Behavior Change API Privileges In Version 16

One of the best new security features in the FileMaker 16 Platform is that, by default, several external Application Program Interfaces (APIs) are off and disabled.  AppleEvents, ActiveX, and FMPURL Perform Script are all still there.  But developers must specifically select and enable them.

This feature prevents unauthorized manipulation and interaction with FileMaker Pro files, both stand-alone and hosted by FileMaker Server.  Such manipulation can be used to alter data, destroy data, create data, run scripts, and in some instances, manipulate the User Interface. Such attacks can have significant impact on FileMaker Platform business solutions as described in FileMaker Security BLOG post found at http://fmforums.com/blogs/entry/1652-security-vulnerabilities-of-filemaker-platform-api’s-an-update/

If developers do use AppleEvents, ActiveX, or FMPURL Perform Script in solutions, and they wish to use FileMaker® Pro 16, then they must now specifically enable the desired Privilege Bit for these APIs.  This can be done on a Privilege Set specific basis.  If developers do not enable these privileges, then the solutions will not perform as designed.  This is true irrespective of whatever settings might have been in earlier versions.

To enable the specific privilege, go to Manage Security and select the Extended Privileges section.  Then check the desired option, as shown here:

Following this practice will allow the specific API to interact with the file as desired.

Steven H. Blackwell

Platinum Member Emeritus, FileMaker Business Alliance