
FileMaker Authentication
FileMaker Security Basics
Using FileMaker securely rests first and foremost on employing and setting up FileMaker's existing authorization features thoughtfully. For hosted and single-user files alike, it is critical that you make sure that all accounts are password protected and that you have set up privilege sets to manage user activities appropriately. This document addresses some of the things that you should consider when setting up user accounts and access control in FileMaker.
Full-Access Accounts
By default, FileMaker files are created with a full-access Admin account with no password. A critical first step is to either set a password for this account, or disable this account in conjunction with creating another (user-specific) password-protected full-access account. Beginning with version 15, FileMaker Server provides a setting that will disallow hosting of files that have full-access accounts with no password set. We strongly recommend using this setting for all hosted solutions, but note that this feature is not available for non-hosted files. After setting authorizations correctly, making sure that your files reside on secure machines is the next critical piece of providing security for your database solutions. Wherever you have data that is sensitive, it is strongly recommended that you host the file on an IS&T managed server.
More About FileMaker Default Account Settings
In addition to having a default Admin account with no password set, FileMaker files are set by default to auto-login with this Admin account. In the File > File Options dialog box > Open tab, uncheck the "Log in using" box. Unless there is a compelling reason to do so, do not set the file to auto-login with a particular account.
Note: While you should not set up files to auto-login with a particular account, users may configure their individual FileMaker Pro client to set a default account name to appear in the login window so that they only need to type their password. This can be done by choosing FileMaker Pro > Preferences (Mac) or Edit > Preferences (Windows), and then in the General tab specify a User Name.
Set Up Individual User Accounts
FileMaker allows for individual user accounts and group privilege sets. All users should have individual user accounts; never employ shared accounts. Setting up privilege sets with appropriate access controls and creating individual user accounts assigned to an appropriate privilege set is the first and best security mechanism available in every circumstance.
Note: Individual users can be given control over their own passwords in FileMaker, but users should be advised against reusing their Kerberos passwords in FileMaker. Forgotten passwords can be reset by a full-access user at any time. See the section on External Authentication if you wish to investigate the option of using external authentication to utilize Kerberos authentication and leverage outside resources to manage user groups.
External Authentication with Kerberos at MIT
When hosted with FileMaker Server, databases may be set up to use external authentication, allowing authentication via local server groups and/or LDAP. At MIT, since IS&T-managed Windows servers are part of the MIT WIN Domain (which is an LDAP compliant directory service), databases can be set up with external authentication so that user groups may be defined by Moira groups and users may authenticate to FileMaker files with their Kerberos username and password.
Server configuration
If you intend to use external authentication as a means for access to any of the databases hosted on your server, you must enable the external authentication option on the server. In the server Admin Console, navigate to the Database Server pane > Security tab; under Client Authentication, select "FileMaker and External Server accounts."
Database configuration
There are several steps involved in setting up external authentication for a specific FileMaker database solution (which may be comprised of one or more files).
- Identify what types (roles) of users will be accessing the database with external authentication, and ensure that an appropriate privilege set exists or is created for each of these roles. FileMaker privilege sets are defined in the File > Manage > Security > Privilege Sets tab.
- Create a Moira group (via WebMoira) for each privilege set identified above. The recommended naming convention is dlcname-fmp-dbname-privsetname; for example, ist-fmp-inventory-readonly. Groups should be set up as a Moira Mailing List, Moira Group, and private. The appropriate group members (database users) may be added now or later. It is also recommended that an additional Moira group is created to be the owner of the other groups; this way one or more designated individuals can maintain the user groups as needed.
- Back in the FileMaker database file(s), choose File > Manage > Security > Accounts tab, and create a single user account for each Moira group created above (except for the admin group). In the Edit Account window, set "Account is authenticated via" to External Server, set the Group Name to <moira group name>_group (Important: the _group suffix is required), and assign it the appropriate privilege set.
With the above in place, any users who are a member of the Moira group(s) will now be able to access the database with the group-specific privilege set using their Kerberos credentials.
Important Security Considerations
While it has many advantages, use of external authentication with FileMaker carries its own set of considerations, particularly with regard to security. It is extremely important to be mindful of the following:
- In order to commit changes made in the Manage Security dialog in FileMaker databases (when editing accounts and privilege sets), you must enter the credentials of a full-access internal FileMaker account. As such, even when employing external authentication, you must still maintain at least one full-access internal FileMaker account. See the above recommendations for setting up password-secured, full-access FileMaker accounts.
- Full-access external accounts are generally not recommended as they are a potential security risk. If an illegitimate user gains physical access to a FileMaker file with a full-access external account, they may easily spoof the external group and gain entry to the file. If you choose to employ a full-access external account, securing the server and any backup locations is of paramount importance. In addition, as noted above, remember that full-access external accounts cannot be used to commit changes made in the Manage Security dialog; this must be done with a full-access internal FileMaker account.
- A unique, dedicated Moira group should be created for each FileMaker solution/privilege set combination. Moira groups should not be reused across multiple database solutions. They should also not be used for any other purposes, such as an office email list.
Example Use Case
Let's say the Finance Office in the Department of Important Research (DIR) has a FileMaker database which has three users who should have data entry access. If we want to use a Moira group to manage access for these users, we would probably not want to use the existing dir-finance group for this purpose since that group includes everyone in the office. Instead, we should create a new, dedicated Moira group to define the data entry users for the DIR Finance database. A good name might be dir-fmp-finance-dataentry. Membership would be limited to just those three users. To manage this list, we might want to create a second Moira group named dir-fmp-finance-admin. We can then define the owner of the dir-fmp-finance-dataentry group to be the dir-fmp-finance-admin group. Now, the member(s) of dir-fmp-finance-admin can manage the members of dir-fmp-finance-dataentry and therefore the data entry users for the database. Finally, in FileMaker, we create a new user account named dir-fmp-finance-dataentry_group, configure it to be authenticated via External Server, and assign it the [Data Entry Only] privilege set.
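The account rules from the sections above (password-protected internal full-access account, the _group suffix, the naming convention, no full-access external accounts, no Moira group reuse) can be checked mechanically. The following is an added example, not part of the original page or of any FileMaker or MIT tool; the inventory format, the solution names, the account jsmith, and the lowercase-alphanumeric reading of the naming convention are assumptions.

```python
import re

# Recommended Moira naming convention from this page: dlcname-fmp-dbname-privsetname
MOIRA_NAME = re.compile(r"^[a-z0-9]+-fmp-[a-z0-9]+-[a-z0-9]+$")
SUFFIX = "_group"  # required on the Group Name of a FileMaker external account

def audit(inventory):
    """Return (solution, account, finding) tuples for a hand-kept account inventory."""
    findings, first_use = [], {}
    for solution, accounts in inventory.items():
        internal_admin_ok = False
        for acct in accounts:
            name, full = acct["name"], acct["priv"] == "[Full Access]"
            if acct["auth"] == "internal":
                if full and not acct["has_password"]:
                    findings.append((solution, name, "full-access account has no password"))
                elif full:
                    internal_admin_ok = True
                continue
            moira = name[: -len(SUFFIX)] if name.endswith(SUFFIX) else name  # strip suffix
            if moira == name:
                findings.append((solution, name, "Group Name lacks the _group suffix"))
            if not MOIRA_NAME.match(moira):
                findings.append((solution, name, "Moira group is not named dlcname-fmp-dbname-privsetname"))
            if full:
                findings.append((solution, name, "external account has full access"))
            owner = first_use.setdefault(moira, solution)  # one group per solution
            if owner != solution:
                findings.append((solution, name, f"Moira group already used by '{owner}'"))
        if not internal_admin_ok:
            findings.append((solution, "-", "no password-protected internal full-access account"))
    return findings

# Constructed inventory (hypothetical format; not a FileMaker export).
INVENTORY = {
    "finance": [
        {"name": "Admin", "auth": "internal", "priv": "[Full Access]", "has_password": False},
        {"name": "dir-fmp-finance-dataentry_group", "auth": "external", "priv": "[Data Entry Only]"},
        {"name": "dir-finance", "auth": "external", "priv": "[Read-Only Access]"},
    ],
    "inventory": [
        {"name": "jsmith", "auth": "internal", "priv": "[Full Access]", "has_password": True},
        {"name": "dir-fmp-finance-dataentry_group", "auth": "external", "priv": "[Full Access]"},
    ],
}

if __name__ == "__main__":
    for solution, account, finding in audit(INVENTORY):
        print(f"{solution:10} {account:34} {finding}")
```

In the constructed data, the finance solution is flagged for the passwordless Admin account and for reusing the office-wide dir-finance group, and the second solution is flagged for borrowing the finance data entry group as a full-access external account.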
Windows and Single Sign-On
When Windows users who are logged into the MIT WIN Domain open a hosted database with external authentication enabled, the database will automatically attempt to log them in using their Kerberos credentials. If the user is a member of any Moira groups (or local server groups) which match an external account defined in the database, they will be automatically logged in with that account. This approximates a single sign-on experience. To bypass this behavior and always get prompted for credentials, the user must hold down the Shift key while opening the database.
There is no equivalent single sign-on behavior for Mac users.
Additional Resources
More information on External Authentication can be found in FileMaker's in-depth guide.
Server-Based Security Features Related to Authentication
Requiring Password-Protected Databases
Starting with version 15, FileMaker Server has a setting for restricting the hosting of databases to those that are password protected. This should be enabled. In the Admin Console, navigate to the Database Server pane > Security tab, and check off "Host password-protected databases only."
Hiding Files
There is also a setting that restricts the display of hosted files to only those files for which a user is allowed access when the user browses a server via the Launch Center or File > Open Remote. When this setting is turned on, the user will be prompted twice for authentication: once to view available files on the server, and again to open a selected file. In the Admin Console, navigate to the Database Server pane > Security tab, and check off "List only the databases each user is authorized to access."