Introduction
When we started thinking about QVApps we immediately hit an initial question. How can we secure QlikView apps so that developers feel comfortable in selling them online?
As Evan Williams said on an Economist interview some time ago: “We have an itch that we scratch and that becomes the thing.” Not that we dare to compare ourselves to Evan Williams (current CEO of Twitter and one of the founders of Blogger.com), but security was our itch.
It wasn’t an easy answer as with the concept of QVApps we are blurring the line between using QlikView as a “traditional” BI tool and a development platform for generic applications. You certainly understood that we believe that QlikView can become a development platform for applications. We were very pleased to see that some prominent members of the QV community also engaged on this discussion on this thread.
We decided to discuss about the security with our friends from IndustrialCode Box (who are the same guys behind the Qlikster blog). That’s how QVGuard started and how we started exploring more in details the security within QlikView. This image gives you an idea of what you can achieve with QVGuard:
This tutorial is taken from the QVGuard documentation and it originated from our discussions about how to improve the security of QlikView files so that people could feel comfortable in selling their applications online.
You can find QVGuard also on QVApps under the Tools /Add-ons category: QVGuard Studio (Express Edition) and QVGuard Studio (Professional Edition)
Setup Hidden Script
We recommend that you place all your script in a hidden tab. To do this go to the following menu item in the ‘Edit Script’ dialog of QlikView:
Then enter a password for your script:
This will create a new empty hidden script tab:
How to Publish a Secure QlikView App
You should make a copy of your QlikView application which you will then secure so that end users are unable to view or tamper with your scripts, further, the following step will also lock you out from being able to edit the QlikView application’s script, macros and other settings!
Let’s say your application is called “Bank Statement Analyser.qvw”. Save a copy of this and name it “Bank Statement Analyser – Published.qvw”. Open this application and place the cursor at the start of your load script, then on the ‘Edit Script’ dialog click the ‘User Access’ button as highlighted below:
The following form should appear. Ensure you have the checkboxes selected as shown and then click the OK button.
You should then simply enter the word ‘user’ in the first cell and leave the USERID and PASSWORD cells empty. This creates a default user for the document who will not need to enter a username or password when they open your QlikView application.
When you click OK you should have something similar to the following in your QlikView script:
You can now close the ‘Edit Script’ dialog.
Next, go to the ‘Settings’ menu in QlikView and select the ‘Document Properties’ option.
On the form which appears go to the ‘Security’ tab and then ensure that the following options are turned off:
Edit Script
Edit Module
Access Document Properties
Show Progress For Hidden Script
As shown below:
You can of course also turn off other permissions at this point to suit your own requirements.
Next, go to the ‘General’ tab and ensure that ‘Generate Log File’ is also unchecked, as shown below:
As a final precaution, you can password protect the macro module. This is done by clicking on ‘Module Password’ button on the Security tab of the Document Properties dialog in QlikView 9 or my clicking on the ‘Password…’ button of the Macros tab of the Document Properties dialog in QlikView 8.5.
You can now reload your document but before you do this you should double check that you have made the above changes and are doing this reload on a copy of your master QlikView application because this will now lock you out from being able to edit the QlikView application’s script, macros and other settings!
You are now finished. You can distribute your protected application to other QliView users or market it through an online market place such as QVApps.
When you do send your QVGuard protected application to your end user(s), you will probably want to ensure they have installed the QVGuard Client. We would recommend sending them the following links in your communication with them:
http://www.QVGuard.com/download/qvguardclient/ (download page for the QVGuard Client)
http://www.QVGuard.com/docs/qvguardclient/ (user guide for the QVGuard Client)
We will maintain these page urls with the latest download and usage information for the QVGuard Client.
