Jump to content

Managing Many User Accounts


xochi
 Share

This topic is 2946 days old. Please don't post here. Open a new topic instead.

Recommended Posts

I have a filemaker solution which is going to use WebDirect to allow a low level of access to "many" users, where "many" is going to be between 50 to 100.   This will be in addition to a dozen accounts with direct FileMaker Pro access.

 

I see that in FM13, the Manage Security / Accounts panel still has the same design as was used in FM11 : a single flat Table for all accounts, with columns that do not sort, and no way to group accounts by Privilege Set.

 

I'm worried that with around 100 accounts, this system will be hard to use.

 

I've thought of another way:  create a single "WebDirect" account privilege, and then use another login scheme (such as "Show custom Dialog" ) to do the actual scripted login.    This would require a separate users/password table, but the advantage would be that it there would be no way to accidentally confuse a "normal" user account with a "web only" account.

 

Any advice?

 

 

Link to comment
Share on other sites

Use External Authentication.  That is what is there for.

 

 

At the moment, there is no external authenticator - these are accounts that are already defined inside FileMaker and nowhere else.

 

Additional details & questions which may help:

  • The server is running FMS 13 on Mac OS X 10.9
  • Account info (name/password hash) is communicated with two other servers (one running Linux via MySQL/ODBC, and another running Apache on OS X)
  • The # of "web only" accounts will be under 100.  However, it's possible that could grow to 1000 or even 10,000
  • If you suggest a solution, please also answer whether your recommendation would change depending on the # of additional accounts in use?
Link to comment
Share on other sites

 

At the moment, there is no external authenticator - 

 

There is always one: the OS on the FMS box itself, even if you do not have AD or OD implemented.

 

 

 

 

  • Account info (name/password hash) is communicated with two other servers (one running Linux via MySQL/ODBC, and another running Apache on OS X)

 

How so?  Once the pw is set up for a FM account in the FM security area, you don't have access to the pw or the hash to pass onto MySQL or Apache.

 

Are you maintaining the same accounts in the two other environments?   Then you definitely need to switch to a central authenticator.

 

  • If you suggest a solution, please also answer whether your recommendation would change depending on the # of additional accounts in use?

 

 

That one is easy: External Authentication is made for this kind of deal.  You can add 100,000 users without even having to touch your FM solution. The only thing you need to do in your solution is identify the user roles and create one priv set per role.

Link to comment
Share on other sites

Pay close attention to what Wim is saying.  The process you are describing here:

 

 

I've thought of another way:  create a single "WebDirect" account privilege, and then use another login scheme (such as "Show custom Dialog" ) to do the actual scripted login.    This would require a separate users/password table, but the advantage would be that it there would be no way to accidentally confuse a "normal" user account with a "web only" account.

 

is fraught with vulnerabilities.

 

You might also consider preventing web users from accessing the system via a copy of FileMaker Pro.

 

 

Finally, as a related item, WebDirect will not support more than 50 simultaneous users.

 

Steven

Link to comment
Share on other sites

Once the pw is set up for a FM account in the FM security area, you don't have access to the pw or the hash to pass onto MySQL or Apache.

 

 

I should be more clear:  the account names, passwords, and hashes, are currently stored as data inside a FileMaker table (not as accounts) - it was done this way on purpose since the source data (names, addresses, access level info) originates in FileMaker.    These data are not (yet) stored as actual fileMaker accounts.  I'm considering whether to do this or not, and this is the main issue and why I'm asking for advice.

 

I agree that external authentication might make sense, but the whole point of external authentication is that it is, well, "external" which means I'd have to find a way to export the user data out of filemaker and into the external authenticator, and instead of 3 systems in use, I'd have 4.

 

I could flip the system around (keeping the external accounts ONLY in the external authenticator) but this would add layers of complexity (e.g., we'd have to train one of the staff members to use AD or OD, and they'd have to hand-enter the user data accounts there.)   

Link to comment
Share on other sites

 

I could flip the system around (keeping the external accounts ONLY in the external authenticator) but this would add layers of complexity (e.g., we'd have to train one of the staff members to use AD or OD, and they'd have to hand-enter the user data accounts there.)   

 

You are talking about thousands of accounts, you really should be getting familiar with AD or OD, those things are made for that kind of task.  I would venture to say that NOT doing it adds level of complexity and vulnerability, not the other way around.

 

There is a high level of automation that is offered by those directory services so importing user accounts is straightforward.

Link to comment
Share on other sites

Wim, thanks for the advice.   At the moment, it's less than 100 accounts, so in balance the tradeoffs, I'm leaning towards having a little more complexity on the filemaker side in order to avoid adding another entire piece to the puzzle (and OD server).  But I'll keep your advice in mind in case that 100 looks like it may turn into 1000 or more...

Link to comment
Share on other sites

This topic is 2946 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.