Missing something obvious: Create/Delete in custom Privilege Set

[TimR]

I am very new to FileMaker but not databases and development.  I'm having a problem with Create/Delete in custom privilege sets.  Edit/View are working as I would expect.  I'm certain I'm missing something glaringly obvious.

 

I'm currently playing with the 30 day eval of FileMaker Pro 13 and FileMaker Server 13 to create a proof of concept.

 

For the most part, other than some fumbling and the occasional online search to figure out how something is done in FileMaker compared to other environments, everything is working as I would expect.

 

Except for custom Privilege Sets.  As I said, I'm convinced I'm missing something obvious.  Any pointers appreciated.

 

I'm using External Server (Windows A/D) for user authentication in my privilege set and testing on FileMaker Server 13 via WebDirect.  That works.  If I'm a member of the group, I can log in.  If I'm not, log in does not work.

 

If I apply the built in [Full Access] privilege set, my external user can do it all.  If I use the built in read-only, that too works.

 

If I create a custom Privilege Set, both viewing and editing work as I would expect.  If I say the account cannot view, I can't see records in that table.  Conversely, when I say the account can see the records, I can see them.  I can even create custom rules for viewing/editing, and those work exactly as I want and expect.

 

However, I cannot seem to get any custom rule set that allows creation/deletion of records.  I even tried effectively copying the [Full Access] ruleset.  I granted "Create, edit, and delete in all tables" and "All Modifiable" for all layouts.  My externally authenticated user cannot create/delete when using that Privilege Set, but can view/edit all records.

 

Any thoughts, ideas or suggestions welcome.

[Kris M]

Are you building a multi file solution?

The reason I ask is learning how FM handles propagation of permissions across many files is always a headache at the beginning.

You might want to post the file so the denizens of this forum can diagnose the issue

[TimR]

Thanks for the quick reply.  Nope, not multi-file.

 

And, I realize testing this will be difficult because I'm tying the login to an A/D group. 

 

Heck, testing it for me has been a pain because every time I change security to try to get it to work, I have to exit the WebDirect db, close the db in the admin interface, overwrite the db with FM Pro, open the db in the admin interface, and finally open the db in WebDirect to test.

 

If nothing obvious pops up, I'll either post the file or see if I can create a minimal example of what I'm seeing for posting.

[Fitch]

Available menu commands: All?

PS: I suppose it's a "best practice" to close the file when making security changes, but in practice you don't have to. It's pretty much an every day occurrence around here.Make yourself a "re-login" script too.

[Steven H. Blackwell]

OK, first, do not allow externally authenticated users to have [Full Access] to the files.  This is a huge security vulnerability.

 

Second, as Tom Fitch recommends, check the setting in the Privilege Set for Available Menu Commands.  By default, that is set to Minimum.  You may need to set it to Edit Only or to All.

 

Third, you can not duplicate or otherwise create a [Full Access] Privilege Set.  You must use the default one supplied by the product.

 

Please report back as to how this is working after further adjustment.  That way we can continue to assist you to get it working correctly.

 

Steven

[TimR]

Thank you both.

 

The issue was the available menu commands set to minimal.  Changing to all fixed it, and I now know what I need to read up on to understand things better.

 

As I said in my first post, I was certain it was something obvious I was missing.

 

And, Steven, I appreciate the advice.  Ultimately, I had hoped to have a Boolean calculation for edit privileges, but when that wasn't working, I was dropping back the restrictions to try to determine what I was missing.

 

Right now, I'm using the evaluation copy of FileMaker Server, which only allows once connection.  However, now that this forum has helpfully solved my last issue, I will be recommending a purchase.

 

I imagine that as we stumble through our first dbs, I will be back.

 

Thanks again to all!