administering user accounts

[TASC]

Hi,

I am new to filemaker 9 security. Is there a way to give a user access to create accounts and change privilege sets and passwords only? I don't want this user to have full access to the file. I just want them to be able to manage user access to the database.

So I would have a user called Administrator who could create a new user and select a privilege set for that user and set the user's password.

Thanks in advance for any feedback.

Constance

[bcooney]

Absolutely! However, you need to build it. This is a step-by-step how to from the FM Advisor site. You may need a subscription to read this, but it'll be well worth it. User Account Management System

Yikes! Just saw that you're in FM6. I'm not sure if this article will help or confuse. The principles are the same but the functions may not be available in FM6. Upgrade FM?

Edit: Your profile says FM6, but you start off saying you're in FM9.

Edited November 10, 2007 by Guest

[Steven H. Blackwell]

Sure.

This can be done by use of any of the Account steps in ScriptMaker. Or, if you're using FileMaker Server, just use External Server Authentication and pass the Accounts off to the Server.

You can read more about all this in the Security Tech Brief or in the Server External Authentication Tech Brief.

Steven

[Steven H. Blackwell]

I would be very cautious of any approach advocated that does not closely adhere to the FIleMaker Pro or FileMAker Server developed system. Most, if not all, of these ersatz systems are easily crackable.

Steven

[bcooney]

The Advisor article isn't an ersatz system. It simply shows how to use the Account script steps in action.

[TASC]

Thanks for your reply. We are just now upgrading to fm9. Yikes is right! It's quite a process, but we'll get there,

Thanks again for your suggestions.

Constance

[TASC]

Thanks Steven, for your suggestions. This is exactly what I ended up doing, using scripts. However, there is one thing I have not figured out how to do. How do you change an existing user's privilege set through a script? Can you?

Constance

[Fenton]

No. But, if you've scripted creation of accounts, you'll find that it's even easier to script deletion of an account. All you need is the account name. So what you do is delete the account (in all files, via the script), then recreate the same account with the different privilege set. It takes very little time to delete an account, even in multiple files.

If you don't know their the password (and you likely wouldn't in a secure setup), then you can create the account with a temporary (simple) password, and check the option to have the user create their own password the first time they log in. They would need to have the access privilege to do that.

The end result, from the user's point of view, is they get their same account and password back, with a shiny new privilege set -]

[Steven H. Blackwell]

Of paramount importance in any of these approaches is the need to [color:red] trap for and to manager errors that will almost inevitably occur, especially in a multi-file environment. This is just one of the reasons for recommending External Serever Authentication.

Steven