Hi Steven. Hi Wim.
First of all, thanks for taking the time to frame a complete response and for sharing it with me offline before posting it here. That was very professional and much appreciated.
Secondly, I don't disagree with most of the technical content in your response (although I will offer some friendly debate on a few smallish points, below). In fact, as you know, I specifically referenced your prior white papers on FileMaker Security to make sure a comprehensive source on the subject was readily findable by the reader.
That all said, I want first to respond to what I think is your misreading of the intended purpose of FileMaker Inc.'s series of 'How To' articles.
It's my understanding that these articles were never intended to be overtly technical. I believe their intended voice was "let me show you a neat tip" and the target audience was the novice/intermediate TechNet developer wanting to try something unfamiliar or new. A lot of text was removed or revised in my article to help make the examples we presented more conceptually simple and immediately testable.
I'll admit, I'm totally supportive of the hard work you two (and others) have put in working to demystify and clarify any misconceptions about FileMaker Security in general, and EA in particular. This article was never intended to work against that effort.
That said, I guess I just disagree that ALL the technical nuances and pitfalls you point out are really that important or relevant in THIS particular context.
In short: I agree that we could have worded the fundamental premise better (and perhaps avoided much of this misunderstanding). Admittedly, my focus was more on allowing the developer to stay out of the 'Manage Security' dialog box as the file was moved between the local/development 'server' and the production server. You're right, of course, that they can use a FileMaker account to test the privilege set - but then they could easily mistype the External Group name at deployment and 'bang!' - it's broken. For me a sandbox where I can test both 'who am I?' and 'what can I do?' at the same time is a more satisfactory place to tinker. I agree the word 'mimic' would be a better choice than 'replicate'. I agree a few sidebars might have made certain minor points clearer (e.g., short names vs long names) but they would have also made the article MUCH longer. I agree installing FileMaker Server on a laptop or desktop is generally ill-advised, but I also note it's a GREAT way for a developer to learn how the tools work, and to study for the Developer Certification exam. I disagree that we should ever bring up the Mac OS keychain as an analog of ANY kind to Single Sign On; this is one place where I may be stricter than you two ;-) I note the Workgroup Manager software for OS X is not technically supported for anything but OS X Server, which we presume most people would not run on their local laptop. As such, I deliberately left it out and opted for the simpler approach using System Preferences.
In conclusion, I think you might overstate the damage done by less-technical articles like this one. While I'd normally argue for dogmatic, hyper-technical accuracy any day of the week (just ask my team!), when I'm in training mode – where I have to let things slide and adopt analogies and examples that will work best for the audience – I've learned to just set that desire for detail aside (for the moment) and focus on basic comprehension.
Thanks again for inviting me to reply,