1 2 Previous Next 16 Replies Latest reply on Nov 22, 2015 6:20 AM by Extensitech

    "Modified by" account name from external fmp12 files

    dsr1

      I've split may app into two files, app.fmp12 and tables.fmp12.

       

      Ive done this to make updating my client's installations less painful.

       

      If there are no data store changes then I simply ship the app.fmp12 file. When launched it reads the existing user profiles (duplicated in our tables) renames itself and moves the original app.fmp12 file. Easy.

       

      But there is a snag I can live with, but would much rather put to bed. Record Modification user stamping displays the generic account name used by the external table file.

       

      I can't see any simple way to get the app.fmp12 file's current account name recorded at record modification.

       

      Anyone found a simple work around for this?

        • 1. Re: "Modified by" account name from external fmp12 files
          Mike_Mitchell

          Put the accounts in the data file via a script. Generic accounts are a security risk.

           

          There's a good module for handling user accounts over at ModularFilemaker.org:

           

          http://www.modularfilemaker.org/module/accounts-modular-user-account-management/

          • 2. Re: "Modified by" account name from external fmp12 files
            dsr1

            Thanks Mike,

             

            I was not happy with using a generic account.

             

            I'm checking out your link now. Looks good. Thanks again.

             

            Peter

            • 3. Re: "Modified by" account name from external fmp12 files
              dsr1

              Back again.

               

              The account magagement module is a nice tool, but it does not appear (I have not checked all scripts yet) to address the problem I am facing.

               

              I can quite easily have tables.fmp12 duplicate the user profiles from app.fmp12. What I want to do is have app.fmp12 open tables.fmp12 without the user logging in twice. I can't see any way to Open File with ID and PW parameters.

               

              Sensative data is stored in App.fmp12 tables so the app is protected and has no God account. Tables.fmp12 retains the God account and it's data is not sensative so auto login is "acceptable" with some extra precautions.

               

              My clients average 3.5 users so many do not use Server and quite a few use iPads as single users.

              • 4. Re: "Modified by" account name from external fmp12 files
                CamelCase_data

                Unless I'm missing something, what you are looking for is already covered by standard FileMaker behaviour.

                 

                You normally don't even need an "Open file" script step at all.

                 

                If you have accounts with identical usernames/passwords in app.fmp12 and tables.fmp12, and tables.fmp12 is used as an external data source for app.fmp12, opening app.fmp12 will automatically open tables.fmp12 as a hidden file, using the same username/password entered when opening app.fmp12, without prompting the user.

                 

                The user will be prompted to enter username/password for tables.fmp12 only if it does NOT have an account with the same username/password as app.fmp12.

                • 5. Re: "Modified by" account name from external fmp12 files
                  dsr1

                  Thanks CamelCase,

                   

                  That's perfect. I had the security set up with different user accounts and had not even considered that FM would pass the authentication automatically.

                   

                  Once again I discover more FM built-in smarts that I ahd no idea existed.

                  • 6. Re: "Modified by" account name from external fmp12 files
                    Mike_Mitchell

                    I'm still a little confused by this setup. The purpose for removing the [Full Access] account is not only to protect data. It's to protect the solution integrity. There are hacking tools out there that can break into a file, and, if there's an available [Full Access] account, they can get to your code. Assuming I'm understanding your setup correctly, you have an interface file and a data file (standard Separation Model). Usually, in such a setup, the code - the stuff that makes you money - is what you, the developer, are trying to protect. The data is what the client wants protected. So you're only solving part of the problem. Removing [Full Access] credentials from the data file is good, because it helps protect the data (a hacker can't get a [Full Access] login to the file where the data live). But your proprietary business information is still vulnerable.

                     

                    Further, it may still be possible to access the client's data using a hacking tool. Whatever accounts remain in the file can still be hacked, and whatever data they have access to, a hacker will have access to. The only really sure way to protect it, if you're handing out the file, is to use Encryption At Rest (EAR).

                     

                    I can't see any way to Open File with ID and PW parameters.

                     

                    You can use Open URL for this.

                     

                    My clients average 3.5 users so many do not use Server and quite a few use iPads as single users.

                     

                    How are you sharing the data for 3.5 users without Server? Or are these individual installations (one copy per user)?

                    • 7. Re: "Modified by" account name from external fmp12 files
                      dsr1

                      OK All good so far. I have the user names and passwords securely stored in a table so it's pretty easy to write a script to duplicate the user accounts.

                       

                      It looks like this will require launching of tables.fmp12 so it has the focus to write to security. It would be nice if I could drive the process from app.fmp12 but I can't find a "OnFileOpen" trigger. Does such an animal exist?

                      • 8. Re: "Modified by" account name from external fmp12 files
                        CamelCase_data

                        File > File Options > Script Triggers > OnFirstWindowOpen.

                        • 9. Re: "Modified by" account name from external fmp12 files
                          Mike_Mitchell

                          Note that this works when the first window opens, not when the file opens. If the file opens hidden, it won’t fire.

                          • 10. Re: "Modified by" account name from external fmp12 files
                            dsr1

                            Is a launch file the best approach?

                            • 11. Re: "Modified by" account name from external fmp12 files
                              Mike_Mitchell

                              You can explicitly call a script in another file. You shouldn’t need to rely on a trigger.

                               

                              And using the Open URL script step, you can explicitly set privileges by calling a dedicated account with the appropriate access.

                              • 12. Re: "Modified by" account name from external fmp12 files
                                dsr1

                                Thanks Mike,

                                 

                                I did not realise I could execute a script on another file and have it apply to that file.

                                 

                                This seems to be coming together nicely.

                                 

                                Peter

                                • 13. Re: "Modified by" account name from external fmp12 files
                                  dsr1

                                  Hi Mike,

                                   

                                  I was not happy with less protection on the client data. So your advice is of great value to me. The application was a single file up until a few weeks ago. I split it to simplify updating. My intention is to remove the full access account from the app file, but leave it in place within the data tables for run of the mill clients.

                                   

                                  My smaller clients will limp along with FMPro peer to peer. It actually works very well, all considered. I do present clients with all options but so many will always go with the cheaper solution. It's actually a pretty big ask for a tiny network to install a real server.

                                   

                                  My larger clients (still only 10-20 users at this stage) have no alternative and generally take my advice... eventually... and, if they pay for the service and understand the security implications I can zip them up tightly on an individual basis.

                                  • 14. Re: "Modified by" account name from external fmp12 files
                                    Mike_Mitchell

                                    dsr1 wrote:

                                     

                                    My smaller clients will limp along with FMPro peer to peer. It actually works very well, all considered. I do present clients with all options but so many will always go with the cheaper solution. It's actually a pretty big ask for a tiny network to install a real server.

                                     

                                     

                                    Consider using a hosting service. It's cheap and avoids a host (pun intended) of problems. Peer-to-peer is basically a disaster waiting to happen.

                                    1 2 Previous Next