OS Level Scripting and Account Privileges: A New FileMaker Server® 11 Feature

[Steven H. Blackwell]

[blurb]

OS Level Scripting and Account Privileges: A New FileMaker Server® 11 Feature

By:

Wim Decorte and Steven H. Blackwell

FileMaker Server and FileMaker Server Advanced both allow for the running of OS level scripts such as VB Scripts, Windows batch files, Shell scripts and AppleScripts. FileMaker Pro developers must manage privileges that such scripts require to execute properly in these instances. Because they are triggered by FileMaker Server they run in the Local System bubble on Windows and the fmserver bubble on Macintosh. Frequently these accounts do not have privileges that the OS level script needs to perform the action a developer might assign it. A frequently encountered example is copying files from the FileMaker Server machine to some other location on the network.

While there have been workarounds to address this issue, often times they are complex and convoluted. In the just released FileMaker® Server 11 Advanced, FileMaker, Inc. added the ability to specify alternate Accounts (and therefore alternate privileges) for OS level scripts. This however raises several new questions. We want to offer some suggestions for best use of this new feature.[/blurb]

1. What is an OS level script?

Both Windows and Mac support various types of OS level scripts; these are typically plain text files containing a few lines of executable code saved with a specific extension so that the Operating System knows how process them.

They can range from simple commands contained in Windows batch files (with either the .BAT or .CMD extension) and Shell scripts on Mac (with the .sh extension) to very complex code in VBscript and PowerShell scripts on Windows and AppleScripts on Mac.

Note that FileMaker Server supports these kinds of OS-level script to be executed from a FileMaker Server schedule:

- batch / command files on Windows

- VBscripts on Windows

- Shell scripts on Mac

- AppleScripts on Mac

2. What is a system level account and why is it needed?

By default FileMaker Server runs under the “Local System” account on Windows and under the fmserver account on Mac. This is done so that security can be kept tight and controlled and to avoid having to use custom accounts that need to be documented and potentially need to be maintained (frequent password changes, account expiration,…).

Using the Local System account (Windows) and the fmserver account (Mac) is the safest possible deployment. It also allows for the FileMaker Server executable to be run with no user actively logged into the server machine, thus enhancing security and performance.

3. What privileges does an alternate Account need to have vis a vis FileMaker Server itself?

Depending on the task that you are automating with the OS-level script, you may require your script to create, copy or move files from different areas on the FileMaker Server machine or from across the network.

On Windows the “Local System” account can reach all files and folders on its own machine but not on the network. On Mac, the fmserver account has even more strict privileges in that it will not be able to create or copy files in folders that it has not been explicitly given rights to, even on the FileMaker server itself.

Rather than changing the account that the FileMaker Server service runs under on Windows or giving the fmserver account or the fmsadmin group access to folders and files outside the normal FileMaker Server folder structure, using FileMaker Server 11 you can now specify explicit credentials to use for FileMaker Server schedules that run OS-level scripts (either by themselves or as part of a script sequence).

4. What are some examples of actions these OS level scripts can now perform more easily than was the case in the past?

The most common command actions in OS-level scripts are pulling files from across the network to the FileMaker Server machine for nightly import routines. Or the reverse, scheduled exports from FileMaker Server that need to be pushed to a network share.

5. Where can I learn more about OS level scripts in FileMaker® Server 11 and FileMaker Server 11 Advanced?

FileMaker Server schedules that use OS-level scripts are covered extensively in VTC’s FileMaker Server video training tutorial [http://www.vtc.com]. Any questions you may have can always be posted to the FileMaker Server section of fmforums.com or the excellent RealTech mailing list.

[JerrySalem]

Using this technique can I get FMS11 to create an instance of Filemaker Client under a different account? (using a batch or applescript)

This would be big, I could get rid of the last remaining Robot machines!

[Steven H. Blackwell]

I don't think so. This feature is for OS level scripts.

Steven

[BrentHedden]

That would be nice Jerry, as I'm having to do the same thing as you are (robot machine) to create PDF reports.

But unfortunately, Stephen is right. It's just to run the OS batch files under a certain account. Which is a big deal, especially if directory access is limited to certain accounts or other restrictions.

[Toadster]

Hi,

FileMaker Pro 11 Advanced

Windows 7

Intel i5

2.53 GHz

Installed Memory 4 GB

62 Bit Operating System

I have this FileMaker Pro 11 Advanced database and then I launch it I get this massage:

FileMaker cannot share files because another user is already sharing files using FileMaker Pro on this computer.

What is happening?

Steve

[Anatole Beams]

Any idea how would I go about triggering an AppleScript from FMS 11?

The FileMaker Applescripting step isn't compatible with FMS, so I can't use that and I have no idea how to set up a system-level script to trigger the script.

Can't find anything in the documentation ... yet!

cheers - Anatole

[Vaughan]

I think that a shell script can run an AppleScript...

My son was playing around the other day, using terminal connected to a machine at USYD which was running terminal to a machine next to me in my house to run AppleScripts to "speak" obscenities at me. :)

[Anatole Beams]

OK - I've just worked around the problem using CRON to schedule the AppleScript at a particular time. But wouldn't it be nice to be able to trigger external scripts from a FileMaker script running on the server?

Edited November 25, 2010 by Guest

[Fenton]

I've not tried this with FMS, but there is a special command for running AppleScript from Terminal, osascript. It has a manual page, and there are a lot of posts at http://www.macscripter.net.

You can include the AppleScript code, but easiest it to point to an AppleScript file. The usual caveats re: "No user interaction allowed" apply to the AppleScript.

osascript ~/desktop/some_AS_file.scpt

P.S. On FMS the file (and path) would need to be in one of FileMaker Servers accessible folders.

Edited November 25, 2010 by Guest