12 Replies Latest reply on Mar 17, 2016 5:51 PM by g4guitar

    How to setup different users without using FM Accounts?

    g4guitar

      Currently in FileMaker Pro I know how to create different Accounts (under Security). I have multiple clients who each have their own version of the file. I have one Master file which I develop and then I migrate their data to a new copy of the file using RefreshFM. Each location has its own employees who they want to have access to certain data.

       

      My question: How do I create a setup where a new user can be created within a Location file? So when I upgrade via the master file the user settings for each individual location remain the same, as I believe the FileMaker Pro Accounts would revert back to the Master file.

       

      Thank you.

       

       


        • 1. Re: How to setup different users without using FM Accounts?
          kurt.bleicken

          I was waiting for someone more expert than I am to respond first, but here are my thoughts.

           

          As you know, user accounts and passwords cannot be imported using RefreshFM. We have the same situation with our solution, so here is what we are going to try. We have a user table and scripts that create new users in that table, assign privilege sets to the user, and create account names and passwords . . . all in the user table. The script then creates new accounts in FM's security system, sets the privilege set and sets the password. We then send the login credentials to the new user.

           

          We will save their password instead of asking the user to set their own password.  Given that, after an import using RefreshFM, we plan to run a script that loops through all the users and recreates their account name and password. This would save the process of creating all new user accounts, etc. And save the users from going through the new user login procedure learning a new password.

          • 2. Re: How to setup different users without using FM Accounts?
            wimdecorte

            Use External Authentication instead?  That way you only need to set up the "groups", not individual accounts.

            • 3. Re: How to setup different users without using FM Accounts?
              kurt.bleicken

              You are probably right, Wim, but the instructions intimidated us. As follows:

               

              The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing a distributed directory across an IP network.  A typical use of LDAP is to aid in looking up information from a directory service.  A directory service is a combination of software and hardware that stores, organizes and provides access to information in a directory.  With LDAP, system administrators can centrally manage users, groups, devices, and other data.

              If your organization uses an LDAP-compliant directory service you can centrally manage your files hosted with FileMaker Server with your directory service.  Examples of compliant directory services include:

              • Windows Active Directory / Domain
              • Apple Open Directory

              FileMaker Server has a "Directory Service" tab where you can list the FileMaker Server computer in a Directory Service.  This feature helps FileMaker Pro clients find the server on a network but does not play a role in the authentication of users.  In addition, while Windows Active Directory and Apple Open Directory are both considered Directory Services and while they both support the LDAP protocol - this has nothing to do with the "Directory Service" configuration in the FileMaker Server settings.

              So now that we know that LDAP is a protocol for communicating with a supported Directory Service, what is required to configure FileMaker Pro clients and FileMaker Server to use external authentication using the LDAP protocol?  There are several things that are required in order for external authentication to work:

              • 4. Re: How to setup different users without using FM Accounts?
                wimdecorte

                The key in that section is this:

                 

                kurt.bleicken wrote:

                 

                FileMaker Server has a "Directory Service" tab where you can list the FileMaker Server computer in a Directory Service.  This feature helps FileMaker Pro clients find the server on a network but does not play a role in the authentication of users.

                and that means that you can completely disregard anything on that tab and LDAP concepts in general.

                 

                To make EA work all you need is:

                - to flip the toggle in FMS that says "FileMaker and External Accounts"

                - the FMS machine needs to be a member server of the AD or OD (at the OS level - not an FMS setting) if you want to use AD or OD accounts

                - if you don't want to use AD or OD then don't make the FMS machine a member on the OS level; then you can use local accounts and groups that exist in the OS of the machine

                - in the FM file; create "external" accounts to match the groups you want to use.

                 

                It's not as intimidating as it sounds.  You may want to find someone to walk you around it, wouldn't take more than an hour.

                • 5. Re: How to setup different users without using FM Accounts?
                  user19752

                  Do you use FMS for each client?

                  • 6. Re: How to setup different users without using FM Accounts?
                    wimdecorte

                    Who is the question for?

                     

                    If for me: yes.  I simply won't deploy without FMS.  The backups are reason enough.

                    • 7. Re: How to setup different users without using FM Accounts?
                      kurt.bleicken

                      Wim, can external authorization be set with a script to set up user accounts and passwords?

                      • 8. Re: How to setup different users without using FM Accounts?
                        wimdecorte

                        Kinda... since the accounts do not exist in FM you're basically talking about scripting the OS to have it add the accounts and set the pws.

                         

                        So it is not by using the FM native account script steps.

                         

                        I'm familiar with how to do that on Windows, not so much on Mac.

                        • 9. Re: How to setup different users without using FM Accounts?
                          Extensitech

                          Can you kick this off from inside the FM client, perhaps with PSOS or some such?

                           

                          If so, is that something you'd be interested in sharing or selling? I'm drinking the kool-aid as far as how AD solves a lot of challenges, particularly for multi-file solutions, but being able to have an administrative FM user set up their own user accounts is a tough one to give up. I realize that we should be able to train the client to set up AD accounts, but our clients don't tend to be that IT-savvy...

                           

                          Chris Cain

                          Extensitech

                          • 10. Re: How to setup different users without using FM Accounts?
                            wimdecorte

                            Extensitech wrote:

                             

                            Can you kick this off from inside the FM client, perhaps with PSOS or some such?

                             

                             

                            Sure you can.  Easy enough to construct a VBscript from inside FM based on FM data.

                             

                            All of this stuff is easily found (I've demoed the VBscript thing a few times over the years), and how to interact with AD is easy to google.  The easiest way is to import from an Excel sheet for instance.

                             

                            Don't have any demo files ready for this at this point.

                             

                            An obvious thing to consider of course is that the person executing all of this needs to have admin rights to the AD... which is not always a given.  In many (bigger) places where AD is in use, the whole point is that account creation is a process with multiple approval gates etc.

                            • 11. Re: How to setup different users without using FM Accounts?
                              user19752

                              Sorry for the late reply; it was in response to g4guitar, since I didn't see the word "server" in the 1st post. I should have written "location" instead of "client".

                              • 12. Re: How to setup different users without using FM Accounts?
                                g4guitar

                                Thank you Kurt, that's very helpful and I'd like to give it a go. I have the user table set up with Timestamp, User name and user password fields, but where would I go from there? Is there a tutorial somewhere I could follow?

                                 

                                Thanks again.