
External Server Authentication and Multiple Group Membership in Win Active Directory


Hi all,

I am not very familiar with how External Server Authentication works when a user belongs to more than one group in the Windows Server Active Directory. Need guidance and help to address the issue below.

Let us say that I have two user groups in Windows Active Directory, GroupA and GroupB, and a FileMaker Solution named FMProj has three layouts (i.e., Layout01, Layout02 and Layout03).

(1) Users of GroupA can access Layout01.

(2) Users of GroupB can access Layout01 and Layout03 using the if condition in the script (i.e., get(AccountGroup) ="GroupB").

User Jan.Doe is a member of both GroupA and GroupB and we want her to be able to access Layout01 and Layout03 in the context of the FileMaker Solution "FMProj".

At this point, the function get(AccountGroup) for Jan.Doe returns GroupA only. Hence, Jan.Doe is unable to access Layout03, despite being a member of both GroupA and GroupB.

Wonder what would be a good approach to handle this multi-group situation and achieve what we intend to. Advice would be greatly appreciated.

Regards,

Jim

When the user is authenticated and the list of Groups is returned by the Identity Provider to FileMaker Server, the user's privileges are determined by the first matching group when the list of groups in FileMaker Server is viewed by Authentication Order. This is found in the Accounts tab. Presently there is no combining of Groups. You likely will need to make a new Group to reflect this hybrid scenario.


Steven H. Blackwell

Platinum Member Emeritus

The first matching group is determined by how you list your groups on the FM side; note the "priority" column in the list of accounts.

FM's security scheme is role-based, meaning that each AD Group maps to a single privilege set. You should manage access to layouts in the privilege set and not in the script. In your scenario, if the user can find a way to navigate to a layout without using a script then your fake security implementation will fail.

For Jane.Doe's access to work you need to place Group B higher in the FM list than group A.  That way her dual membership will kick in first for Group B and she will get the desired level of access.

Hi Steven and Wim,

Really appreciate your advice, which is all very helpful.

A related question: In Windows Active Directory, a user can be assigned to a primary security group. Wonder if that would have any bearing on the priority of External Server Authentication. Thanks.


No it does not.

It's the order of the accounts (groups) in the FM file that determines which one FM will use first.
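As an added example (not code from the thread or from FileMaker), the Python below models the resolution rule described in the replies above: the first group account in the Accounts tab's authentication order that the user belongs to determines the privilege set, with no combining of groups. It also flags users whose effective access depends on that order, which is what an administrator would want to review before reordering the list. The group names, privilege sets, layouts and directory data are constructed for illustration.

```python
# Added example (not code from the thread): simulates how FileMaker Server
# picks ONE group account for an externally authenticated user. Assumptions,
# constructed for illustration: the IdP returns the user's AD group list; the
# Accounts tab lists group accounts in authentication order (priority 1 first);
# the first listed group the user belongs to wins; nothing is combined.
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupAccount:
    name: str            # AD group name as entered in the Accounts tab
    privilege_set: str   # privilege set this group account maps to
    layouts: frozenset   # layouts that privilege set allows (constructed)

def resolve(authentication_order, user_groups):
    """First group account in authentication order whose name is among the
    user's AD groups (what Get(AccountGroupName) reports), else None."""
    member_of = set(user_groups)
    for account in authentication_order:
        if account.name in member_of:
            return account
    return None

def allowed_layouts(authentication_order, user_groups):
    """Layouts the resolved privilege set permits; empty if no account matched."""
    account = resolve(authentication_order, user_groups)
    return account.layouts if account else frozenset()

def ordering_sensitive_users(authentication_order, directory):
    """Audit helper: users who belong to more than one listed group with
    differing privilege sets, so their access depends on the list order."""
    flagged = {}
    for user, groups in directory.items():
        matching = [a for a in authentication_order if a.name in set(groups)]
        if len({a.privilege_set for a in matching}) > 1:
            flagged[user] = [a.name for a in matching]
    return flagged

GROUP_A = GroupAccount("GroupA", "GroupA_privs", frozenset({"Layout01"}))
GROUP_B = GroupAccount("GroupB", "GroupB_privs", frozenset({"Layout01", "Layout03"}))
# Constructed directory data: Jan.Doe is a member of both groups.
DIRECTORY = {"Jan.Doe": ["GroupA", "GroupB"], "Bob": ["GroupA"], "Eve": ["GroupB"]}
ORIGINAL_ORDER = [GROUP_A, GROUP_B]  # GroupA first: Jan.Doe resolves to GroupA
FIXED_ORDER = [GROUP_B, GROUP_A]     # GroupB first: Jan.Doe gains Layout03

if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("reordered", FIXED_ORDER)):
        acct = resolve(order, DIRECTORY["Jan.Doe"])
        print(label, acct.name, sorted(allowed_layouts(order, DIRECTORY["Jan.Doe"])))
    print("order-sensitive users:", ordering_sensitive_users(ORIGINAL_ORDER, DIRECTORY))
```

Running it shows Jan.Doe resolving to GroupA under the original order and to GroupB after reordering, while Bob and Eve are unaffected either way.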
