1 of 1 people found this helpful
You have the right setting in FM server. Go ahead and enable that. It means that when a user selects "Open Remote" and selects your FM server, they will only see listed databases that they have access to. Depending on your setup, they might get prompted to enter their username/password upon selecting the Open Remote menu option. Once they put that in, then the dialog box will only show those dB's that they have access to.
In the case of the databases that are setup with Guest access, then those will likely show up as available to everyone. I can't remember the last time I ever created or managed a dB that had Guest access turned on, so not 100% sure on this.
I think this is going to be a big steaming mess to be honest. It's those ones with Guest turned on that are what I'm concerned about.
I'm having a hard time finding any detailed user guide on how all this manifests itself, based on how the file is set up.
BowdenData, when you said "
they might get prompted to enter their username/password upon selecting the Open Remote menu option. Once they put that in, then the dialog box will only show those dB's that they have access to", this is exactly the kind of detail I'm trying to find in a guide or document from Filemaker but haven't found.
I'm also concerned with what will happen while people are currently accessing these files? What will happen if I select that checkbox while people are here doing their work with those files?
1 of 1 people found this helpful
You should click that box in FMS that says "List only the databases each user is authorized to access."
With that setting in place, when a user goes to Open Remote, the user will be prompted to enter credentials. The user will then see only those databases for which the credentials are valid.
However, from a bigger perspective, I'd suggest taking a deeper look at your databases. By default, the Guest account assigns a predefined "Read Only" privilege set. If that's what the users are logging in with, they wouldn't be able to modify any of the data in the databases, so none of the data would ever be changed by users. Login to one of the databases that you can just open with a double click. Modify some data. If you're allowed to modify it...then either the previous developer assigned a different privilege set to Guest, or the files have been set to open with a default account (which might or might not be "Guest").
It sounds to me like the security for the whole system needs to be looked at in depth. All users are anonymous, they all have the same privileges, and my guess is there are holes which would provide vulnerabilities.
Turning that setting on or off will not affect users currently logged in.
If a user clicks on Open Remote, and then selects the Guest option instead of Account option, the user will see all files which have the Guest account turned on. I personally do not ever use the Guest account.
You COULD go to the new user's computer, and for the Open Remote Host setting, you could click the option to "Show only these files", and then type in the names only of databases that user should see. It's not ideal, but that user wouldn't see databases not listed. The user could very easily reverse that though.
I've spoken to the IT director, and he's trying something out, setting the visibility using Group settings via Windows. He has our work group assigned to a Group in Active Directory already. However the visibility to the FM server was all domain users, which includes my work group, plus a lot of other people. Hopefully limiting it to just the work group using the AD settings will take care of it. Waiting to hear back from him now.
Active Directory tells me Windows, which tells me that it's possible that the previous developer may have used External Authentication in the databases.
Are you SURE that the databases are all set up with Guest accounts? Are you SURE that double clicking logs a user in as Guest? I have an uneasy feeling that things are set up differently than you're thinking.
I'm going to open each one I suspect that is set up that way and be sure before I go ahead with anything else. The first two I looked at were setup with Log In Using Guest Account...and Allow Credential Manager to save password.
( BTW, changing the permission from domain to group made no difference.)
When these files were created, it was done in FileMaker 5 or older, and at the time, there was no Active Directory set up here at this organization.
Login as the Full Access account if you can. Go to File>Manage>Security. Take a look at the accounts that are set up. If it's like you're thinking, then my guess is there is one Guest account and one Admin account. If there are other accounts, see what their assigned privilege sets are.
Because you do have Active Directory, and the files are served, External Authentication would be available to your organization, and EA is by far the most secure and preferred method. Making a switch to EA would be relatively easy, and would provide you with very robust security.
The security guide is a great resource. You can find it at: