15 Replies Latest reply on Jan 6, 2016 12:32 PM by sreese

    Who is logged in (External Accounts)

    bvondeylen

      I am developing a database for our school district and the database needs to keep track of data for individuals. So I need to know who has logged in.

       

      We tie our databases to Active Directory with external accounts.

       

      My problem is people can log in with either a Short Name or a Full Name, and FileMaker (by default on the Mac) enters a Full Name, while on an iPad or iPhone or web interface, the name field is empty and people enter their short name.

       

      So, when I attempt to capture Get (UserName), the contents could differ depending upon how people log in.

       

      For example, I could log in as Bryan VonDeylen or bvondeylen and successfully authenticate against AD, yet Get (UserName) would tell me I am two different people.

       

      How can I set up a database so that I can log in as either Bryan VonDeylen or bvondeylen and get at MY records (and not other people's records)?

        • 1. Re: Who is logged in (External Accounts)
          bvondeylen

          Sorry, I am using Get (AccountName) which will either be a Full or Short name depending upon how the user logs in. Get (UserName) would give me who has logged in on the computer (which may not be the person logging into FileMaker).

          • 2. Re: Who is logged in (External Accounts)
            mikebeargie

            I would set up a corresponding users table, so that on login I could specify a global variable $$user based on a find in that table.

             

            I would then use $$user as the auto-enter for record creation/mod user, as well as for privilege set calculations.

             

            Installing the Accounts module may give you some benefit over managing these types of things:

            http://www.modularfilemaker.org/module/accounts-modular-user-account-management/

            • 3. Re: Who is logged in (External Accounts)
              sreese

              Good Morning,

               

              Are all of your users' names first initial, last name?

               

              If they are, the solution might be a little easier than you think.

               

              # Full name (two words): build the short name from first initial & last name
              If [ WordCount ( Get ( AccountName ) ) = 2 ]
                  Set Field [ GLOBALUSERVARIABLE ; Left ( Get ( AccountName ) ; 1 ) & RightWords ( Get ( AccountName ) ; 1 ) ]
              Else
                  Set Field [ GLOBALUSERVARIABLE ; Get ( AccountName ) ]
              End If
              

               

               

              Just a thought

              • 4. Re: Who is logged in (External Accounts)
                bvondeylen

                That is similar to what I am doing but without the variable.

                 

                I have a Globals Table, and I have both AccountName entered into the Global field as users log in.

                 

                Then I do a Find with that Global field and a Users Table with both the Full Name and Short Name in that table.

                 

                Problem is, I then need to enter all our users' Full Names in that Table (since we have many users who don't know how their Full Name is entered in AD).

                • 5. Re: Who is logged in (External Accounts)
                  bvondeylen

                  Yes, that would be nice, but no, we have too many people with the same last name and first name initial.

                   

                  So, Lynn Smith and Laura Smith would both be a lsmith which doesn't work. We have about 1,000 staff, so the probability of that happening is pretty high.

                   

                  So that is not an option for this solution.

                   

                  I was hoping there was some way when authenticating against AD that both Full and Short names could be brought over. Would make things much simpler.

                  • 6. Re: Who is logged in (External Accounts)
                    mikebeargie

                    You might need to figure out how to integrate the FMGo side to do a lookup from AD, rather than just having a user enter in what is potentially the duplicate. I haven't really worked with it, but I'd imagine something via a web integration might be possible.

                     

                    That or require the full name as an absolute for logging into the system.

                    • 7. Re: Who is logged in (External Accounts)
                      bvondeylen

                      FMGo does Authenticate against AD. That part is working, and that was the initial problem.

                       

                      On the Mac, the Full Name is auto entered, so people were just typing in their password and authenticating.

                       

                      On the iPhone/iPad, the Name field is empty when logging in (web too), so people naturally type in their short name and password.

                       

                      That was when I discovered the issue. Originally, I was using Get (AccountName) to TAG records as they were being created, and listing records for users based on Get (AccountName).

                       

                      Then we got 3,000 iPads and about 100 iPhones, and I began noticing that people were getting 2 sets of records. One when they logged in with their Mac, and another set when they would log in with their iPad/iPhone. That is when I noticed that Get (AccountName) would get Full Name when they logged in with their Mac, and Short Name when they would log in on the iPad/iPhone.

                       

                      So I had to create a User Table, and enter EVERYONE's Full Name and Login Name to accomplish this. Just more work, and more possibilities of mistakes. Just wish I could pull more from AD when Authenticating…

                      • 8. Re: Who is logged in (External Accounts)
                        jormond

                        mikebeargie,

                        Can you explain how you are using ( and securing ) the use of $$user with privilege set calcs? This has always been a practice I have avoided, because it's not easily secured.

                        Mike Beargie wrote:

                         

                        I would set up a corresponding users table, so that on login I could specify a global variable $$user based on a find in that table.

                         

                        I would then use $$user as the auto-enter for record creation/mod user, as well as for privilege set calculations.

                         

                        Installing the Accounts module may give you some benefit over managing these types of things:

                        http://www.modularfilemaker.org/module/accounts-modular-user-account-management/

                        • 9. Re: Who is logged in (External Accounts)
                          mikebeargie

                          Only when $$user has some effect on data access inside any given privilege set, but not as a replacement for a privilege set itself.

                           

                          E.g., when record access inside of a privilege set can be granted via calculation:

                          $$user = "someGuy"

                           

                          I don't use it as a substitute for privilege sets, rather as a finer control for them.

                           

                          Of course, with FileMaker Pro Advanced's ability to modify global variables, there is some risk of someone manually changing $$user to another value, so I usually account for that with some separate logic.

                           

                          Also I rarely use this at all anymore. I try to rely heavily on privilege sets, targeting scripting and interface, and custom menus to lock down solutions. It just seemed like an option for having two possible usernames for the same person in this case.

                          • 10. Re: Who is logged in (External Accounts)
                            wimdecorte

                            bvondeylen wrote:

                             

                            Sorry, I am using Get (AccountName) which will either be a Full or Short name depending upon how the user logs in. Get (UserName) would give me who has logged in on the computer (which may not be the person logging into FileMaker).

                             

                            Get(UserName) has nothing to do with how the user logged in; it is just the name that was set in the FM preferences, so it is a very unreliable way of checking the user.

                             

                            Way back, about 10 years ago when External Authentication was introduced, Steven Blackwell and I wrote a white paper for FM that included a warning about the different ways that a user can log in and what the Get(AccountName) will return:

                             

                            http://www.filemaker.com/downloads/pdf/techbrief_fm8_server_auth.pdf

                             

                            Depending on the platform, the user can log in with the short name, full name, UPN name or UNC name.

                             

                            If you need to use the Get(AccountName) to identify the user uniquely you have to take all of these into account.

                            • 11. Re: Who is logged in (External Accounts)
                              jormond

                              Gotcha. I figured you were using some trickery to code against it. Just thought it would be good for everyone to hear it.

                               

                               

                              • 12. Re: Who is logged in (External Accounts)
                                BowdenData

                                What about pulling the needed information directly from AD and dumping it into your user table in FM? I would visualize doing this in an automated way, so it would be up to date. I did this years ago - set up the process to run every night as a scheduled task on the FM server. In my case, I decided against updating the existing table in FM, but rather just deleted all records and pulled down a fresh set of records from the AD each night.

                                 

                                At the time, I did this by using a plugin on the FM server that had the ability to execute command line/terminal functions. I think DSQuery was the function I used. The FM server was running on a Windows box.

                                 

                                Doug

                                • 13. Re: Who is logged in (External Accounts)
                                  sreese

                                  You could use PowerShell to pull the info and export it from Active Directory and then use a server script to import etc.

                                  • 14. Re: Who is logged in (External Accounts)
                                    wimdecorte

                                    sreese wrote:

                                     

                                    You could use PowerShell to pull the info and export it from Active Directory and then use a server script to import etc.

                                     

                                    You can do all of that... but you still have to figure out what format the user logged in with and parse it out to do your search.
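An added example, not part of any post in this thread: one way to resolve whatever Get ( AccountName ) returned (short name, full name, UPN, or a DOMAIN\user form) to a single stable directory key from a nightly AD export, refusing to guess when a typed name matches more than one person. The CSV columns, GUID values, the district.example domain and the reading of the fourth format as DOMAIN\user are assumptions made for illustration.

```python
import csv
import io

# Constructed sample of a nightly AD export; column names and values are
# assumptions for this example, not taken from the thread.
AD_EXPORT = """guid,sam,display,upn
a1,bvondeylen,Bryan VonDeylen,bvondeylen@district.example
b2,lsmith,Lynn Smith,lsmith@district.example
c3,lsmith2,Laura Smith,lsmith2@district.example
d4,jdoe,John Doe,jdoe@district.example
e5,jdoe2,John Doe,jdoe2@district.example
"""


def _key(text):
    """Collapse whitespace and case so 'Bryan  VonDeylen' == 'bryan vondeylen'."""
    return " ".join(text.split()).casefold()


def build_index(export_text):
    """Map every login form a user may type to the set of GUIDs it matches."""
    index = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        for form in (row["sam"], row["display"], row["upn"]):
            index.setdefault(_key(form), set()).add(row["guid"])
    return index


def normalize(account_name):
    """Reduce the account name the client reported to a comparable key."""
    name = _key(account_name)
    if "\\" in name:  # DOMAIN\user form: keep only the user part
        name = name.rsplit("\\", 1)[1]
    return name


def resolve(account_name, index):
    """Return the one GUID for this login, or None if unknown or ambiguous."""
    matches = index.get(normalize(account_name), set())
    # Fail closed: two staff sharing a display name must never share records.
    return next(iter(matches)) if len(matches) == 1 else None


INDEX = build_index(AD_EXPORT)
```

Records would then be tagged with the resolved key rather than with the typed account name, so the same person sees one set of records from every device.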
