Qlik Sense: Secured binary loads

Single Source of Truth, Multi-Layer architecture and Binary Load

A multi-layer QVD architecture is a good approach to give end users an accurate, trustworthy and reliable Single Source of Truth.

In this context, binary loads are a critical part of the approach. They allow the power user to easily access the proper Data Model while the Data Team maintains the whole architecture and provides high data quality.

In Sense it is possible to .

For example, with the desktop version:

Binary [C:\Qlik Apps\My Data Model.qvf];

This will binary load “My Data Model.qvf” located on the C drive under “Qlik Apps”.

Sense Enterprise

With Qlik Sense Enterprise, this approach will not work. For security reasons, Qlik Sense Enterprise requires files to be accessed through a “Folder Data Connection”.

Using the previous example and assuming that we have defined a Folder Data Connection “Qlik Apps” which points to “C:\Qlik Apps”, the proper binary load script would be:

Binary [lib://Qlik Apps/My Data Model.qvf];

Therefore the question would be: “How can I export the apps of my Data Model layer to qvf when the scheduled reload is finished?”

Actually, nothing in Sense allows you to do that, but you do not actually need it.

In Sense you can use the app uuid to reference an app. In fact, the app is stored in the working directory of the Sense server as a qvf file named with the app’s uuid (without extension).

In this example, the app “Data Model – Example” has the uuid 193dc96e-0f97-4184-aa76-1a2c08853f4f and is stored in the Sense working directory in a file named 193dc96e-0f97-4184-aa76-1a2c08853f4f.

Assuming that an administrator creates a Folder Data Connection named “Apps” which points to the Working Directory of the Qlik Sense server, then the following binary load works:

Binary [lib://Apps/193dc96e-0f97-4184-aa76-1a2c08853f4f];

That works, but it is an insecure solution: it gives access to all the apps to every user who has access to that particular Data Connection. This should not be used in a production environment.

So, how do you create a secured binary load that securely empowers the end user?

Simply by using a Folder Data Connection which points directly to the app itself.

Creating one Data Connection per Data Model provides a granularity fine enough to easily manage who has access to which Data Model. The Data Model app can then be published in a stream which is only available to the Data Team and refreshed using the standard task management, while the Data Connection gives access to the Data Model app without having to give access to the app itself.

Moreover, thanks to the Qlik Sense Enterprise architecture, the app will be synced automatically to all nodes of the cluster.

Quick How To:

  • First step: as Admin, create a folder Data Connection. It does not matter which folder is configured at first in the hub; it will be changed.
  • Second step: In the QMC, edit the Data Connection just created and replace the “folder” with the path to the app (inside the working directory).
    *Notes: My Working Directory is “D:\Apps”. As this is a “global” connection I usually remove the name of the owner from the connection name.
  • Third step: Using the security rules, give access to the Data Connection to the appropriate users.
  • Fourth step: Use the following binary load in every app based on this Data Model. Important note: no file is specified, and there is no need to, as the Data Connection already contains it.

Binary [lib://Data Model – Example];
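
To check an existing server for the insecure pattern described above, the following added example (not part of the original article and not Qlik code) classifies folder Data Connections by what their path exposes relative to the working directory. It assumes the connections have been exported as a list of records with name, type and connectionstring fields; those field names, the "folder" type value and the sample records are assumptions constructed for illustration.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# App files in the working directory are named with the bare app uuid.
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def classify(folder, working_dir):
    """Say what a folder connection path exposes relative to the working directory."""
    # normpath collapses ".." and trailing separators before comparing;
    # PureWindowsPath compares case-insensitively, as Windows does.
    target = PureWindowsPath(ntpath.normpath(folder))
    work = PureWindowsPath(ntpath.normpath(working_dir))
    if target == work or target in work.parents:
        return "all-apps"      # the working directory or one of its ancestors
    if target.parent == work and UUID_RE.fullmatch(target.name):
        return "single-app"    # points directly at one app file
    return "other"


def audit(connections, working_dir):
    """Map each folder connection name to its verdict; other types are skipped."""
    return {c["name"]: classify(c["connectionstring"], working_dir)
            for c in connections if c.get("type") == "folder"}


# Constructed sample records (assumed export shape, not real server output).
SAMPLE = [
    {"name": "Apps", "type": "folder", "connectionstring": "D:\\Apps\\"},
    {"name": "Data Model – Example", "type": "folder",
     "connectionstring": "D:\\Apps\\193dc96e-0f97-4184-aa76-1a2c08853f4f"},
    {"name": "Qlik Apps", "type": "folder", "connectionstring": "C:\\Qlik Apps\\"},
    {"name": "Sales DB", "type": "OLEDB", "connectionstring": "(constructed)"},
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, "D:\\Apps").items():
        print(f"{verdict:10}  {name}")
```

Any connection reported as all-apps should be removed or narrowed to a single app, and the security rules on each single-app connection reviewed.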