7 Replies Latest reply on Dec 27, 2015 5:00 PM by Mike_Mitchell

    File / Manage / Security

    fentonjones

      I recently upgraded to FileMaker Pro (Advanced) 14, from 12. I notice now that I am now required to enter the [Full Access] Account Name & Password every time I want to view the Manage/Security. I was already logged in with Full Access. While I understand why this may be "good", there are many times when I have wanted to open this area, just to check something; this can sometimes require leaving it, looking somewhere else, then going there again. Having to enter this over and over would be really annoying. Is there any way to turn this off for someone who's already Full Access?


      P.S. FileMaker Pro Advanced 14.0.4, Mac OS 10.11.2

        • 1. Re: File / Manage / Security
          Mike_Mitchell

          fentonjones wrote:

           

          I notice now that I am now required to enter the [Full Access] Account Name & Password every time I want to view the Manage/Security...Is there any way to turn this off for someone who's already Full Access?

           

           

          No. It's intended to prevent someone from walking away from his desk with the solution logged in and another person wandering up and having access to change the security. This would allow a hacker to snoop on the solution indefinitely, since he could insert an account and, unless you checked, you wouldn't know anything about it.

           

          Having to enter this over and over would be really annoying.

           

          It could be, and is. There's always a balance between security and convenience. A totally secure solution would be useless, since nobody could get at the information. A totally open solution is equally worthless, because you can't trust what's in it (although it's very convenient). In this case, the vulnerability is just too great to justify not closing it. At least IMHO.

           

          HTH

           

          Mike

          • 2. Re: File / Manage / Security
            fentonjones

            My solution to this problem would be to ask once, forcing the person to log in once again, as Full Access; but not ask them every single time. FileMaker has taken a simple way out of a problem, but has not really thought about what this would mean to a developer, who is doing serious work on the database, and needs to go back and forth quickly between all its parts.

             

            P.S. Thanks for confirming that there's no way to get past this.

            • 3. Re: File / Manage / Security
              Mike_Mitchell

              How would FileMaker know what “once” constitutes?

              • 4. Re: File / Manage / Security
                fentonjones

                Since in most cases, I would only need some time to do this "switching" from part to part, I would think a time limit would do; I would think that 30 min, or even 15 min, would be a lot better than "every single entry".

                There is no way to look at anything else when the Security is open.

                 

                There is also a PersistentID of the computer, if they're worried about external attack.

                 

                I'm assuming that the FileMaker file is already in [Full Access], whose Privilege Set cannot be modified, ever, by anyone. [I suppose it could be deleted, however; I believe that is someplace they should ask again. I have never used that myself.]

                 

                Another thing. A person with Full Access could cause so much damage otherwise, like deleting everything in the database, including fields, etc., that whether they messed with privilege sets is not the only problem, by any means.

                 

                I'm not thinking these would be easy for FileMaker to try and make a little easier to use. But I hope they at least think hard about it.

                 

                I imagine I will also become better at remembering what I'll have to type (over and over again). But my fingers will not be happy at it. I think I will also be taking more pictures of the Privilege Sets (but there's so many).

                • 5. Re: File / Manage / Security
                  Mike_Mitchell

                  So if a person walks away from his desk, the screen saver would typically engage in about 10 minutes. (At least, that’s our security policy.) So between the time the computer is abandoned and the time the screen saver engages, anyone can walk up to your workstation and really hose your solution. Basically, a time limit as long as you’re suggesting is more or less useless; you might as well not have the feature.

                   

                  I’m not sure what PersistentID does in this situation. That has little or nothing to do with the scenario in question.

                   

                  It doesn’t matter if the  priv set can be changed. An attacker can simply give himself an account with  privileges and exploit the solution all day long. It’s not a good thing.

                   

                  (And no, you can’t delete it … outside of the Developer Utilities.)

                  • 6. Re: File / Manage / Security
                    fentonjones

                    I'll add one more possibility. Allow [Full Access] to VIEW the Privilege Sets, with no extra dialog (as earlier versions had), but do not allow any add, change, nor copy of Passwords. Attempting to do any would bring up the dialog to log in (again) as Full Access.

                     

                    That would allow you to see what was going on easily, but not let you do anything else. I imagine FileMaker would find that an excessive amount of work, and will never happen. But I'd like it, as I'd only have to "log in again" if it made more sense.

                     

                    By the way, the file(s) I'm looking at are not local, and I am the only one with [Full Access], so the "someone will come up to my computer, and I've left the file open" will never happen.

                    • 7. Re: File / Manage / Security
                      Mike_Mitchell

                      It would also allow an intruder to see what’s going on.

                       

                      And as far as “It doesn’t affect me” goes, FileMaker has more to worry about than your specific situation.

                       

                      If you think it should be changed, submit it over in the Product area.