External Server Authentication and Multiple Group Membership in Win Active Directory


This topic is 700 days old. Please don't post here. Open a new topic instead.

Hi all,

I am not very familiar with how External Server Authentication works when a user belongs to more than one group in the Windows Server Active Directory. Need guidance and help to address the issue below.

Let us say that I have two user groups in Windows Active Directory: GroupA and GroupB, and a FileMaker Solution named FMProj has three layouts (i.e., Layout01, Layout02 and Layout03).

(1) Users of GroupA can access Layout01.

(2) Users of GroupB can access Layout01 and Layout03 using the if condition in the script (i.e., get(AccountGroup) = "GroupB").

User Jan.Doe is a member of both GroupA and GroupB and we want her to be able to access Layout01 and Layout03 in the context of the FileMaker Solution "FMProj".

At this point, the function get(AccountGroup) for Jan.Doe returns GroupA only. Hence, Jan.Doe is unable to access Layout03, despite being a member of both GroupA and GroupB.

Wonder what would be a good approach to handle this multi-group situation and achieve what we intend to. Advice would be greatly appreciated.

Regards,

Jim

When the user is authenticated and the list of Groups is returned by the Identity Provider to FileMaker Server, the user's privileges are determined by the first matching group when the list of groups in FileMaker Server is viewed by Authentication Order. This is found in the Accounts tab. Presently there is no combining of Groups. You likely will need to make a new Group to reflect this hybrid scenario.

Steven H. Blackwell

The first matching group is determined by how you list your groups on the FM side; note the "priority" column in the list of accounts.

FM's security scheme is role-based, meaning that each AD Group maps to a single privilege set. You should manage access to layouts in the privilege set and not in the script. In your scenario, if the user can find a way to navigate to a layout without using a script, then your fake security implementation will fail.

For Jane.Doe's access to work you need to place Group B higher in the FM list than Group A. That way her dual membership will kick in first for Group B and she will get the desired level of access.

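To make the first-match rule described in the two replies above concrete, here is a small Python model added to this thread (it is not FileMaker code and not from any poster): it resolves a user's effective privilege set from an ordered account list and flags users whose lower-priority group membership is silently ignored. Group, privilege-set and user names are constructed for the example.

```python
# Model of the behaviour described in the thread: FileMaker Server maps each
# external group to one privilege set, and a user who belongs to several
# groups receives the privilege set of the FIRST matching group in the
# server's authentication order. Groups are never combined.
# All data below is constructed for illustration, not taken from a real server.

# Ordered (external group, privilege set) pairs as listed on the Accounts tab,
# highest priority first. AS_CONFIGURED mirrors the original poster's setup;
# REORDERED applies the fix suggested in the replies (GroupB above GroupA).
AS_CONFIGURED = [("GroupA", "Layout01 only"), ("GroupB", "Layout01 and Layout03")]
REORDERED = [("GroupB", "Layout01 and Layout03"), ("GroupA", "Layout01 only")]

# Constructed directory: which groups each user belongs to.
DIRECTORY = {
    "Jan.Doe": {"GroupA", "GroupB"},
    "Al.Smith": {"GroupA"},
    "Bo.Lee": {"GroupB"},
}


def effective_privilege_set(user_groups, account_order):
    """Return the privilege set the user actually gets: the first entry in
    authentication order whose group the user is a member of, else None."""
    for group, privilege_set in account_order:
        if group in user_groups:
            return privilege_set
    return None


def shadowed_users(directory, account_order):
    """Audit check: map each multi-group user to the groups that never take
    effect for them because a higher-priority group matched first.
    Reviewing this list tells an admin whose access is decided by ordering
    alone and where a dedicated hybrid group may be the safer choice."""
    result = {}
    for user, groups in directory.items():
        matches = [g for g, _ in account_order if g in groups]
        if len(matches) > 1:
            result[user] = matches[1:]
    return result


if __name__ == "__main__":
    for order_name, order in (("as configured", AS_CONFIGURED), ("reordered", REORDERED)):
        print(order_name, "->", effective_privilege_set(DIRECTORY["Jan.Doe"], order))
        print("  shadowed:", shadowed_users(DIRECTORY, order))
```

Run as a script it prints Jan.Doe's effective privilege set under both orderings and the shadowed-membership report for each.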
Hi Steven and Wim,

Really appreciate your advice, which is all very helpful.

A related question: In Windows Active Directory, a user can be assigned to a primary security group. Wonder if that would have any bearing on the priority of External Server Authentication. Thanks.
