4 Replies Latest reply on Jul 18, 2017 1:12 PM by wimdecorte

    A.D. win

    Draco

      Hi,

      When linking A.D. with FM, ...

       

      QUESTION:

       

      A )  From the FM scripts I can access the user data in the AD (user name and group name in AD)

       

      or

       

      B )  Each time I want to allow access to an AD user (inside the FM db) I must create a user (in FM -> External Server) with the same name as the user used in Active Directory, and then use: Get (AccountName ), Get (AccountPrivilegeSetName) ?

       

      Regards

      Draco

        • 1. Re: A.D. win
          KenNewell

          Hope this helps:

          1) Create a group in AD.  I like to name it FM... so that my IT staff know the group is used for FM.

           

          2) Ensure on your server that you are using both FM and External for authentication.  Of course with FMS16 you have two new options but let's ignore them for the time being for this quick and dirty description.

           

          3) On the File select "Manage Security".

           

          4) Create a User with the exact same name as the AD group.  Select External Server.

           

          5) Set the privs for the group.

           

          That should now allow the user to log in with their AD credentials.  When you select Get(AccountName) you do not get the group name but the individual user is passed through.

           

          A new command was added in FM16 that you can use to get the group name. I think it is Get(GroupName)

           

          Hope this simple overview is what you needed.

          • 2. Re: A.D. win
            wimdecorte

            Draco wrote:

             

             

             

            B ) Each time I want to allow access to an AD user (inside the FM db) I must create a user (in FM -> External Server) with the same name as the user used in Active Directory, and then use: Get (AccountName ), Get (AccountPrivilegeSetName) ?

             

             

            No.  You don't create individual user accounts in FM, just group accounts that match an existing AD group.

             

            In FM the Get(accountname) will return the AD user account name that the user used.  Keep in mind that it can be one of 3 different syntaxes, so be careful if you use the Get(AccountName) for any record-level-access restrictions.  The user can use:

            johndoe

            johndoe@domain

            DOMAIN\johndoe

             

            depending on how they are trained.  All 3 are valid.

            1 of 1 people found this helpful
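
The three login syntaxes listed in reply 2, handled in one record-level access calculation. This is an added example, not part of the original thread: the field Invoices::OwnerAccount is hypothetical and is assumed to hold the bare user name, and a single AD domain is assumed.

```filemaker
// Added example: record-level access calculation for a privilege set
// (Records: "Limited..." option). Evaluates to true when the logged-in
// AD user owns the record, whichever of the three syntaxes was typed.
// Invoices::OwnerAccount is a hypothetical field holding the bare user name.
// Assumption: one AD domain, so the bare name identifies exactly one user.
Let ( [
  raw      = Lower ( Trim ( Get ( AccountName ) ) ) ;
  slashPos = Position ( raw ; "\\" ; 1 ; 1 ) ;   // "\\" is one literal backslash
  atPos    = Position ( raw ; "@" ; 1 ; 1 ) ;
  userName = Case (
    slashPos > 0 ; Right ( raw ; Length ( raw ) - slashPos ) ;   // DOMAIN\johndoe
    atPos > 0    ; Left ( raw ; atPos - 1 ) ;                    // johndoe@domain
    raw                                                          // johndoe
  ) ;
  owner    = Lower ( Trim ( Invoices::OwnerAccount ) )
] ;
  // Fail closed: an empty name on either side never matches.
  not IsEmpty ( userName ) and not IsEmpty ( owner ) and userName = owner
)
```

Comparing Get ( AccountName ) to the owner field directly would lock the same person out whenever they log in with a different syntax than the one stored.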
            • 3. Re: A.D. win
              fitch

              Another way to put it:

               

              Create your users and groups in AD.

               

              Create matching groups in FM and assign their privileges (specific to that file).

               

              You don't need to create users in FM, only groups.*

               

              *However, full access users should be created and managed in FM, not AD.

              1 of 1 people found this helpful
              • 4. Re: A.D. win
                wimdecorte

                Draco wrote:

                 

                 

                 

                A ) From the FM scripts I can access the user data in the AD (user name and group name in AD)

                 

                 

                 

                No.  You can't access any AD data (as in reading from AD).  But as mentioned, the AD user name that the user uses to log in will be reflected in the Get(AccountName).  If you are using 16 then the new Get(AccountGroupName) will reflect the AD group that the user belongs to.

                 

                In 15 and before many of us name the privilege set the same as the AD group name so that Get(PrivilegeSetName) can be used as a proxy.

                2 of 2 people found this helpful