4 posts in this topic
Our university hospital IT is mandating that all Mac servers that contain PHI be encrypted using FileVault. There is a longstanding and strong recommendation by FMI and posts on this board advising against this for FM server, although there are also some dissenting voices.
The relevant passage on the FM Knowledge base pages (http://help.filemaker.com/app/answers/detail/a_id/9650) reads:
"FileVault: FileVault is a feature that performs on the fly encryption and decryption of data on your hard drive.. However, this added level of security requires additional processing power. Because of this, it is recommended that FileVault not be used in conjunction with FileMaker Server and your FileMaker databases." (Last Updated: Jan 13, 2016 01:47 PM PST)
2 points to mention: First, no discussion of actual incompatibility or corruption risk, just a requirement for extra processing power, suggesting this is simply a possible performance issue. Some of the comments I heard at Devcon and read here suggest much more serious issues - I would appreciate any information or discussion on the specifics here.
Second, the way FileVault is described, i.e., "on the fly encryption ... decryption" suggests this entry and general discussions recommending against FV use are based on the old FileVault v1, which was replaced with FileVault2 in Lion (!) quite a few years ago. According to a discussion yesterday with Apple tech support (with escalation) the current FV2 uses encryption at rest, not on the fly, making it similar/equal to FM's own encryption offering, and this has been the case since 2011. (http://www.cnet.com/news/about-filevault-2-in-os-x-10-7-lion/)
Nevertheless, a discussion with FM tech support yesterday revealed that FM's position on FV is unchanged, and they did not answer my question if this was based on testing with FV2 (with encryption at rest, which should have no performance or other impact on FMserver after the initial boot up) or simply reflects that FM has not revisited this problem since FV2 came out in 2011.
I would appreciate some clarity on this issue. My IT security people are not satisfied with the explanations I tried to give them describing FM's position and are not willing to substitute their current requirement with a third party solution they know nothing about, unless I can give them a coherent and documented explanation.
I am sure this is one of those simple ones… that has me bamboozled for nearly 2 days now.
I need to limit access of my users viewing only a limited set of "Company" records after they log in. The companies that they are allowed to see are listed in each respective user's profile.
My opening script goes to the user's profile and creates a global variable for each company that they are allowed to view.
When I go to the "Manage Security > Edit Privilege Sets > Records > Custom Privileges > Limited > Script", and use any of those variables (e.g. $$Company01"), the records table returns no records at all (i.e. as if there were no matches). When I test the script and use text for any one (or several) of those companies by name (e.g. "ACME PTY LTD"), the access rules work perfectly.
To be clear: The global variables themselves are correct. I know this this because they work in other scripts absolutely perfectly, so the variables DO match the names in the field.
The script looks like this:
$$Company = Table Manufacturer or
$$Company01 = Table Manufacturer or
$$Company02 = Table Manufacturer or
$$Company03 = Table Manufacturer or
$$Company04 = Table Manufacturer or
$$Company05 = Table Manufacturer
In every respect, the variable matches the actual text, but I can only imaging that there is a problem with my syntax?
By Brad Mathews
I must be doing something wrong here - I can't get record access privileges working right.
I am trying to limit viewing of the Teachers table to the currently logged in teacher.
I have a Teacher Privilege Set and all teachers are assigned this set. I have Custom Privileges set for Records. On the Teachers table I have Limited set on the View privilege. My calculation is 'Login = Get(AccountName)' where Login in a field that holds the login name. No records are accessible, all fields just say <No Access>. Using Data Viewer I have double checked to make sure that the Get(AccountName) value is the same as the value in the Login field.
I have even done this calculation: Login = "Brad Mathews" which I KNOW is a valid field value. Still nothing but <No Access>.
I have attached a screenshot showing all of my settings.
I've been researching how people handle logins for WebDirect and my head is swimming with contradictory information.
On my existing website I have 1,775 users. Their account information is stored in a mySQL database. The account information is little more than username, password, company name, and real name.
For the new WebDirect site, I was originally planning to autologin to the file using an account that only had access to the login screen. Then, use custom dialogue to allow the username and password to be entered. I'd use the username as a relationship between the global and the users table, check that the password matches, then do a relogin to a generic user account that has normal view/edit privileges.
But then I read that you're not supposed to "bypass" FileMaker security. I'm not sure if that counts as bypassing.
Then I figured I'd use a script to step through the existing users table and create accounts in the database for all 1,775 users. But then I read that some people had problems with files that had more than 1,000 user accounts.
So, now I don't know what to do. We're not storing credit card information so it doesn't have to be Ft Knox secure but I don't know what direction to go in. I feel like my first option is good enough but wanted to see what some of you thought.
We do have a SSL certificate for the web server.
My FM database is using AD to determine whether a user has access to the db or not. Once logged in, I've used a set of tables & relationships to identify whether the user sees particular layouts, records within tables etc. This has been fine for the small number of teaching staff that have been accessing it to date.
However, I'm now looking at expanding the db so that students are able to access it too. However, I really don't want to maintain a table with student accountnames (1500 students) in order to identify them as a student instead of a member of staff (default home page is different)
Is there a simple way of doing this once they've logged in. Can FM pull AD credential such as the AD group name they belong to that will allow me to check if they are a student etc.
Or is there something I'm missing and a way easier way of doing this?