Qlik Sense Security
Understand security basics of the new Sense platform
14 October, 2014
Magnus Berg, Master Principal Enterprise Architect
Legal Disclaimer
This Presentation contains forward-looking statements, including, but not limited to, statements regarding the value and effectiveness of Qlik's products, the introduction of product enhancements or additional products, Qlik's partner and customer relationships, and Qlik's growth, expansion and market leadership, that involve risks, uncertainties, assumptions and other factors which, if they do not materialize or prove correct, could cause Qlik's results to differ materially from those expressed or implied by such forward-looking statements. All statements, other than statements of historical fact, are statements that could be deemed forward-looking statements, including statements containing the words "predicts," "plan," "expects," "anticipates," "believes," "goal," "target," "estimate," "potential," "may," "will," "might," "could," and similar words. Qlik intends all such forward-looking statements to be covered by the safe harbor provisions for forward-looking statements contained in Section 21E of the Exchange Act and the Private Securities Litigation Reform Act of 1995.
Actual results may differ materially from those projected in such statements due to various factors, including but not limited to: risks and uncertainties inherent in our business; our ability to attract new customers and retain existing customers; our ability to effectively sell, service and support our products; our ability to manage our international operations; our ability to compete effectively; our ability to develop and introduce new products and add-ons or enhancements to existing products; our ability to continue to promote and maintain our brand in a cost-effective manner; our ability to manage growth; our ability to attract and retain key personnel; the scope and validity of intellectual property rights applicable to our products; adverse economic conditions in general and adverse economic conditions specifically affecting the markets in which we operate; and other risks and uncertainties more fully described in Qlik's publicly available filings with the Securities and Exchange Commission. Past performance is not necessarily indicative of future results. The forward-looking statements included in this presentation represent Qlik's views as of the date of this presentation. Qlik anticipates that subsequent events and developments will cause its views to change. Qlik undertakes no intention or obligation to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. These forward-looking statements should not be relied upon as representing Qlik's views as of any date subsequent to the date of this presentation. This Presentation should be read in conjunction with Qlik's periodic reports filed with the SEC (SEC Information), including the disclosures therein of certain factors which may affect Qlik's future performance.
Individual statements appearing in this Presentation are intended to be read in conjunction with and in the context of the complete SEC Information documents in which they appear, rather than as stand-alone statements. This presentation is intended to outline our general product direction and should not be relied on in making a purchase decision, as the development, release, and timing of any features or functionality described for our products remains at our sole discretion. 2014 QlikTech International AB. All rights reserved. Qlik, QlikView, QlikTech, and the QlikTech logos are trademarks of QlikTech International AB which have been registered in multiple countries. Other marks and logos mentioned herein are trademarks or registered trademarks of their respective owners.
Qlik Sense Security: agenda
- Overview
- Authentication and Authorization
- Proxy security
- User Directory Connectors
- Access Control
- Access control levels in QMC
- Rule Engine
- Section Access
- Standard vs Legacy mode
Qlik Sense Server: Basic Platform
- Management Console (QMC) and Hub
- Proxy (QPS)
- Repository (QRS)
- Engine (QES)
- Scheduler (QSS)
Qlik Sense Server: Management Console (QMC)
- Security administration is done in the QMC: streams, security rules, management access rights, audit
Qlik Sense Server: Certificates
- A Sense CA certificate is always installed
- Used to secure and authenticate service communication
- Used to encrypt connection strings (LIB)
- The CA certificate can be exported via the QMC
Qlik Sense Server: Proxy (QPS)
- The Proxy handles user authentication against identity providers
- By default, Proxy SSL communication uses the internal CA certificate
- Recommendation: add a public certificate thumbprint in the proxy!
Qlik Sense Server: Repository (QRS)
- Handles user authorization
- The Repository service synchronizes users and groups against directory providers
Qlik Sense Server: Engine (QES)
- The Engine handles Section Access
- Section Access is authorized against the Repository
Proxy security
Proxy
- The Proxy is NOT a web server
- The Proxy relays websocket communication between Engine/Repository and the web browser
- The Proxy authenticates users against an Identity provider
- Authentication is done by an authentication module (default port 4244)
- Custom authentication modules can be created
- A physical proxy can have several virtual proxy instances
- Virtual proxies support header and ticket authentication
Authentication and Authorization (overview diagram)
- Authentication: Proxy (QPS) against the Identity provider
- Authorization: Repository (QRS) using the User Directory Connectors (UDC)
Qlik Sense access control logical flow
Authentication (Proxy, QPS):
1. Start: the user connects and the Proxy gets the credentials
2. The Proxy verifies the user credentials against the Identity provider
3. The Proxy creates the session
Authorisation (Repository, QRS):
4. Access control: system rules are evaluated, with users and groups from the User Directory Connectors (UDC)
5. The resource is presented to the user in the Hub or QMC
Engine (QES):
6. Dynamic Data Reduction for the user
User Directory Connectors
User Directory Connectors
- User Directory Connectors are managed in the QMC
- Connect to several directory providers: Active Directory, Generic LDAP, SQL ODBC (database), XLS, Local Computer, Access DB
- Directory catalogs are synced into the Sense database, for performance and node independence reasons
- Users and groups are utilized by the Repository access control system (management and authorization)
User Directory Connector setup
Sync All:
- Remove the "Sync only existing users" checkbox
- You have a small number of users (below 1500)
- Most of your user base is using Qlik Sense
Selective Sync:
- Sync by use of an LDAP filter
- Tag Qlik users by an attribute or group
- Requires a good understanding of who is using the system
Progressive Sync:
- Keep the "Sync only existing users" checkbox
- Most users are unknown up front
- Only active users end up in the system
Access Control
Access Control
- There are two types of Access Control:
  - Resource access control = app-level authorization
  - Administrator access control = administrative access rights based on roles
- Access Control is based on rules created and managed in the QMC
- Rules are created by the Rule Wizard associated with the task at hand
- Rules can be combinations, like (Group1 or Group2) and Group3
- Use audit management in the QMC to validate the rules
- In addition there are Sync Rules, used to synchronize data between nodes
Access control condition (rule evaluation diagram)
- Inputs: User; Environment (Device, OS, IP, Request type)
- Resources: Stream, App, App Object, Data Connection, Extensions, Tasks, System Rules, Custom Properties, Content Library
- Actions: Create, Read, Update, Delete, Publish, Change ownership, Export
- Outcome: Accept or Reject
Default administrator access levels
- RootAdmin
- Security Admin
- Deployment Admin
- Audit Admin
- Content Admin
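The rule combination above, "(Group1 or Group2) and Group3", together with the accept/reject evaluation and the audit check, modelled in Python as an added example (not Qlik's rule engine): rules are (resource filter, condition, actions) records, the condition grammar is a small subset of the QMC rule syntax (attribute = "value" comparisons joined with and/or and parentheses, with a multi-valued attribute such as user.group matching if any of its values does), and the model is deny-by-default, with any enabled matching rule granting the action. The rule names, users and streams are constructed for the example.

```python
"""Model of the QMC security rule engine (added example, not Qlik code).

Rules are (resource filter, condition, actions). The condition grammar is a
small subset of the QMC rule syntax; multi-valued attributes such as
user.group match if any value does. Access is deny-by-default: any enabled
rule whose filter, condition and action all match grants the action.
"""
import fnmatch
import re
from dataclasses import dataclass, field

_TOKEN = re.compile(r'\s*(\(|\)|=|"[^"]*"|(?:and|or)\b|[A-Za-z_][\w.]*)', re.I)


def tokenize(text):
    """Split a condition into parentheses, '=', quoted values, and/or, attributes."""
    pos, tokens, text = 0, [], text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad token at {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    # expr := term ('or' term)*   term := factor ('and' factor)*
    # factor := '(' expr ')' | attribute '=' "value"
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def take(self, expected=None):
        if self.i >= len(self.toks) or (expected and self.peek() != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {self.peek()!r}")
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        attr = self.take().lower()
        self.take("=")
        value = self.take()
        if not value.startswith('"'):
            raise SyntaxError(f"expected a quoted value after {attr}")
        return ("eq", attr, value.strip('"'))


def parse(condition):
    parser = _Parser(tokenize(condition))
    node = parser.expr()
    if parser.peek() is not None:
        raise SyntaxError(f"unexpected {parser.peek()!r}")
    return node


def evaluate(node, context):
    """Evaluate a parsed condition; value comparison is case-insensitive."""
    if node[0] == "eq":
        values = context.get(node[1], ())
        values = (values,) if isinstance(values, str) else values
        return any(str(v).lower() == node[2].lower() for v in values)
    left, right = evaluate(node[1], context), evaluate(node[2], context)
    return (left and right) if node[0] == "and" else (left or right)


@dataclass
class Rule:
    name: str
    resource_filter: str      # QMC-style type-prefixed glob, e.g. "Stream_*"
    condition: str
    actions: set
    enabled: bool = True


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Resource:
    rid: str                                   # e.g. "Stream_Finance"
    attrs: dict = field(default_factory=dict)  # e.g. {"resource.name": "Finance"}


def granting_rule(user, resource, action, rules):
    """Name of the first enabled rule granting the action, or None (deny by default)."""
    ctx = {"user.name": user.name, "user.group": list(user.groups), **resource.attrs}
    for rule in rules:
        if not rule.enabled or action not in rule.actions:
            continue
        if not fnmatch.fnmatchcase(resource.rid, rule.resource_filter):
            continue
        if evaluate(parse(rule.condition), ctx):
            return rule.name
    return None


def audit(users, resources, action, rules):
    """QMC audit view in miniature: who may do the action on what, and via which rule."""
    return {(u.name, r.rid): granting_rule(u, r, action, rules)
            for u in users for r in resources}


# Constructed rules and principals; the first condition is the slide's
# "(Group1 or Group2) and Group3" written in attribute form.
RULES = [
    Rule("Finance readers", "Stream_*",
         '(user.group = "Group1" or user.group = "Group2") and user.group = "Group3"',
         {"Read"}),
    Rule("Everyone stream", "Stream_*", 'resource.name = "Everyone"', {"Read"}),
]
USERS = [User("alice", {"Group1", "Group3"}), User("bob", {"Group2"}), User("carol", {"Group3"})]
STREAMS = [Resource("Stream_Finance", {"resource.name": "Finance"}),
           Resource("Stream_Everyone", {"resource.name": "Everyone"})]

if __name__ == "__main__":
    for (who, what), why in sorted(audit(USERS, STREAMS, "Read", RULES).items()):
        print(f"{who:6} {what:16} {'ACCEPT via ' + why if why else 'REJECT'}")
```

Because the model only ever grants, a rule that is broader than intended (here "Finance readers" applies to every Stream_* resource, not only Finance) silently widens access; running the audit over all user/resource pairs is how such a rule is caught before users see it, which is the point of the audit management in the QMC.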
Section Access
Removed Section Access fields
- USERID: a username that Qlik prompted for when opening the document
- PASSWORD: a field that should contain an accepted password (clear text)
- SERIAL: a field containing a number corresponding to the Qlik serial number
- NTNAME: AccessPoint username or ticketed identity
- NTSID: a field that should contain a Windows SID
- NTDOMAINSID: a field containing a string corresponding to a Windows domain SID
Section Access Table
- ACCESS: currently only USER is used
- USERID: the name of the user in the format UD\UID
- GROUP: group entries in the QRS synced from a UD, or groups injected at the time of authentication
- [REDUCTION]: the column to reduce on (* still works)
- OMIT: columns that should not be available to the GROUP or USERID

  section access;
  load * inline [
  ACCESS, USERID, GROUP, REDUCTION, OMIT
  USER, QTSEL\flp, *, 3, Region
  USER, *, QVnext, 1, Region
  USER, QVNCYCLES\bbr, *, 2, Region
  ];

  section access;
  load * inline [
  ACCESS, GROUP, REDUCTION, OMIT
  USER, TestGrp1, 1, Region
  USER, TestGrp2, 2, Region
  ];
Section Access behaviour in Qlik Sense
- Document properties do not exist; the behaviour corresponds to these QlikView document settings:
  - DynamicReduceData: true
  - InitialSelection: false
  - StrictDynamicReduction: true
- Only works in the server edition
Limitations
- Desktop can't open apps with section access (there is no security implemented in Desktop)
- No document properties
- It is still possible to lock yourself out
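The dynamic data reduction the Engine performs when a user opens an app, modelled in Python as an added example (not Qlik code): it takes the first section access table from the slide above, plus two constructed rows for the edge cases, and applies it to constructed app data. The matching semantics are this model's assumptions about the engine rather than statements from the slides: values compare case-insensitively, "*" in USERID or GROUP is a wildcard for that column, "*" in REDUCTION means every value listed in the table (not every value in the data), OMIT fields accumulate across matching rows, and the user is denied when no row matches or the matched reduction value is absent from the data (the strict reduction noted above, and the way you lock yourself out).

```python
"""Section Access dynamic data reduction, modelled in Python.

Added example, not Qlik code: applies a section access table to app data the
way the Engine does when a user opens the app, and denies access when no row
matches or the matched reduction value is absent from the data.
"""
from dataclasses import dataclass, field

# Section access table from the slide (ACCESS, USERID, GROUP, REDUCTION, OMIT),
# plus two constructed rows, marked below, that exercise the edge cases.
SECTION_ACCESS = [
    ("USER", r"QTSEL\flp",     "*",      "3", "Region"),
    ("USER", "*",              "QVnext", "1", "Region"),
    ("USER", r"QVNCYCLES\bbr", "*",      "2", "Region"),
    ("USER", "*",              "AUDIT",  "*", ""),        # constructed: '*' reduction
    ("USER", r"QTSEL\ghost",   "*",      "9", "Region"),  # constructed: value not in data
]

# Constructed application data; REDUCTION is the field the table reduces on.
APP_DATA = [
    {"REDUCTION": "1", "Region": "North", "Sales": 100},
    {"REDUCTION": "2", "Region": "South", "Sales": 200},
    {"REDUCTION": "3", "Region": "East",  "Sales": 300},
    {"REDUCTION": "4", "Region": "West",  "Sales": 400},
]


@dataclass
class Identity:
    userid: str                         # "UD\UID", as the Repository presents it
    groups: set = field(default_factory=set)


class AccessDenied(Exception):
    """No section access row gives this identity any data."""


def matching_rows(identity, table=SECTION_ACCESS):
    """(REDUCTION, OMIT) of every row whose USERID and GROUP both match.

    Model assumption: values compare case-insensitively, and '*' in USERID
    or GROUP is a wildcard for that column.
    """
    uid = identity.userid.upper()
    groups = {g.upper() for g in identity.groups}
    rows = []
    for access, userid, group, reduction, omit in table:
        if access.upper() != "USER":        # the slide: only USER is used today
            continue
        uid_ok = userid == "*" or userid.upper() == uid
        grp_ok = group == "*" or group.upper() in groups
        if uid_ok and grp_ok:
            rows.append((reduction.upper(), omit))
    return rows


def reduce_data(identity, table=SECTION_ACCESS, data=APP_DATA):
    """Rows and fields the identity may see; raises AccessDenied otherwise."""
    rows = matching_rows(identity, table)
    if not rows:
        raise AccessDenied(f"{identity.userid}: no matching section access row")
    # '*' in REDUCTION means every value listed in the table, not every value
    # present in the data: a value that exists only in the data stays hidden.
    listed = {r[3].upper() for r in table if r[3] != "*"}
    allowed, omitted = set(), set()
    for reduction, omit in rows:
        allowed |= listed if reduction == "*" else {reduction}
        if omit:
            omitted.add(omit)   # model assumption: OMIT accumulates across matching rows
    visible = [row for row in data if row["REDUCTION"].upper() in allowed]
    if not visible:
        # Strict dynamic reduction: a match on a value that is not in the
        # data yields nothing, not everything.
        raise AccessDenied(f"{identity.userid}: {sorted(allowed)} not in data")
    return [{k: v for k, v in row.items() if k not in omitted} for row in visible]


def can_open(identity, table=SECTION_ACCESS, data=APP_DATA):
    """True when the app opens for this identity; False when it is locked out."""
    try:
        reduce_data(identity, table, data)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for who in (Identity(r"QTSEL\flp"), Identity(r"QTSEL\aud", {"AUDIT"}),
                Identity(r"QTSEL\nobody")):
        print(who.userid, reduce_data(who) if can_open(who) else "ACCESS DENIED")
```

The AUDIT row shows why "*" in the reduction field is not a free pass: the row with REDUCTION 4 exists only in the data, so even the wildcard user never sees it. The ghost row shows the lockout case: the user matches a row, but the value 9 is not in the data, and strict reduction turns that into no access at all rather than full access, which is what an app owner experiences after a script change to the reduction values.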
Standard vs Legacy mode
Standard vs Legacy mode
Standard mode:
- Data can only be loaded through lib connect statements
- Data can only be stored using lib connect statements
- Insecure functions (like Execute) disabled
Legacy mode:
- Backward compatible with v11 scripts
- Absolute server file system paths in scripts
- Unsecure functions in script
- Insecure system variables disabled
Summary
- Authentication is handled by the Proxy
- Authorization is handled by the Repository
- A Sense CA certificate is always installed
- Add a public certificate thumbprint into the proxy
- User Directory Connectors sync against directory providers
- Security management in the QMC is done by rules (rule wizard)
- Section Access still works in Qlik Sense server (field names have changed)
- Section Access does not work in Desktop
- Set the Engine to Standard or Legacy mode depending on needs
Thank You