Qlik Sense Security. Understand security basics of the new Sense platform. 14 October, 2014 Magnus Berg Master Principal Enterprise Architect


Legal Disclaimer This Presentation contains forward-looking statements, including, but not limited to, statements regarding the value and effectiveness of Qlik's products, the introduction of product enhancements or additional products, Qlik's partner and customer relationships, and Qlik's growth, expansion and market leadership, that involve risks, uncertainties, assumptions and other factors which, if they do not materialize or prove correct, could cause Qlik's results to differ materially from those expressed or implied by such forward-looking statements. All statements, other than statements of historical fact, are statements that could be deemed forward-looking statements, including statements containing the words "predicts," "plan," "expects," "anticipates," "believes," "goal," "target," "estimate," "potential," "may", "will," "might," "could," and similar words. Qlik intends all such forward-looking statements to be covered by the safe harbor provisions for forward-looking statements contained in Section 21E of the Exchange Act and the Private Securities Litigation Reform Act of 1995.
Actual results may differ materially from those projected in such statements due to various factors, including but not limited to: risks and uncertainties inherent in our business; our ability to attract new customers and retain existing customers; our ability to effectively sell, service and support our products; our ability to manage our international operations; our ability to compete effectively; our ability to develop and introduce new products and add-ons or enhancements to existing products; our ability to continue to promote and maintain our brand in a cost-effective manner; our ability to manage growth; our ability to attract and retain key personnel; the scope and validity of intellectual property rights applicable to our products; adverse economic conditions in general and adverse economic conditions specifically affecting the markets in which we operate; and other risks and uncertainties more fully described in Qlik's publicly available filings with the Securities and Exchange Commission. Past performance is not necessarily indicative of future results. The forward-looking statements included in this presentation represent Qlik's views as of the date of this presentation. Qlik anticipates that subsequent events and developments will cause its views to change. Qlik undertakes no intention or obligation to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. These forward-looking statements should not be relied upon as representing Qlik's views as of any date subsequent to the date of this presentation. This Presentation should be read in conjunction with Qlik's periodic reports filed with the SEC (SEC Information), including the disclosures therein of certain factors which may affect Qlik's future performance.
Individual statements appearing in this Presentation are intended to be read in conjunction with and in the context of the complete SEC Information documents in which they appear, rather than as stand-alone statements. This presentation is intended to outline our general product direction and should not be relied on in making a purchase decision, as the development, release, and timing of any features or functionality described for our products remains at our sole discretion. 2014 QlikTech International AB. All rights reserved. Qlik, QlikView, QlikTech, and the QlikTech logos are trademarks of QlikTech International AB which have been registered in multiple countries. Other marks and logos mentioned herein are trademarks or registered trademarks of their respective owners.

Qlik Sense Security
- Overview
- Authentication and Authorization
- Proxy security
- User Directory Connectors
- Access Control
- Access control levels in QMC
- Rule Engine
- Section Access
- Standard vs Legacy mode


Qlik Sense Server: Basic Platform
- QMC
- Hub
- Proxy (QPS)
- Repository (QRS)
- Engine (QES)
- Scheduler (QSS)

Qlik Sense Server: Management Console
- Security administration is done in the QMC: streams, security rules, management access rights, audit

Qlik Sense Server: Certificates
- The Sense CA certificate is always installed
- Used to secure and authenticate service communication
- Used to encrypt connection strings (LIB)
- The CA certificate can be exported via the QMC

Qlik Sense Server: Proxy
- The Proxy handles user authentication against identity providers
- By default, Proxy SSL communication uses the internal CA cert
- Recommendation! Add a public certificate thumbprint in the proxy!

Qlik Sense Server: Repository
- User authorization
- The Repository service synchronizes users and groups against directory providers

Qlik Sense Server: Engine
- The Engine handles Section Access
- Section Access is authorized against the Repository


Proxy
- The Proxy is NOT a web server
- The Proxy relays websocket communication between the Engine/Repository and the web browser
- The Proxy authenticates users against an identity provider
- Authentication is done by an authentication module (default port 4244)
- Custom authentication modules can be created
- A physical proxy can have several virtual proxy instances
- Virtual proxies have header and ticket authentication support

[Diagram]
- Authentication: Proxy (QPS), Identity provider
- Authorization: Repository (QRS), User Directory Connectors (UDC)

Qlik Sense access control logical flow
[Diagram]
- Authentication, Proxy (QPS) and Identity provider: Start, Get credentials, Verify user credentials, Create session
- Authorisation, Repository (QRS) and User Directory Connectors (UDC): Access control, System rules
- Engine (QES): Dynamic Data Reduction
- Resource presented to user in Hub or QMC


User Directory Connectors
- User Directory Connectors are managed in the QMC
- They connect to several directory providers: Active Directory, Generic LDAP, SQL, ODBC (database), XLS, Local Computer, Access DB
- Directory catalogs are synced into the Sense database, for performance and node independence reasons
- Users and groups are utilized by the Repository access control system (Management, Authorization)

User Directory Connector setup

Sync All
- Remove the "Sync only existing users" checkbox
- You have a small number of users (below 1500)
- Most of your user base is using Qlik Sense

Selective Sync
- Sync by use of an LDAP filter
- Tag Qlik users by an attribute or group
- Good understanding of who is using the system

Progressive Sync
- Keep the "Sync only existing users" checkbox
- Most users are unknown
- Only active users in the system


Access Control
- There are two types of access control:
  - Resource access control = app-level authorization
  - Administrator access control = administrative access rights based on roles
- Access control is based on rules created and managed in the QMC
- Rules are created by the Rule Wizard associated with the task at hand
- Rules can be combinations, like (Group1 or Group2) and Group3
- Use audit management in the QMC to validate the rules
- In addition there are Sync Rules, used to synchronize data between nodes

Access control condition
[Diagram: a request is accepted or rejected based on]
- User
- Resource: Stream, App, App Object, Data Connection, Extensions, Tasks, System Rules, Custom Properties, Content Library
- Actions: Create, Read, Update, Delete, Publish, Change ownership, Export
- Environment: Device, OS, IP, Request type

Default administrator access levels
- RootAdmin
- Security Admin
- Deployment Admin
- Audit Admin
- Content Admin


Removed Section Access fields
- USERID: a username that Qlik will prompt for when opening the document
- PASSWORD: a field that should contain an accepted password (clear text)
- SERIAL: a field containing a number corresponding to the Qlik serial number
- NTNAME: AccessPoint username or ticketed identity
- NTSID: a field that should contain a Windows SID
- NTDOMAINSID: a field containing a string corresponding to the Windows domain SID

Section Access Table
- ACCESS: currently only USER is used
- USERID: the name of the user in the format UD\UID
- GROUP: group entries in the QRS synced from a UD, or groups injected at the time of authentication
- [REDUCTION]: the column to reduce on (* still works)
- OMIT: columns that should not be available to the GROUP or USERID

    section access;
    load * inline [
    ACCESS, USERID,GROUP, REDUCTION, OMIT
    USER, QTSEL\flp,*,3,Region
    USER, *, QVnext,1,Region
    USER, QVNCYCLES\bbr,*,2, Region
    ];

    section access;
    load * inline [
    ACCESS, GROUP, REDUCTION, OMIT
    USER, TestGrp1,1, Region
    USER, TestGrp2,2, Region
    ];

Document properties do not exist; the behaviour is fixed to:
- DynamicReduceData : true
- InitialSelection : false
- StrictDynamicReduction : true
- Only works in the server edition

Limitations
- Desktop can't open apps with section access (there is no security implemented in Desktop)
- No document properties
- Still possible to lock yourself out
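The lock-out limitation can be checked before a reload. The following is an added example, not code from the presentation: a simplified Python model of how the first inline table on the Section Access slide matches users. It assumes a row applies when both USERID and GROUP match (with * matching anything), that comparisons are case-insensitive, that matching rows are combined, and that * in REDUCTION expands to the values listed in the table; the function names and the principals used with it are hypothetical.

```python
import csv
import io

# Constructed copy of the first inline table on the slide (spaces normalised).
SECTION_ACCESS = """ACCESS, USERID, GROUP, REDUCTION, OMIT
USER, QTSEL\\flp, *, 3, Region
USER, *, QVnext, 1, Region
USER, QVNCYCLES\\bbr, *, 2, Region
"""


def parse_rows(text):
    """Parse the inline table into one dict per row, keyed by upper-cased header."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip().upper() for h in next(reader)]
    return [dict(zip(header, (c.strip() for c in row))) for row in reader if row]


def effective_access(rows, userid, groups):
    """Return (reduction values, omitted fields) for a user, or None when no
    row matches, which under strict reduction means the app will not open."""
    userid = userid.upper()
    groups = {g.upper() for g in groups}
    # Assumption: * in REDUCTION means "every value listed in this table".
    listed = {r["REDUCTION"] for r in rows if r["REDUCTION"] != "*"}
    reduction, omit, matched = set(), set(), False
    for r in rows:
        user_ok = r["USERID"] == "*" or r["USERID"].upper() == userid
        group_ok = r["GROUP"] == "*" or r["GROUP"].upper() in groups
        if not (user_ok and group_ok):
            continue
        matched = True
        reduction |= listed if r["REDUCTION"] == "*" else {r["REDUCTION"]}
        if r.get("OMIT"):
            omit.add(r["OMIT"])
    return (reduction, omit) if matched else None


def locked_out(rows, principals):
    """List the (userid, groups) principals that no row of the table admits."""
    return [uid for uid, groups in principals
            if effective_access(rows, uid, groups) is None]
```

Running `locked_out` over the accounts that must keep access (app owner, reload service account) before publishing a script change catches the lock-out case while the table can still be edited.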


Standard vs Legacy mode

Standard mode
- Data can only be loaded through lib connect statements
- Data can only be stored using lib connect statements
- Insecure functions (like Execute) disabled
- Insecure system variables disabled

Legacy mode
- Backward compatible with v11 scripts
- Absolute server file system paths in scripts
- Insecure functions in script
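When deciding whether an Engine can run in standard mode, it helps to know which load scripts depend on legacy-only constructs. The following is an added example, not code from the presentation: a heuristic Python check that flags absolute file system paths after FROM/INTO and Execute statements in a load script. The sample script, connection names and function names are constructed for illustration.

```python
import re

# Constructed load script mixing standard-mode and legacy-only constructs.
SAMPLE_SCRIPT = r"""
LIB CONNECT TO 'SalesDB';
Orders: SQL SELECT * FROM dbo.Orders;
Targets: LOAD * FROM [lib://Finance/targets.xlsx] (ooxml, embedded labels);
// LOAD * FROM [C:\old\ignored.csv];
Legacy: LOAD * FROM [C:\Data\budget.csv] (txt);
STORE Orders INTO '\\fileserver\share\orders.qvd' (qvd);
EXECUTE cmd.exe /C "copy a b";
"""

# "//" comments, but not the "//" inside "lib://", plus /* ... */ blocks.
COMMENTS = re.compile(r"(?<!:)//[^\n]*|/\*.*?\*/", re.S)
# Source or target of a LOAD ... FROM / STORE ... INTO statement.
TARGET = re.compile(r"\b(?:FROM|INTO)\s+(\[[^\]]+\]|'[^']+'|\"[^\"]+\"|[^\s;]+)", re.I)
# Drive letter, UNC share or rooted path: not a lib:// connection.
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")
EXECUTE = re.compile(r"^[ \t]*EXECUTE\b", re.I | re.M)


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def legacy_findings(script):
    """Return sorted (line, kind, detail) tuples for legacy-only constructs."""
    # Blank out comments but keep newlines so line numbers stay correct.
    text = COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), script)
    findings = []
    for m in TARGET.finditer(text):
        path = m.group(1).strip("[]'\"")
        if ABSOLUTE.match(path):
            findings.append((_line_of(text, m.start()), "absolute-path", path))
    for m in EXECUTE.finditer(text):
        findings.append((_line_of(text, m.start()), "execute", "EXECUTE"))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, detail in legacy_findings(SAMPLE_SCRIPT):
        print(f"line {line}: {kind}: {detail}")
```

A script with no findings is a candidate for standard mode; each finding marks a statement to move to a lib connection or to review before the mode is changed.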

Summary
- Authentication is handled by the Proxy
- Authorization is handled by the Repository
- A Sense CA certificate is always installed
- Add a public certificate thumbprint into the proxy
- User Directory Connectors sync against directory providers
- Security management in the QMC is done by rules (rule wizard)
- Section Access still works in Qlik Sense server (field names have changed)
- Section Access does not work in Desktop
- Set the Engine to Standard or Legacy mode depending on needs

Thank You