
Qlik Sense Security

Understand security basics of the new Sense platform

14 October, 2014

Magnus Berg

Master Principal Enterprise Architect

Legal Disclaimer

This Presentation contains forward-looking statements, including, but not limited to, statements regarding the value and effectiveness of Qlik's products, the introduction of product enhancements or additional products, Qlik's partner and customer relationships, and Qlik's growth, expansion and market leadership, that involve risks, uncertainties, assumptions and other factors which, if they do not materialize or prove correct, could cause Qlik's results to differ materially from those expressed or implied by such forward-looking statements. All statements, other than statements of historical fact, are statements that could be deemed forward-looking statements, including statements containing the words "predicts," "plan," "expects," "anticipates," "believes," "goal," "target," "estimate," "potential," "may", "will," "might," "could," and similar words. Qlik intends all such forward-looking statements to be covered by the safe harbor provisions for forward-looking statements contained in Section 21E of the Exchange Act and the Private Securities Litigation Reform Act of 1995. Actual results may differ materially from those projected in such statements due to various factors, including but not limited to: risks and uncertainties inherent in our business; our ability to attract new customers and retain existing customers; our ability to effectively sell, service and support our products; our ability to manage our international operations; our ability to compete effectively; our ability to develop and introduce new products and add-ons or enhancements to existing products; our ability to continue to promote and maintain our brand in a cost-effective manner; our ability to manage growth; our ability to attract and retain key personnel; the scope and validity of intellectual property rights applicable to our products; adverse economic conditions in general and adverse economic conditions specifically affecting the markets in which we operate; and other risks and uncertainties more fully described in Qlik's publicly available filings with the Securities and Exchange Commission. Past performance is not necessarily indicative of future results. The forward-looking statements included in this presentation represent Qlik's views as of the date of this presentation. Qlik anticipates that subsequent events and developments will cause its views to change. Qlik undertakes no intention or obligation to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. These forward-looking statements should not be relied upon as representing Qlik's views as of any date subsequent to the date of this presentation.

This Presentation should be read in conjunction with Qlik's periodic reports filed with the SEC (SEC Information), including the disclosures therein of certain factors which may affect Qlik's future performance. Individual statements appearing in this Presentation are intended to be read in conjunction with and in the context of the complete SEC Information documents in which they appear, rather than as stand-alone statements. This presentation is intended to outline our general product direction and should not be relied on in making a purchase decision, as the development, release, and timing of any features or functionality described for our products remains at our sole discretion.

© 2014 QlikTech International AB. All rights reserved. Qlik®, QlikView®, QlikTech®, and the QlikTech logos are trademarks of QlikTech International AB which have been registered in multiple countries. Other marks and logos mentioned herein are trademarks or registered trademarks of their respective owners.

• Qlik Sense Security Overview

• Authentication and Authorization

• Proxy security

• User Directory Connectors

• Access Control

• Access control levels in QMC

• Rule Engine

• Section Access

• Standard vs Legacy mode

Qlik Sense Security Overview

Qlik Sense Server Basic Platform

The server platform consists of four services and two clients:

• Repository (QRS)
• Scheduler (QSS)
• Engine (QES)
• Proxy (QPS)
• QMC (Qlik Management Console)
• Hub

Qlik Sense Server Management Console

• Security administration is done in the QMC.
• Streams, security rules, management access rights and audit are all managed there.

Qlik Sense Server Certificates

• A Sense CA certificate is always installed.
• It is used to secure and authenticate the communication between the services (each service presents a certificate issued by the Sense CA).
• It is also used to encrypt data connection strings (lib:// connections).
• The CA certificate can be exported via the QMC.

Qlik Sense Server Proxy

• The Proxy handles user authentication against identity providers.
• By default the Proxy's SSL communication with browsers uses a certificate issued by the internal Sense CA, which browsers do not trust.
• Recommendation: add the thumbprint of a public certificate (one issued by a CA the users' browsers trust) in the proxy settings. Otherwise users see certificate warnings on every visit and learn to click through them, which defeats the point of TLS.

Qlik Sense Server Repository

• The Repository handles user authorization.
• The Repository service synchronizes users and groups from directory providers.

Qlik Sense Server Engine

• The Engine handles Section Access.
• Section Access is authorized against the Repository: the user and group identities it matches on are the ones the Repository holds.

Authentication and Authorization

Proxy

• The Proxy is NOT a webserver.
• The Proxy relays websocket communication between the Engine/Repository and the web browser.
• The Proxy authenticates users against an identity provider.
• Authentication is done by an authentication module (default port 4244).
• Custom authentication modules can be created.
• A "physical" proxy can have several virtual proxy instances.
• Virtual proxies support header and ticket authentication. With header authentication the virtual proxy trusts a user name carried in an HTTP header, so it must only be reachable through the reverse proxy that sets that header; a client that can reach the virtual proxy directly could set the header itself.
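The ticket authentication mentioned above, as an added example that is not part of the original deck and not Qlik's code: the custom authentication module's side of the exchange (the ticket request and the browser redirect) and a constructed in-process stand-in for the Proxy service so the exchange runs offline. The request shapes follow the QPS ticket API (POST /qps/<prefix>/ticket on port 4243, the 16-character xrfkey in both the query string and the X-Qlik-Xrfkey header, the JSON fields UserDirectory / UserId / Attributes, the qlikTicket redirect parameter); the host name, virtual proxy prefix, users and the FakeQps class are assumptions made for the example.

```python
"""Ticket authentication against a virtual proxy, modelled as a message exchange.

A custom authentication module has already verified the user against the identity
provider.  It then asks the Qlik Sense Proxy Service (QPS) for a one-time ticket and
redirects the browser to the virtual proxy with that ticket.  FakeQps is a constructed
stand-in for the QPS side so the example runs offline; it is not Qlik's code.
"""
import secrets
import string
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

XRF_ALPHABET = string.ascii_letters + string.digits


def xrfkey() -> str:
    """16 alphanumeric characters.  The same value must appear in the query string and in
    the X-Qlik-Xrfkey header; a cross-site request cannot set the header, so it fails."""
    return "".join(secrets.choice(XRF_ALPHABET) for _ in range(16))


def ticket_request(server: str, prefix: str, user_directory: str, user_id: str,
                   groups: Optional[List[str]] = None, key: Optional[str] = None
                   ) -> Tuple[str, Dict[str, str], dict]:
    """Build the (url, headers, json body) of the ticket request the auth module sends.
    Against a real server it would be sent with the client certificate exported from
    the QMC, since port 4243 requires it, e.g.
    requests.post(url, headers=headers, json=body,
                  cert=("client.pem", "client_key.pem"), verify="root.pem")."""
    key = key or xrfkey()
    path = f"/qps/{prefix}/ticket" if prefix else "/qps/ticket"
    url = f"https://{server}:4243{path}?{urlencode({'xrfkey': key})}"
    headers = {"X-Qlik-Xrfkey": key, "Content-Type": "application/json"}
    body = {"UserDirectory": user_directory, "UserId": user_id,
            "Attributes": [{"group": g} for g in (groups or [])]}
    return url, headers, body


def redirect_url(server: str, prefix: str, ticket: str) -> str:
    """Where the auth module sends the browser: the virtual proxy's hub, carrying the ticket."""
    base = f"https://{server}/{prefix}/hub/" if prefix else f"https://{server}/hub/"
    return f"{base}?{urlencode({'qlikTicket': ticket})}"


class FakeQps:
    """Constructed stand-in for the QPS side: validates the xrfkey pair, issues tickets,
    and consumes each ticket exactly once when the browser presents it."""

    def __init__(self) -> None:
        self._tickets: Dict[str, Tuple[str, str, List[str]]] = {}

    def post_ticket(self, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        key = parse_qs(urlsplit(url).query).get("xrfkey", [""])[0]
        if len(key) != 16 or headers.get("X-Qlik-Xrfkey") != key:
            return 400, {"error": "xrfkey missing or mismatched"}
        if not body.get("UserDirectory") or not body.get("UserId"):
            return 400, {"error": "UserDirectory and UserId are required"}
        ticket = secrets.token_urlsafe(12)
        groups = [a["group"] for a in body.get("Attributes", []) if "group" in a]
        self._tickets[ticket] = (body["UserDirectory"], body["UserId"], groups)
        return 201, {"UserDirectory": body["UserDirectory"], "UserId": body["UserId"],
                     "Attributes": body.get("Attributes", []), "Ticket": ticket, "TargetUri": None}

    def redeem(self, browser_url: str) -> Optional[Tuple[str, str, List[str]]]:
        """Called when the browser hits the virtual proxy.  Returns the identity the session
        is created for, or None if the ticket is unknown or was already used."""
        ticket = parse_qs(urlsplit(browser_url).query).get("qlikTicket", [None])[0]
        return self._tickets.pop(ticket, None)


def demo() -> Optional[Tuple[str, str, List[str]]]:
    """Full round trip for a made-up user: request ticket, redirect, redeem."""
    qps = FakeQps()
    url, headers, body = ticket_request("sense.example.com", "custom", "CORP", "alice", ["Sales"])
    status, reply = qps.post_ticket(url, headers, body)
    assert status == 201, reply
    return qps.redeem(redirect_url("sense.example.com", "custom", reply["Ticket"]))


if __name__ == "__main__":
    print(demo())  # ('CORP', 'alice', ['Sales'])
```

The two checks worth keeping in mind from this exchange: the ticket API is only as strong as the client certificate that protects port 4243 (anyone holding it can mint a ticket for any UserDirectory/UserId and so become any user), and a ticket is single use, so a replayed redirect URL must not create a second session.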

Qlik Sense access control logical flow

Authentication (Proxy, QPS, together with the identity provider):
1. Start: the Proxy gets the user's credentials.
2. The credentials are verified against the identity provider.
3. The Proxy creates a session for the user.

Authorisation (Repository, QRS, and Engine, QES):
4. Access control: the Repository evaluates the system rules for the user, using the users and groups synced through the User Directory Connectors (UDC).
5. Dynamic data reduction: the Engine applies Section Access to the app for that user.
6. The resource is presented to the user in the Hub or the QMC.

User Directory Connectors

User Directory Connectors

• User Directory Connectors are managed in the QMC.
• They connect to several kinds of directory provider:
  – Active Directory
  – Generic LDAP
  – SQL via ODBC (database)
  – Excel (XLS)
  – Local computer
  – Access database
• Directory catalogs are synced into the Sense database, for performance and node-independence reasons: authorization is decided from the synced copy, not by querying the directory at request time.
• The synced users and groups are used by the Repository's access control system, for both:
  – Management
  – Authorization

User Directory Connector setup

Three sync strategies, depending on how well you know your user base:

Sync All
• Clear the "Sync only existing users" checkbox
• You have a small number of users (below 1500)
• Most of your user base is using Qlik Sense

Selective Sync
• Sync by use of an LDAP filter
• "Tag" Qlik users by an attribute or a group in the directory and filter on it
• Requires a good understanding of who is using the system

Progressive Sync
• Keep the "Sync only existing users" checkbox
• Most users are unknown in advance
• Only active users, those the Repository already knows from a login, end up in the system

Access Control

Access Control

• There are two types of access control:
  – Resource access control: app-level authorization (who may do what with streams, apps, data connections and other resources)
  – Administrator access control: administrative access rights, based on roles
• Access control is based on rules created and managed in the QMC.
• Rules are created with the rule wizard associated with the task at hand.
• Rules can be combinations, such as (Group1 or Group2) and Group3.
• Rules only grant access; there is no deny rule, so every rule you add can only widen what some user may do.
• Use the audit page in the QMC to validate the rules: it shows, per user and resource, what the rule set actually allows.
• In addition there are sync rules, used to synchronize data between nodes.

Access control condition

A rule is evaluated against four inputs and yields Accept or Reject:

• User: who is asking (identity, groups and attributes held by the Repository)
• Resource: what is being accessed
• Action: what is being done with it
• Environment: the context of the request

Resources the rules can cover:
• Stream
• App
• App Object
• Data Connection
• Extensions
• Tasks
• System Rules
• Custom Properties
• Content Library

Actions:
• Create
• Read
• Update
• Delete
• Publish
• Change ownership
• Export

Environment conditions:
• Device
• OS
• IP
• Request type

Default administrator access levels

• RootAdmin: full administrative access
• SecurityAdmin: manages security rules, users and access control
• DeploymentAdmin: manages nodes, services and the deployment
• ContentAdmin: manages streams, apps and other content
• AuditAdmin: read-only access for auditing the rule set
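The rule model described above (user, resource, action, environment in; Accept or Reject out; rules that only ever grant), as an added example that is not part of the deck and not the QMC's own rule engine. It is a hypothetical, simplified evaluator: the resource filter is a glob over the resource type, conditions are plain Python predicates instead of the QMC's rule language, and the users, groups, streams and apps are constructed for the example. It also shows why the audit page matters: a convenience rule that only looks at the environment grants Export to users who cannot even Read the app.

```python
"""Toy model of Qlik Sense security-rule evaluation as described on the slides.

A rule names a resource filter, a set of actions and a condition over
(user, resource, environment).  Rules only grant: a request is Accepted if at
least one enabled rule matches and its condition holds, else Rejected (default
deny).  Hypothetical illustration, not the QMC's rule language or evaluator.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

ACTIONS = frozenset({"Create", "Read", "Update", "Delete", "Publish", "ChangeOwner", "Export"})
Env = Dict[str, str]  # request context, e.g. {"ip": "10.1.2.3", "os": "Windows", "device": "desktop"}


@dataclass(frozen=True)
class User:
    directory: str        # user directory, e.g. "QTSEL"
    name: str
    groups: frozenset     # group names synced by the User Directory Connector

    @property
    def qualified(self) -> str:
        return f"{self.directory}\\{self.name}"


@dataclass(frozen=True)
class Resource:
    kind: str             # "App", "Stream", "DataConnection", ...
    name: str
    stream: str = ""      # stream the app is published to ("" = unpublished)
    owner: str = ""       # qualified name of the owner


@dataclass(frozen=True)
class Rule:
    name: str
    resource_filter: str  # glob over Resource.kind, e.g. "App*"
    actions: frozenset
    condition: Callable[[User, Resource, Env], bool]
    disabled: bool = False


def evaluate(rules: Iterable[Rule], user: User, resource: Resource, action: str, env: Env) -> bool:
    """Accept (True) if any enabled, matching rule's condition holds; Reject (False) otherwise."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    for rule in rules:
        if rule.disabled or action not in rule.actions:
            continue
        if not fnmatch.fnmatchcase(resource.kind, rule.resource_filter):
            continue
        if rule.condition(user, resource, env):
            return True       # first grant wins; nothing can take it back
    return False              # default deny


def audit(rules: Iterable[Rule], users: Iterable[User], resources: Iterable[Resource],
          action: str, env: Env) -> Dict[Tuple[str, str], bool]:
    """What the QMC audit page shows: for each (user, resource), is `action` Accepted?"""
    rules = list(rules)
    return {(u.qualified, r.name): evaluate(rules, u, r, action, env)
            for u in users for r in resources}


def on_lan(env: Env) -> bool:
    return ipaddress.ip_address(env.get("ip", "0.0.0.0")) in ipaddress.ip_network("10.0.0.0/8")


# Constructed sample rules (hypothetical stream and group names).
RULES: List[Rule] = [
    Rule("Read the Everyone stream", "App*", frozenset({"Read"}),
         lambda u, r, e: r.stream == "Everyone"),
    # The slides' "(Group1 or Group2) and Group3" combination, scoped to one stream.
    Rule("Finance readers", "App*", frozenset({"Read", "Export"}),
         lambda u, r, e: r.stream == "Finance"
         and bool(u.groups & {"Group1", "Group2"}) and "Group3" in u.groups),
    # Owners may change their own unpublished apps.
    Rule("Own unpublished apps", "App*", frozenset({"Update", "Delete"}),
         lambda u, r, e: r.owner == u.qualified and r.stream == ""),
]

# A tempting convenience rule: "export is fine from the corporate network".
# Because rules are additive it grants Export on every app to every LAN user,
# including users who may not Read the app.  The audit exposes this.
LAN_EXPORT = Rule("Export on LAN", "App*", frozenset({"Export"}), lambda u, r, e: on_lan(e))

ALICE = User("QTSEL", "alice", frozenset({"Group1", "Group3"}))
BOB = User("QTSEL", "bob", frozenset({"Group2"}))          # in Group2 but not Group3
FINANCE = Resource("App", "Finance P&L", stream="Finance", owner="QTSEL\\alice")
DRAFT = Resource("App", "Bob's draft", stream="", owner="QTSEL\\bob")
LAN = {"ip": "10.8.0.12"}
INTERNET = {"ip": "203.0.113.9"}

if __name__ == "__main__":
    matrix = audit(RULES + [LAN_EXPORT], [ALICE, BOB], [FINANCE, DRAFT], "Export", LAN)
    for (who, what), ok in sorted(matrix.items()):
        print(f"{who:12} Export {what:12} -> {'Accept' if ok else 'Reject'}")
```

Run the audit before and after adding LAN_EXPORT and the difference is exactly the access the new rule leaks; that is the check to make in the QMC's audit page after every rule change, because no later rule can narrow what an earlier one granted.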

Section Access

Section Access Table

Fields used by Section Access in Qlik Sense:

• ACCESS: currently only USER is used
• USERID: the name of the user in the format UD\UID (user directory and user id)
• GROUP: group entries in the QRS, synced from a user directory or injected at the time of authentication
• [REDUCTION]: the field to reduce on, a field that also exists in the data model. A value of * still works, but it means all values listed in the Section Access table for that field, not all values in the data.
• OMIT: fields that should not be available to the GROUP or USERID

Section Access fields removed from QlikView (no longer used in Qlik Sense):

• USERID: a username that QlikView prompted for when opening the document
• PASSWORD: a field that contained an accepted password (clear text)
• SERIAL: a field containing a number corresponding to the QlikView serial number
• NTNAME: AccessPoint username or ticketed identity
• NTSID: a field containing a Windows SID
• NTDOMAINSID: a field containing a string corresponding to a Windows domain SID

section access;
// USERID is matched as UD\UID. A '*' in USERID or GROUP leaves that column
// unconstrained, so row 1 and row 3 match a single user each and row 2 matches
// everyone in the QVnext group. Each row grants one REDUCTION value and hides Region.
load * inline [
ACCESS, USERID,GROUP, REDUCTION, OMIT
USER, QTSEL\flp,*,3,Region
USER, *, QVnext,1,Region
USER, QVNCYCLES\bbr,*,2, Region
];

section access;
// Group-only table: no USERID column at all. Members of TestGrp1 see
// REDUCTION 1, members of TestGrp2 see REDUCTION 2, nobody else can open the app.
load * inline [
ACCESS, GROUP, REDUCTION, OMIT
USER, TestGrp1,1, Region
USER, TestGrp2,2, Region
];

Limitations

• Section Access only works in the server edition.
• Qlik Sense Desktop cannot open apps with Section Access (there is no security implemented in Desktop).
• There are no document properties. The QlikView properties below do not exist in Sense; its behaviour corresponds to them being fixed at:
  – DynamicReduceData: true
  – InitialSelection: false
  – StrictDynamicReduction: true
• It is still possible to lock yourself out: with only the USER access level, the app's owner has no special standing, and a user matched by no row (or whose reduction values do not exist in the data, with strict reduction) cannot open the app. Keep a row that matches an administrator account and check the reload before publishing.
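The reduction the Engine performs for the tables above, including the lock-out case, as an added example that is not part of the deck and not the Engine's code. The Section Access rows are taken from the deck's first table with two rows added for the edge cases; the data rows, user names and groups are constructed. The matching rules are this model's assumptions: USERID and GROUP must both match (with '*' matching anything), comparison is case-insensitive, '*' in the reduction field means all values listed in the table, OMIT is the union over matching rows, and strict reduction denies a user whose allowed values are absent from the data.

```python
"""Toy model of Section Access dynamic data reduction as described on the slides.

The Section Access table (ACCESS, USERID, GROUP, a reduction field, OMIT) is
matched against the authenticated user, written as UD\\UID, and the groups the
Repository knows for that user.  Matching rows decide which values of the
reduction field the user sees and which fields are omitted; a user matched by
no row gets no access at all, which is how you lock yourself out.
Hypothetical implementation, not the Engine's code.
"""
from typing import Dict, List, Optional, Set

Row = Dict[str, str]

# Constructed from the slides' first table, plus two rows for the edge cases.
SECTION_ACCESS: List[Row] = [
    {"ACCESS": "USER", "USERID": "QTSEL\\flp",     "GROUP": "*",          "REDUCTION": "3", "OMIT": "Region"},
    {"ACCESS": "USER", "USERID": "*",              "GROUP": "QVnext",     "REDUCTION": "1", "OMIT": "Region"},
    {"ACCESS": "USER", "USERID": "QVNCYCLES\\bbr", "GROUP": "*",          "REDUCTION": "2", "OMIT": "Region"},
    {"ACCESS": "USER", "USERID": "*",              "GROUP": "QlikAdmins", "REDUCTION": "*", "OMIT": ""},
    {"ACCESS": "USER", "USERID": "QTSEL\\newhire", "GROUP": "*",          "REDUCTION": "9", "OMIT": ""},
]

# Constructed sample data model; REDUCTION is the field shared with the table.
DATA: List[Row] = [
    {"REDUCTION": "1", "Region": "North", "Sales": "100"},
    {"REDUCTION": "2", "Region": "South", "Sales": "200"},
    {"REDUCTION": "3", "Region": "West",  "Sales": "300"},
]


def matching_rows(table: List[Row], userid: str, groups: Set[str]) -> List[Row]:
    """Rows whose USERID and GROUP both match the user ('*' matches anything).
    Comparison is case-insensitive, as section access values are upper-cased."""
    uid = userid.upper()
    grp = {g.upper() for g in groups}
    rows: List[Row] = []
    for row in table:
        if row.get("ACCESS", "").upper() != "USER":   # only USER exists in Sense
            continue
        u = row.get("USERID", "*").upper()
        g = row.get("GROUP", "*").upper()
        if u in ("*", uid) and (g == "*" or g in grp):
            rows.append(row)
    return rows


def reduce_for_user(table: List[Row], data: List[Row], userid: str, groups: Set[str],
                    field: str = "REDUCTION", strict: bool = True) -> Optional[List[Row]]:
    """Rows of `data` the user may see, with OMIT fields removed.
    None means the user cannot open the app at all."""
    rows = matching_rows(table, userid, groups)
    if not rows:
        return None                    # no matching row: locked out
    # '*' in the reduction field means every value LISTED IN THE TABLE, not every value in the data.
    listed = {r[field].upper() for r in table if r.get(field) and r[field] != "*"}
    allowed: Set[str] = set()
    for r in rows:
        value = r.get(field, "*").upper()
        allowed |= listed if value == "*" else {value}
    omitted = {r["OMIT"] for r in rows if r.get("OMIT")}   # assumption: union over matching rows
    visible = [row for row in data if row[field].upper() in allowed]
    if strict and not visible:
        return None                    # strict reduction: no data left means no access
    return [{k: v for k, v in row.items() if k not in omitted} for row in visible]


if __name__ == "__main__":
    for who, grps in [("QTSEL\\flp", set()), ("CORP\\x", {"QVnext"}), ("CORP\\nobody", set()),
                      ("QTSEL\\newhire", set()), ("CORP\\ops", {"QlikAdmins"})]:
        print(who, grps, "->", reduce_for_user(SECTION_ACCESS, DATA, who, grps))
```

The last two sample users show the two ways of being locked out: newhire matches a row, but REDUCTION 9 exists nowhere in the data, so strict reduction denies the app; nobody matches no row at all. Both look identical from the Hub (the app will not open), which is why the table should be checked against the data before publishing.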

Standard vs Legacy mode

Standard vs Legacy mode

Legacy mode
• Backward compatible with QlikView v11 scripts
• Absolute server file system paths are allowed in scripts
• Insecure functions are available in the script

Standard mode
• Data can only be loaded through lib:// data connections (LIB CONNECT TO and lib:// paths)
• Data can only be stored through lib:// data connections
• Insecure functions (like Execute) are disabled
• Insecure system variables are disabled

The difference matters because the load script runs under the Engine's service account. In Legacy mode a script author can read any file that account can reach and, with Execute, run commands as it; in Standard mode the script is confined to data connections that are themselves defined and access-controlled in the QMC.

Summary

• Authentication is handled by the Proxy.
• Authorization is handled by the Repository.
• A Sense CA certificate is always installed.
• Add the thumbprint of a public certificate in the proxy settings.
• User Directory Connectors sync users and groups from directory providers.
• Security management in the QMC is done with rules (rule wizard).
• Section Access still works in Qlik Sense server (the field names have changed).
• Section Access does not work in Desktop.
• Set the Engine to Standard or Legacy mode depending on your needs; Standard is the secure default and Legacy mode should be a deliberate, temporary exception.

Thank You