError | AppError | We are unable to reach your App, please check whether your App is accessible via Qlik and try again. | Open Qlik App {Opens the Qlik App in Hub} |
Action Buttons:
Open QMC {Opens Qlik QMC} - This option is only available to Admin users
Open Qlik App {Opens the Qlik App in Hub}
Rescan - Fixed/Removed SA from Qlik?
Change Scan Type - Option available if the App has been successfully RE before (dropdown option button)
Remove Task - Removes task from Active Control view
Grid Control Panel
The user can manage what they see on the grid layout by adding and removing columns from the grid using the grid control panel.
The Active Control grid provides two grid management options:
Refresh the grid:
The refresh grid option refreshes the cache of the grid enabling new items changed within the session to refresh on the grid.
Grid Layout
The Grid Layout function enables the user to add and remove columns to and from their grid.
Unmanaged Rescan: You can rescan your App for a Reverse Engineering process at any time. Please see Reverse Engineering section.
App Name: App Name
Server: Server where the App is located
Stream: Stream where the App is located
Scan Type: What automation type has been affected on the app (Auto, Manual, Unmanaged - Managed as script in Qlik)
Owner: AppOwner Name
Metadata: Last synced/scanned
Edit App
When you double click an App, it will open with the App properties view. Management of the Apps is done automatically by SAM on an App level or manually by the user on a data level. The process of maintaining the SA is broken into different logical steps for the user.
01 | Application Properties
Application Name: Name of the App
Scan Type: Scan Type of the App
Server Name: Server name where the App is hosted
Stream: Stream name where the App is accessible
AppOwner: App owner as set within QMC for the App
Scan Status: The latest App scan status
Scan Type: Change the Scan Type
Please Note: Scan Type
Auto: When an App has no SA, SAM will automatically set the App's Scan Type to Auto mode, which automatically gives all QMC users who have security access to the App access to it on an App level (not data level, i.e. not reduction level). This will reflect 1:1 the QMC users assigned to the App and provide all data access to the App.
Manual: If your App has existing SA, SAM will try to Reverse Engineer the SA. Should the SA follow best practice, SAM will succeed and switch the Scan Type to Manual mode with your SA assigned per user.
Unmanaged: If SAM is unable to Reverse Engineer your SA script from Qlik it will leave the existing Qlik SA script in the App and set the Scan Type to Unmanaged. SAM does not use a license for Unmanaged Apps as we have not been able to RE the SA and have left the existing SA within the App.
Fixing Unmanaged Apps:
You have to fix the SA in your Qlik App so SAM can RE the script. We provide best practice guidelines within our E-Learning section.
Copy your App to WORK
Fix the SA or remove the SA if you can't fix it
Wait for your Scan to pick up the copied App in WORK
The App will have two options depending on what the user did to fix the SA:
Fixed the SA: SAM will RE the App successfully and automatically provide all your SA for you to manually manage going forward. We provide some very easy rights copy paste options as well as Active Control tasks for SingleTouch processing of changes.
Removed the SA: SAM will scan the App but won't detect any SA, so it will automatically switch the App Scan Type to Auto, which means it is automated 1:1 with QMC users; see Auto Scan Type above.
RE Scan Status: Reverse Engineer scan status
Scan Error: Scan errors
External data:
You now have the option to Allow external tables only. This feature enables you to connect SAM to an external system such as user authentication or GRC systems where SAM would read the Section Access information from a specific table. You can force SAM to read from external table only or run SAM as a mix between external table and Qlik QMC.
Click on the next button or the tab link on top to navigate to the next process.
02 | Select Reduction Fields
The user can now apply the selected Reduction Field(s) from the provided Reduction Field(s) list.
Reload Metadata: The metadata field provides a view of when last the App was scanned automatically. The user may have recently made changes to the App and the data changes have not reflected yet thus they can't select it in SAM. Click on the Reload Metadata to reload the metadata from the Qlik App to SAM. You will now see all your available Reduction Field options.
03 | Assign Section Access
The user can now assign section access to the App users. The data fields for the reduction dimension will now be available for selection.
The user can assign the SA on a user level starting with assigning Access rights:
Admin:
Any Admin user in Qlik will automatically be shown as an ADMIN user on the App.
Setting a user as an Admin user in SAM enables that user to see and change the SA settings for the App.
User:
App users will automatically show as USER per line.
Deny:
Any user who has been removed from the App in Qlik will be shown as DENY. The user still exists within the Qlik service but does not have access to the data in this App.
Reduction Fields
The user can now assign Reduction Fields to the App user list by selecting the user and assigning the fields either manually per user or by utilizing the bulk inheritance assignment feature across many users.
Copy User Rights: The User Rights assignment feature is an important time-saving user allocation feature, which we will build out further in the next version of SAM. The user can select a user, copy the user rights, select multiple other users and paste the user rights to those users. The user will see the copied rights per user as evidence of the correct assignments, as well as on the next step, where the grid will validate the user assignments.
Omit Dimensions
Omit dimensions are seldom used and we have not allowed for a bulk action. The user can assign Omit dimensions to the users from whom they wish to omit data from the App altogether. This data will never be loaded into the App for these users.
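The access rights, Reduction Fields and Omit dimensions assigned in this step can be pictured with a small model. This is an added example, not SAM's code or Qlik's engine: the `Assignment` class, the function names, user IDs, field names and data rows are constructed for illustration, and the "No access" label is an assumption.

```python
"""Simplified model of Section Access (SA) rights as this guide describes them.

Added illustration only: not SAM's code and not Qlik's engine. All user IDs,
field names and data rows below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Assignment:
    """One user's SA line: access right, Reduction Fields, Omit dimensions."""
    access: str                                     # "ADMIN", "USER" or "DENY"
    reductions: dict = field(default_factory=dict)  # field name -> allowed values
    omit: set = field(default_factory=set)          # fields hidden from this user


def visible_rows(assignments, user, rows):
    """Return the rows (and fields) `user` would see under this model."""
    a = assignments.get(user)
    if a is None or a.access == "DENY":
        return []                      # not listed, or removed from the App
    result = []
    for row in rows:
        # Data level: every Reduction Field must hold an allowed value.
        if all(row.get(f) in allowed for f, allowed in a.reductions.items()):
            # Omit dimensions are dropped from the row entirely.
            result.append({k: v for k, v in row.items() if k not in a.omit})
    return result


def access_level(assignment):
    """Classify a line using the guide's App level / Data Level terms."""
    if assignment.access == "DENY":
        return "No access"             # assumed label, not a SAM term
    if assignment.reductions or assignment.omit:
        return "Data Level SA"
    return "App level SA"


def audit(assignments):
    """Map each user to an access level, for a who-sees-what review."""
    return {user: access_level(assignments[user]) for user in sorted(assignments)}


# Constructed sample data.
ROWS = [
    {"REGION": "EMEA", "COUNTRY": "France", "SALES": 120, "MARGIN": 30},
    {"REGION": "EMEA", "COUNTRY": "Spain", "SALES": 80, "MARGIN": 12},
    {"REGION": "AMERICAS", "COUNTRY": "Canada", "SALES": 200, "MARGIN": 55},
]
ASSIGNMENTS = {
    "CORP\\ADMIN1": Assignment("ADMIN"),
    "CORP\\ALICE": Assignment("USER", reductions={"REGION": {"EMEA"}}),
    "CORP\\BOB": Assignment("USER", reductions={"REGION": {"AMERICAS"}},
                            omit={"MARGIN"}),
    "CORP\\CAROL": Assignment("DENY"),
}

if __name__ == "__main__":
    for user, level in audit(ASSIGNMENTS).items():
        print(f"{user:14} {level:14} {visible_rows(ASSIGNMENTS, user, ROWS)}")
```

The `audit` output is the kind of list to check for users left on App level access where a reduction was intended.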
04 | Review Rights
The user can now review their rights in the grid view provided to validate their SA which will be applied to their App.
Revert Script:
The revert script feature enables the user to put their original Reverse Engineered script back into Qlik, replacing their SAM script and thus their SAM work. This will set the App Scan Mode to Unmanaged automatically.
Please Note: This action will replace your SAM SA with the Original Qlik SA which SAM Reverse Engineered.
05 | Active Control
All errors and tasks generated based on changes will be reflected per App in this view. The user can review any issues and tasks for the App and fix those automatically with the SingleTouch action button options before saving and updating the SA by clicking the Finish button.
Admin
The Admin section is only accessible by Admin users set as ROOTADMIN within Qlik or changed within SAM. The Admin section provides the Admin user with an overview of their configurations with the ability to maintain them.
Servers
The Admin user can create and certify your authentication between Qlik servers and SAM service here. Use the grid control panel to create or add a new server and follow the process to activate the server.
Server Grid Control Panel
Servers will be added from the Grid control panel and deleted by using the line delete feature. The user can multi select all and clear all from the grid as well as refresh the cache of the grid should the grid not display properly.
Create Server
The user can create a server by clicking on the + icon on the server grid panel. The server view will change to provide the form for editing the server properties.
Edit Server
Server: Enabled – When a server is enabled SAM will automatically synchronize and scan the server with all its services. If a server is not Enabled, SAM will not connect to the server.
Name: Provide a name for the server
URL: Provide a URL for the Server
External Url: Provide an external URL for the server
Authentication: SAM only provides a certificate authentication method for Qlik Sense.
Is Default Server: There should always be a default server activated for login. The user is able to change this based on the server status i.e. should the user experience problems with one Qlik Sense server they can activate another server for the login of the users.
Import Certificate: Click on the Certificate button to import the Qlik Sense certificate. Use the Clear button to clear the certificate from the server to load another one.
Streams to exclude
Selecting a stream would mean that you do not want to manage that stream with SAM.
Users to exclude
Development user work applications/dev apps that you wish to exclude.
Users
You can edit users in the user list grid by clicking on a specific user. Click on a user to select the user and display the user properties.
User Grid
The user grid list can be managed with the grid control for selecting columns on the user list.
Global Configurations
License:
This is where you can add your licenses and view your license information.
SAM Configurations:
SAM Auto Gen Script:
No: Selecting No would mean the user wishes to activate and process each application manually and define whether they are auto or manually controlled.
Auto: SAM will automatically apply section access to all applications based on QMC stream user access rights.
Manual: SAM will scan the applications for manual section access and reverse engineer the existing Section Access which will then be controlled by SAM.
Both: SAM will automatically apply stream level access to all applications which do not contain section access.
You can set the Scan Type automation options per server meaning how you wish the server to handle the automation of the Apps hosted within the server.
External Tables:
You now have the option to Allow external tables only. This feature enables you to connect SAM to an external system such as user authentication or GRC systems where SAM would read the Section Access information from a specific table. You can force SAM to read from external table only or run SAM as a mix between external table and Qlik QMC.
Disable User on/off-boarding:
Disabling the user On/Off-Boarding allows admins to control the on/off-boarding process manually.
You have your app scan limitation in Gigabytes. This is so you can manually manage large apps and thus the RAM consumption on the server.
The default cache cycle time for checking changes in Qlik QMC is set to 30 seconds and the default scan cycle time is set to 1 minute for refreshes.
You can also set your QMC Scan cycle time.
If you want to revert any of your applications, i.e. put them back to their original script, use the revert all button.
Acronyms & Terminology
Acronym | Description |
SAM | Section Access Manager for Qlik |
SA | Section Access |
App(s) | Qlik Applications, models, documents |
Sync Type | Types of synchronization between Qlik and SAM |
Scan Type | A metadata scan of Apps to Reverse Engineer existing SA |
RE | Reverse Engineer: Codifying existing SA to SAM structures and removing existing SA on a successful Reverse Engineering process |
QMC | Qlik Sense: Qlik Management Console |
API | Application Programming Interface |
URL | Uniform Resource Locator |
App level SA | All users all data |
Data Level SA | User specific restricted and omitted data |