Access Keys:
Skip to content (Access Key - 0)
Skip to end of metadata
Go to start of metadata
You are viewing an old version of this page. View the current version. Compare with Current  |   View Page History
<< Previous Version 9 Next >>

FileMaker Authentication

FileMaker Security Basics

Using FileMaker securely rests first and foremost on employing and setting up FileMaker's existing authorization features thoughtfully.  For hosted and single user files alike, it is critical that you make sure that you have only password protected full access accounts and that you have set up your privilege sets to manage user activities appropriately.  This document addresses some of the things that you should consider when setting up user accounts and access settings in FileMaker.  

Manage Full Access Accounts

By default, each file is assigned an admin full access user with a blank password.  Setting the password for the admin account and/or disabling that account is a first critical step!  As of version 15, FileMaker Server now provides a setting that will disallow hosting of files that have non-password protected full-access accounts.  We strongly recommend using this setting for all hosted solutions, but this setting does nothing to protect the data in a file if a non-password protected file can be opened as a stand alone file.  After setting authorizations correctly, making sure that your files reside on secure machines is the next critical piece to providing security for your database solutions.  Wherever you have data that is sensitive, it is strongly recommended that you host the file on an IS&T managed server.  

More about FileMaker Default Account Settings

In addition to each file being set to have a blank full-access Admin account, there is a default setting enabled in the File>>File Options dialog box that you should be aware of and change once you have set up additional password protected accounts in FileMaker.  Unless there is a compelling reason to do so, do not set a default account/password option in your solution.  

[image of File>>FileOptions db here]

Note: A user may set a default log-in account name for themselves under FileMaker>>Preferences.

Set Up Individual User Accounts

Use of shared user accounts is never recommended.   FileMaker provides group privilege sets and individualized user accounts.  Setting privilege sets up with appropriate access controls and then assigning users to individual user accounts is the first and best security mechanism available in every circumstance.   NOTE: Individual users can be given control over their own passwords in FileMaker, but users should be advised against reuse of Kerberos passwords in FileMaker.  Forgotten passwords can be reset by a full-access user at any time.   See section on External Authentication if you wish to investigate the option of using external authentication in FileMaker to manage groups of users.  

External Authentication with Kerberos

FIleMaker server allows for users to be authenticated via Directory Service or through a local domain.  This means that files that are hosted on MIT's Windows domain servers, can be set up to use FileMaker's external authentication feature, allowing users to authenticate using their Kerberos log-in.*   If you intend to use external authentication as a means to access any of the databases hosted on your server,  you must set the authorization options on the server console accordingly.  In addition you will need to add external groups to each file where external authentication is to be used.  The FileMaker Server setting lives in the Security tab available on the Database Server window of the FileMaker Server Admin Console. Select "FileMaker and External Server accounts." This allows you to tie into user accounts and groups either on the host machine itself or on a networked domain controller.

In addition to setting the server to allow for external authentication, you must set up corresponding accounts in your FileMaker database files. These accounts represent user roles, not individual users.  Define the account and assign the authentication method to "External Server" and indicate the appropriate Group to which that user account belongs. The name of this Group with its associated privilege set should match the appropriate group defined on your host OS or domain controller. You must have the extended privilege [istdraft:fmapp] enabled in the associated privilege set for single sign on to work. If you use external authentication, you must have at least one FileMaker account that is separate from the external authentication system. It is recommended that any admin-level accounts not be included in externally authenticated accounts.

*Note :  Clients using FileMaker's external authentication on Windows machines will experience the approximation of single sign on once they have logged into the MIT Windows Domain and will not be prompted to enter their user name and password to access FileMaker files for which they have valid external authentication accounts.

Potential Issues with External Authentication

Management of externally authenticated and Kerberos enabled accounts in FileMaker poses its own set of use and maintenance challenges.  If Kerberized Moira groups are to be used to control membership in externally authenticated groups then the server must be on MIT's WIN domain.  Further, only dedicated FileMaker specific Moira groups for each solution should be used.  Long-term management/maintenance of the externally authenticated group should be discussed before implementation of externally authenticated groups.  If using Moira groups, when configuring the group name in FileMaker append "_group" to the Moira group name.

To approximate single sign-on on OS X, the user's credential must be stored in the keychain. Any user account changes in the FileMaker database file must be correspondingly updated in the keychain manager. Also, be sure that the Group name you identify in your FileMaker accounts matches the Macintosh OS "short" name.

If you have granted the access privilege to a privilege set (FileMaker parlance for a particular set of authorizations or role) that allows users to change their own passwords, this will break the effect of external authentication, not to mention single sign on. The user will have to log into the server, and change the OS account password before being able to access the database. Mac clients will have to update the appropriate keychains.

More information on External Authentication can be found in FileMaker's in-depth guide.

Other security features involving authentication

Hiding file names
You also have the additional security option of only displaying to each user those database files to which that user account is allowed access. If you have not enabled external authentication, the user will be prompted twice for authentication: once to see the appropriate list of files and again to open the desired file.

Protecting access to your FileMaker Server configurations
There is an additional level of authentication available for managing the hosting settings for FileMaker server through the Server Administration Tool. Enable this in the Admin Console tab (in the Admin console under the General Settings section). The three options are to limit access by IP address, set a username and password to use the Server Admin Tool or require that the FileMaker Server administrator be a member of an external authentication group.

Labels:
None
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Last Modified:

page-info: unable to locate page


Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Feedback
This product/service is:
Easy to use
Average
Difficult to use
This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki