3 Replies Latest reply on Apr 1, 2014 7:25 AM by wimdecorte

    Individual user authentication via Active Directory

    tcwaters

      The ability for FileMaker to use Active Directory for authentication is awesome, and works great for me when I'm using an AD group. However, is there a way to have/allow individual users to authenticate and have privs unique to that user? Do I need to make an AD Group with only that one user in it so I can have a FileMaker Privilege set matched to that user?

       

      And lastly, I'm guessing if a user is in multiple AD groups, the one which is listed first on the "Accounts" screen is the one the user will be authenticated by, correct?

       

      THX

        • 1. Re: Individual user authentication via Active Directory
          taylorsharpe

          The general answer is no.  The correct procedure is to make more refined groups to assign a User ID to for FileMaker privileges.  Usually the default company groups are not refined enough for the privileges I need in FileMaker and I usually have to add a number of Active Directory Groups just for FileMaker privileges.  I have a habit of preceding them all with "FM_" so I know which ones are FileMaker groups. 

           

          While you can't change privileges directly, you can always "Get ( AccountName )" to find the User ID logged in and use a Script to perform actions in "[Full Access]" mode that they couldn't normally under their privilege group.  Or you could have a script log them out into a special privilege group automatically based on their current User ID. 

           

          There are some scripting workarounds, but they often are not great and sometimes there are ways to work around the security that you don't want done.  That is why using Privilege Groups the way they are supposed to be used is best. 

           

          I often get the User ID to do some custom things for an individual like someone who always wants their screen zoomed to 150% or resized a particular way on startup or to run a special report and you don't need a Privilege group just for that.  Just use the "Get ( AccountName )" to see who is logged on to make the script do something for that particular person. 

          • 3. Re: Individual user authentication via Active Directory
            wimdecorte

            tcwaters wrote:

            And lastly, I'm guessing if a user is in multiple AD groups, the one which is listed first on the "Accounts" screen is the one the user will be authenticated by, correct?


            First on the "Accounts" screen when you look at it in "authentication order", that's a choice at the lower right corner.
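
The first-match rule discussed in this thread, as an added example that is not part of any post and is not FileMaker's own code: a small Python model that resolves which group-based account applies to a user and lists users who belong to more than one mapped group. The group names, privilege set names and memberships are constructed, and exact name comparison is an assumption of the model.

```python
"""Model of first-match account resolution by authentication order (constructed data)."""

# Hypothetical externally authenticated accounts, listed in authentication order:
# (AD group name, FileMaker privilege set).
ACCOUNTS = [
    ("FM_Admins", "[Full Access]"),
    ("FM_Finance", "Finance Entry"),
    ("FM_Staff", "[Data Entry Only]"),
    ("FM_ReadOnly", "[Read-Only Access]"),
]

# Constructed AD group memberships for three sample users.
MEMBERSHIPS = {
    "asmith": {"Domain Users", "FM_Staff", "FM_Finance"},
    "bjones": {"Domain Users", "FM_ReadOnly"},
    "cdoe": {"Domain Users"},
}


def matches(user_groups, accounts):
    """All accounts whose group the user belongs to, kept in authentication order."""
    return [(g, p) for g, p in accounts if g in user_groups]


def resolve(user_groups, accounts=ACCOUNTS):
    """First matching account wins; None means no mapped group matched."""
    hits = matches(user_groups, accounts)
    return hits[0] if hits else None


def audit(memberships, accounts=ACCOUNTS):
    """Users in several mapped groups: the account that applies and those it shadows."""
    report = {}
    for user, groups in sorted(memberships.items()):
        hits = matches(groups, accounts)
        if len(hits) > 1:
            report[user] = {"effective": hits[0], "shadowed": hits[1:]}
    return report


if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        print(user, "->", resolve(groups))
    print("ambiguous:", audit(MEMBERSHIPS))
```

Re-running `resolve` with a reordered account list shows how a change in authentication order alone changes the privilege set a multi-group user receives.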