
This topic is 3821 days old. Please don't post here. Open a new topic instead.


Posted

The system I'm working on has always used user initials for the Account Name, which I'm aware is a pretty bad practice, but it was implemented long before my time. As the company grows, it becomes more and more of a hassle, as people obviously share initials, and we have to use some "creative" solutions.  I'd like to update the system to use a different ID system (their network ID, which is usually their firstname.lastname, sometimes with an initial, but always 100% unique). I believe I need to write a script for this that loops through each record in my password manager file, creates a new account with the new ID (which I will end up manually inputting into a new field) and then deactivates the old account that used initials. Is there anything I'm missing as far as making this cleaner and/or easier to accomplish?

Posted

The fact that you are using a "password manager file" probably indicates a very significant vulnerability in your system.

 

Presuming you are using FileMaker Server, you can use it to authenticate your users and then admit them to the files with appropriate designated privileges.  This is a one-time set-up initially.  Then all you have to do is add or remove Accounts in one place.

 

Steven

  • Like 1
Posted

I'm not familiar with how to do this. Is there a document or white paper you might be able to point me to? (This system was on FM 4 when I started working on it, so many of its conventions are WAY WAY inefficient, to say the least.)

 

I do currently only set up accounts and passwords in the Password Manager file - it runs a script that loops through every file and creates/enables/disables/deletes accounts when needed, and users update their passwords using the same system. They don't ever actually change their password file-by-file.


And it's probably poorly named, because it does not store passwords at all - it puts them in a variable and updates each file with the password chosen by the user, but does not store the passwords. It's actually named "User Manager" but it's called "Password Manager" in pretty text for the users to make it clear what they can do in that file.

Posted

OK, that's a lot better.  Be sure to error trap for files that don't get reset.

 

As for the External Server Authentication part, there is a lengthy Tech Brief on that topic that may still be on the FileMaker web site. There is also the External Server Authentication forum here on FM Forums. If you cannot find this paper, please let me know.

 

Several years ago, I wrote in my Security BLOG about External Server Authentication:

 

http://fmforums.com/forum/blog/13/entry-83-the-power-and-advantages-of-external-server-authentication-with-filemaker-server/

 

Please come back and ask any more questions about this if you have them.

 

Steven

Posted

Thank you for this reply. I read your blog post and have printed it to discuss with my IT folks as well.

 

Here is a question that is probably quite simplistic, because I am not really a "networking" person. I am a self-taught FileMaker person. :)

 

If we set up external authentication for our FileMaker files, can an individual be part of two separate groups?

 

In detail, say I have an administrative assistant who sometimes helps with data entry in finance. As it stands now, I end up making a new privilege set in FileMaker that has the privileges of both my "admin" group and my "finance" group, but this is cumbersome and results in some very specialized privilege sets that are only being used by one person.

 

With external authentication set up, would I be able to just add that Admin person to the Finance "group" in addition to the Admin group, so that she could perform all the functions of both? I believe this is done in our network environment for other software, which is what prompts me to wonder if this would work with FileMaker as well. It would definitely simplify my life if possible.

Posted

A user can indeed belong to multiple groups on the EA side BUT he will only get the privileges associated with one of them.

 

The core concept here is that no person can have two different roles. You cannot have the ability to do something and at the same time NOT have the ability to do something.

In your example, the combination of the two roles (admin assistant and finance data entry) is a role in itself and needs its own privilege set (and its own group in EA).

  • Like 1
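An added example, not part of any post in this thread: a small Python model of the behaviour described in the last answer, where a user in several externally authenticated groups gets one privilege set only (FileMaker uses the first matching group account in the file's authentication order). The group names, privilege set names and users are constructed sample data; the audit lists who is silently losing a role and shows that a combined-role group has to be ordered first to take effect.

```python
# Added illustration: a model of first-match group resolution, not FileMaker code.
# Group names, privilege set names and users below are constructed sample data.

# Externally authenticated group accounts in a file, in authentication order:
# (directory group name, FileMaker privilege set). Order matters.
AUTH_ORDER = [
    ("FM_Admin", "Admin Assistant"),
    ("FM_Finance", "Finance Data Entry"),
]

# Directory group memberships as the external server would report them.
MEMBERSHIPS = {
    "jane.doe": ["FM_Finance", "FM_Admin"],
    "john.smith": ["FM_Finance"],
    "ann.lee": ["Staff"],
}


def effective_privilege_set(user_groups, auth_order):
    """Return the privilege set of the first group account, in authentication
    order, that the user belongs to; None means no access to the file."""
    member_of = set(user_groups)
    for group, privilege_set in auth_order:
        if group in member_of:
            return privilege_set
    return None


def audit_multi_group_users(memberships, auth_order):
    """List users who match more than one group account, with the privilege
    set they actually get and the ones that are silently ignored."""
    findings = {}
    for user, groups in memberships.items():
        matched = [ps for g, ps in auth_order if g in set(groups)]
        if len(matched) > 1:
            findings[user] = {"effective": matched[0], "ignored": matched[1:]}
    return findings


def with_combined_role(auth_order, group, privilege_set):
    """Return a new order with a combined-role group account placed first,
    so its members resolve to it before either single-role group."""
    return [(group, privilege_set)] + list(auth_order)


if __name__ == "__main__":
    print(audit_multi_group_users(MEMBERSHIPS, AUTH_ORDER))
    fixed = with_combined_role(AUTH_ORDER, "FM_AdminFinance", "Admin + Finance")
    print(effective_privilege_set(MEMBERSHIPS["jane.doe"] + ["FM_AdminFinance"], fixed))
```

Running the audit before and after a directory change shows which users would resolve to a different privilege set than intended.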
