October 24, 2006
Hi, does anyone have a template or sample file to an account management interface? I want to use the native FileMaker account setup, however, I do not want the accounts admin to always go to the menu and select 'Define Accounts & Privileges'. I know I can use scripts to allow the accounts admin to create, delete, and modify the priv set for users but I wanted to see if there was an eloquent solution out there. Also is there a way to script changing privilege sets?
Edited October 24, 2006 by Guest
October 24, 2006
"Also is there a way to script changing privilege sets?"
Delete the Account and then recreate it with a different Privilege Set. By intent and design you cannot dynamically select the Privilege Set through a script.
Steven
October 25, 2006 Author
Hi Steven, I have been reading many of your posts on here and am considering possibly moving to External Authentication. I have also read both of your tech briefs. However, for some reasons, I must still create a user-specific table where I can store user-specific customized data for each user. So I would have liked to see an example of an interface where I can have a superuser create, delete, and assign privilege sets for users. Then I guess I would have to create a record in that table in the same script as creating an account to create this user-specific record. I guess I can use the username as a key. Any thoughts?
October 25, 2006
Johnny5, I can speak about Windows external authentication but not Mac. In a Windows environment an individual can be placed into an existing FM group without even cracking open FM. It's all done using ADUC. You simply make the user a member of the proper FM security group.
I have a table in FM with a record for each user. The primary key in that table is the AccountName, which is their Windows username. I do not store any passwords in this table nor do I use it for controlling access. I use native FM security to grant and revoke access to everything in FileMaker. However, as you noted, I need to associate lots of other information to each user such as title, department, home office, phone number, fax number, picture, etc., and keying off the account name is a great way to do it.
I created a startup script that looks for the existence of a user record in that table when the user first logs on. If it doesn't find a record it displays an informative message and closes the connection. This is as close as I come to using it for security. I don't depend on it for security, just ancillary information about the user.
It works well but there is one negative. Almost all of that type of information is already stored in the Active Directory. It goes against my grain to duplicate information because you have to keep everything in sync either automatically or manually. You change a name in AD, you have to remember to change it in FileMaker and anywhere else too. What I would really like is to pull the info from AD into FM at the beginning of a user's session. I've had some luck with the SmartPill plugin but it is still in beta so I don't want to rely on it.
October 25, 2006
I believe this can be done with a piece of VBS middleware that queries Active Directory.
Steven
October 25, 2006 Author
Thanks for the reply Ted. That was precisely what I was worrying about. If the user name changes in Active Directory, what would I do? I can't exactly delete the user record in FileMaker due to historical reasons, as well as what happens if the user leaves and the account is deleted in Active Directory. I have no control over what happens on the Windows server so it worries me.
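An added example, not part of the thread and not any poster's code: one way to handle the rename and deletion cases raised above is to key the per-user table on a stable directory identifier rather than the account name, and to deactivate rows instead of deleting them. It assumes Active Directory's objectGUID as that identifier and a constructed directory export; `Profile`, `reconcile` and `startup_lookup` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    guid: str            # stable directory ID (assumption: AD objectGUID)
    account_name: str    # login name matched at session start
    active: bool = True  # inactive rows are kept so history stays linked

def reconcile(profiles, directory):
    """Sync the local user table with a directory export.

    profiles:  dict guid -> Profile (the ancillary user table)
    directory: dict guid -> current account name
    Returns a list of (action, guid) tuples describing what changed.
    """
    changes = []
    for guid, name in directory.items():
        row = profiles.get(guid)
        if row is None:
            profiles[guid] = Profile(guid, name)
            changes.append(("created", guid))
        elif row.account_name != name or not row.active:
            # A rename keeps the same guid, so only the name is updated.
            row.account_name, row.active = name, True
            changes.append(("updated", guid))
    for guid, row in profiles.items():
        if guid not in directory and row.active:
            row.active = False  # never delete: historical records refer to it
            changes.append(("deactivated", guid))
    return changes

def startup_lookup(profiles, account_name):
    """Startup check as described in the thread: active profile or None.

    This only fetches ancillary data; access control stays with the
    native account and privilege set.
    """
    wanted = account_name.lower()  # Windows account names ignore case
    for row in profiles.values():
        if row.active and row.account_name.lower() == wanted:
            return row
    return None

# Constructed sample data: g-001 was renamed, g-002 removed, g-003 is new.
PROFILES = {"g-001": Profile("g-001", "jsmith"),
            "g-002": Profile("g-002", "mlee")}
DIRECTORY = {"g-001": "jsmith-jones", "g-003": "tnew"}

if __name__ == "__main__":
    print(reconcile(PROFILES, DIRECTORY))
    print(startup_lookup(PROFILES, "JSmith-Jones"))
```

Because inactive rows are skipped at lookup, an account name later reassigned to a different person does not pick up the departed user's profile.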
October 26, 2006 Author
Steven, is there a sample file of how you implemented a superuser interface?
October 26, 2006
"Is there a sample file of how you implemented a superuser interface?"
What is this? I don't recall mentioning this? Perhaps I am misunderstanding your question.
Steven
October 27, 2006 Author
I was referring to something like this: http://www.fmforums.com/forum/showtopic.php?tid/179100
I want to create an interface where I can have someone, whom I have designated as a so-called Admin or superuser, be able to add, delete, inactivate, activate, or modify user accounts.
October 27, 2006
OK, I see what you're talking about now. I don't have any files for this purpose.
Steven