Architecture and Security
Enterprise Considerations
Michael Robertshaw, Miha Batic
Legal Disclaimer
This Presentation contains forward-looking statements, including, but not limited to, statements regarding the value and
effectiveness of QlikTech's products, the introduction of product enhancements or additional products and QlikTech's growth,
expansion and market leadership, that involve risks, uncertainties, assumptions and other factors which, if they do not
materialize or prove correct, could cause QlikTech's results to differ materially from those expressed or implied by such
forward-looking statements. All statements, other than statements of historical fact, are statements that could be deemed
forward-looking statements, including statements containing the words "predicts," "plan," "expects," "anticipates," "believes,"
"goal," "target," "estimate," "potential," "may", "will," "might," "could," and similar words. QlikTech intends all such
forward-looking statements to be covered by the safe harbor provisions for forward-looking statements contained in Section 21E of
the Exchange Act and the Private Securities Litigation Reform Act of 1995. Actual results may differ materially from those
projected in such statements due to various factors, including but not limited to: risks and uncertainties inherent in our
business; our ability to attract new customers and retain existing customers; our ability to effectively sell, service and support
our products; our ability to manage our international operations; our ability to compete effectively; our ability to develop and
introduce new products and add-ons or enhancements to existing products; our ability to continue to promote and maintain
our brand in a cost-effective manner; our ability to manage growth; our ability to attract and retain key personnel; the scope
and validity of intellectual property rights applicable to our products; adverse economic conditions in general and adverse
economic conditions specifically affecting the markets in which we operate; and other risks more fully described in QlikTech's
publicly available filings with the Securities and Exchange Commission. Past performance is not necessarily indicative of
future results. The forward-looking statements included in this presentation represent QlikTech's views as of the date of this
presentation. QlikTech anticipates that subsequent events and developments will cause its views to change. QlikTech
undertakes no intention or obligation to update or revise any forward-looking statements, whether as a result of new
information, future events or otherwise. These forward-looking statements should not be relied upon as representing
QlikTech's views as of any date subsequent to the date of this presentation.
This Presentation should be read in conjunction with QlikTech's periodic reports filed with the SEC (SEC Information),
including the disclosures therein of certain factors which may affect QlikTech’s future performance. Individual statements
appearing in this Presentation are intended to be read in conjunction with and in the context of the complete SEC Information
documents in which they appear, rather than as stand-alone statements.
© 2011 Qlik Technologies Inc. All rights reserved. QlikTech and QlikView are trademarks or registered trademarks of Qlik
Technologies Inc. or its subsidiaries in the U.S. and other countries. Other company names, product names and company
logos mentioned herein are the trademarks, or registered trademarks of their owners.
Architecture and Security
• Michael Robertshaw
– Enterprise Architect
• Miha Batic
– Expert Services Consultant
• Twitter: #BDWT2012
Agenda
• 1 – Physical Architecture
– Single server
– Scaling
– Example Implementations
• 2 – Security
– Authentication
– Authorisation
• 3 – Data / Artefacts
• 4 – Administration
– Lifecycle
– OTAP
– Delegation
– EDX
Architecture: QlikView Back-End
• QlikView Publisher Reload Task executes the Script in the QlikView Document and loads Data into the Document
• QlikView Server loads the document into RAM for fast delivery of Layout and Data to connected Clients
• Publisher can distribute PDF (extra license) or QVW to Email Recipients and to Disk.
• Document tasks are configured using QlikView Management Console (AJAX)
• Document tasks can be scheduled internally by time or prior task status, or externally using an Enterprise Scheduler
Single Server
• “Server Reloads” (No Publisher LEF)
• Typical Starting Point
– 24GB RAM
– 4+ Cores
– 100GB Hard Disk
Separate Front End from Back End
• Improve Security
• Reduce Resource Contention
• Two Servers
• Publisher LEF required
• Phase in FileServer/NAS or use Back End Host for all Storage
• Perform Document Development on Back End via Terminal Services Client
Scale Out Front End for High Availability
• Two Front End hosts
– Each has WebServer and QvS
– Load Balancer distributes Web
– AccessPoint distributes QvS
• Publisher LEF required
• All hosts access Documents, Config on FileServer/NAS
• Perform Document Development on Back End via Terminal Services Client
Example: Pharmaceuticals Manufacturer
https://eu1.salesforce.com/0012000000I7SDT
Example: Coatings Manufacturer
https://eu1.salesforce.com/0012000000I7SyJ
Example: Hardware Manufacturer
Hardware Considerations
• Use Virtualisation cautiously → Assists with DR but not Performance
– Use Dedicated Resource Pool, Disable Memory Ballooning
• Avoid AMD → surprisingly poor performance on large hosts
• Avoid NUMA (QPI) → Memory Access performance degrades
• Typical Starting Point
– 24GB RAM
– 4+ Cores
– 100GB Hard Disk
Authentication
• Out of the Box: Internal users login to AD then use NTLM
• Configuration: External users login to Proxy then use Header
• Development: Integration into Other authenticating application uses WebTicket
• One WebServer per Authentication Method
Authorisation
• Document Authorisation – what documents may you see & open
– NTFS: Windows controls File Access
– DMS: QlikView controls File Access
• Data Authorisation (often called “Row Level” or “Granular” security) controls what data IN the document you can analyse
– Dynamic data reduction using Section Access
– Static data reduction using Loop & Reduce
Data Architecture
[Diagram: data architecture; surviving labels: /QVX, Self Service BI, Business Discovery]
Folder Organisation
Workflow / Lifecycle
Components: QlikView Developer, QlikView Publisher, QlikView Server, WebServer, QlikView Client
• Document is created
• Document is deployed to QlikView Publisher
• Document is Reloaded
• A personalized copy of the document is created
• Document Security is applied to the personalized document
• The document is distributed to QlikView Server
• The document is available for on-line analysis
• Documents are shown to the user if they have sufficient permissions to view it
• Users try to access the documents
• User credentials are checked
• Users analyze the document
• Users submit feedback on the document
• Document is enhanced
Content Promotion (Change Control, OTAP)
Delegated Administration
• IT (or Outsource Partner) administers the Server Configuration using QEMC (QlikView Administrators)
• Business Units administer their Documents without ability to break things
Accessing QEMC as hr-admin
QlikView 10/11 System Monitor v3.2
Event Oriented Scheduling
Event Oriented instead of Best Guess Schedule
So .... the Questions I ask:
1. Who are the User Communities?
a) Are they Internal or External? → Proxy, Firewalls, ExtraNet?
b) How do they Authenticate? → OOTB / Header / Ticketing? Multiple WebServers
c) Where are they defined? → can we use that for Document Authorisation?
2. How do they Access QlikView? How frequently?
a) Iframe, WebParts, Workbench? → special integrations may be needed
b) Mobile Devices? → Document Design and Connectivity considerations
c) Offline Usage (roaming)? → Need Named CALs
3. Service Level Agreements (SLAs)
1. High Availability requirements? → Clustered QvS, WebServers
2. Frequent or Business Hour reloads? → separate Publisher server
4. Who are the Content Administrators? → Delegated access to QEMC
Stay Qonnected
• Michael Robertshaw
• Miha Batic
Thank You