External Authentication with multiple databases and security groups


This topic is 3937 days old. Please don't post here. Open a new topic instead.


I am looking to use External Authentication (Active Directory) on my server-hosted FileMaker files. The problem is that I have multiple FileMaker files and each file has its own security settings. A user can have access to many FileMaker databases and the privilege set varies with the database. To achieve the level of granularity in the security settings, it seems that I will need to create an AD group for each privilege set for every database.

 

Is there a better way to do this that will reduce the number of AD groups? Can External Authentication be used for just authentication and a different mechanism used for authorization?


I did this a couple of years ago with multiple solutions that shared several files, with many users using both solutions.

 

It gets complex, and there is no real way to decrease the complexity without decreasing the security.

 

A couple of things:

 

1) Identify separate "solutions" and give them unique names. Identify which files are linked to each solution, which users need access to the solution, and what the access is. Create separate EA groups for each Solution_Access combination. If you have dozens of access levels for each file: simplify.

 

2) In each file, add the EA groups and set the authentication order so that the groups with the most access are at the top. This ensures that the files open with the most access needed for each user.

 

3) The magic of making all this work happens when you create the EA groups for each Solution_Access and add users to them.

 

An example to illuminate the issues:

 

Natasha uses the Invoices solution as admin. However she only needs read access to the Marketing solution. Both of these solutions link to the Contacts file: through the Invoices solution she has write access but through the Marketing solution she has read-only access.

 

Natasha occasionally has a problem where the Contacts file is locked and things don't work properly in Invoices. This occurs when she opens the marketing solution first, before opening the Invoices solution: the Contacts file will open read only and it STAYS read only for the entire session even after opening other solutions.

 

The fix is to ensure that every user always opens each file with the MAXIMUM user access they are entitled to across all solutions. This is achieved by using external authentication and making a group for every solution and access level (e.g., Invoices_Admin, Invoices_User, Invoices_Read).

 

Then in each file, make sure that the external authentication accounts are in the correct authentication order: from MOST to LEAST. Then as each user opens the files, they will automatically get the correct access.


Hi,

 

As you are using multiple files in your application, you need to define a fixed set of users' privileges for all the files, which should be the same throughout all the files. By doing this, a particular user who has an account with the same account name and password will be activated throughout the application, and whenever the user tries to access another file from within the current file it will no longer ask for an account name and password.

 

for example

----------------

Having Files File-A, File-B & File-C

 

Security setup in File-A is

 

User Account    Password    Privilege
------------    --------    ---------------
Programmer      P11         Full Access
SalesMgr        SM11        Sale
Staffs          SFF         Staff
Data_Entry      DT2         Data Entry Only

 

 

Security setup in File-B & File-C should be

 

User Account    Password    Privilege
------------    --------    ---------------
Programmer      P11         Full Access
SalesMgr        SM11        Sale
Staffs          SFF         Staff
Data_Entry      DT2         Data Entry Only

 

So when a user logs in as SalesMgr in File-A, they can access File-B as SalesMgr without being asked for credentials.

 

Hope this gives you some information to move in the correct direction.

 

with regards,


Hi,

 

As you are using multiple files in your application, you need to define a fixed set of users' privileges for all the files, which should be the same throughout all the files.

 

 

No, you do not NEED to make users' privileges fixed across files. It does make things less complex, but it's not necessary.


Can External Authentication be used for just authentication and a different mechanism used for authorization?

 

That's already what happens.

 

EA is ONLY for authentication (who are you).

Authorization (what are you allowed to do) is handled by the FM privilege set.

 

So you define your "roles" as privilege sets and then assign those to whatever number of AD groups you need.

 

It is not uncommon to have one AD group per priv set per file, but it certainly is not a requirement.

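As an added illustration of two points made above (the advice to list EA groups in each file from most to least access, and the point that EA only answers "who are you" while the privilege set answers "what may you do"), here is a small Python model of how an ordered list of externally authenticated accounts resolves a user's privilege set. It is example code written for this thread, not FileMaker code and not from any of the posters; the group names, privilege set names and the numeric ranking of privilege sets are constructed for the example, and the "first matching group in authentication order wins" rule is a simplified model of the behaviour the replies describe.

```python
"""Model of privilege-set resolution through externally authenticated accounts
listed in authentication order, plus a check that each file lists its groups
from most to least privileged (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed ranking of the privilege sets used in this example, highest first.
PRIVILEGE_RANK = {"Full Access": 3, "Write": 2, "Read-Only": 1}


@dataclass
class FileSecurity:
    name: str
    # Externally authenticated accounts in authentication order, as
    # (AD group, privilege set) pairs. The first account whose group the
    # user belongs to decides which privilege set the user receives.
    accounts: list[tuple[str, str]]


def resolve_privilege(file: FileSecurity, user_groups: set[str]) -> Optional[str]:
    """Privilege set the user gets in this file, or None if no account matches.

    Authentication (group membership) and authorization (the privilege set
    attached to that account) are separate: the same AD group can map to a
    different privilege set in each file.
    """
    for group, privilege in file.accounts:
        if group in user_groups:
            return privilege
    return None


def ordering_problems(file: FileSecurity) -> list[str]:
    """List adjacent accounts where a lower-privileged group precedes a higher one.

    Any list that is not ordered most-to-least has at least one such pair, so
    an empty result means the file follows the recommended ordering.
    """
    problems = []
    for (g1, p1), (g2, p2) in zip(file.accounts, file.accounts[1:]):
        if PRIVILEGE_RANK[p1] < PRIVILEGE_RANK[p2]:
            problems.append(f"{file.name}: {g1} ({p1}) is listed before {g2} ({p2})")
    return problems


def reorder_most_to_least(file: FileSecurity) -> FileSecurity:
    """Return a copy of the file's accounts sorted most-to-least privileged (stable)."""
    ordered = sorted(file.accounts, key=lambda acct: PRIVILEGE_RANK[acct[1]], reverse=True)
    return FileSecurity(file.name, ordered)


# Constructed data: Natasha is an admin of Invoices and a reader of Marketing.
NATASHA = {"Invoices_Admin", "Marketing_Read"}

# The shared Contacts file with the read-only group mistakenly listed first.
CONTACTS_WRONG = FileSecurity("Contacts", [
    ("Marketing_Read", "Read-Only"),
    ("Invoices_Admin", "Write"),
    ("Invoices_User", "Write"),
])
CONTACTS_FIXED = reorder_most_to_least(CONTACTS_WRONG)

# One AD group, two files, two different privilege sets: authorization is per file.
SALES_MANAGER = {"Sales"}
FILE_A = FileSecurity("File-A", [("Sales", "Write")])
FILE_B = FileSecurity("File-B", [("Sales", "Read-Only")])


if __name__ == "__main__":
    print("Contacts, wrong order:", resolve_privilege(CONTACTS_WRONG, NATASHA))
    for problem in ordering_problems(CONTACTS_WRONG):
        print("  problem:", problem)
    print("Contacts, fixed order:", resolve_privilege(CONTACTS_FIXED, NATASHA))
    print("File-A as Sales:", resolve_privilege(FILE_A, SALES_MANAGER))
    print("File-B as Sales:", resolve_privilege(FILE_B, SALES_MANAGER))
```

Running the script shows Natasha landing in Contacts as Read-Only while the groups are misordered and as Write once the file lists its accounts most-to-least, which is the situation the first reply describes; the File-A/File-B pair shows why a separate AD group per privilege set per file is a choice rather than a requirement.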


Thanks everyone for the replies and sorry for posting in the wrong section.

 

I got the confirmation on some thoughts I had and also picked up some ideas to work on for now.
