Solved

Permissions for our Filemaker database to Externally authenticated users to only see their own data

Posted on 2011-02-17
Last Modified: 2012-05-11
I have a teachers database authenticating through AD. I need a privilege set so that teachers can only see their data, and their data only, when they log on with their externally authenticated accounts (AD). Trouble is I have a company setting up this security for me and they just aren't getting it. I log on using a user name and password in our AD and they can access the DB but they see everyone else's data. Bad news of course. I'm assuming that the External Authentication is working since they can log in, but their privilege set is way too high (or I mean they can access way too many records). They need only read-only access to their information. I can send screenshots of the security pages if needed.
0
Question by:SFSDIT
12 Comments
 
LVL 7

Expert Comment

by:kemi67
ID: 34924275
I am not sure I have understood correctly.
Do you mean they log on using Active Directory (AD)?
From what I remember, there is no relation between AD user and FileMaker using, but it could be that this has changed in recent Filemaker versions.
Which version of Filemaker are you using?
Are you using a FileMaker Server and FileMaker client environment?
How are permissions set on Filemaker?
What is the user name set in the Preferences of the Filemaker client?
Are you sure that every Filemaker client has the correct user name set?

0
 

Author Comment

by:SFSDIT
ID: 34924538
Yes, I'm using Active Directory for our external authentication on FileMaker 10 Server Advanced. The DB is set to use either the Filemaker 10 Pro client or IWP. When our users log on either way their access is the same: they can see everyone's data. The company is using the Get (accountname), which should only show that user's data when logged in.
0
 
LVL 7

Expert Comment

by:kemi67
ID: 34924656
It is very hard to give a solution without having the DB and checking which permissions are set.
I can only suggest that you print somewhere the result of Get(accountname) to see if this is what you expect.
Then I suggest checking the permissions set on the Filemaker database. It is not so simple to set permissions, so check them. Can you post a screen capture of the permissions?
0

 
LVL 7

Expert Comment

by:kemi67
ID: 34924675
What do you mean by "their own user data"?
Is there a field that identifies which user the record is for?
Is such a field compared with Get(accountname)?
Is there something wrong with the script that filters data for the user?
0
 

Author Comment

by:SFSDIT
ID: 34924713
I've exported the AccountName field and that table is populated correctly with our teachers' usernames. The teachers' usernames are populated in a field called AccountName per the calculation Get (AccountName).

Yes, I can send a screenshot of the permissions, although I'll have to do it in about 30 minutes.
0
 
LVL 7

Expert Comment

by:kemi67
ID: 34924768
Usually, in Active Directory the username is in the format DomainName\Username.
Are you sure that the field is in the same format and Get(username) is the same?
That is, is the DomainName always written (or always not written) in a consistent way?
0
 

Author Comment

by:SFSDIT
ID: 34924791
It looks like it is reading Active Directory OK since I can log on with different teachers' accounts. I'm trying my wife's as well as a friend's and I can log in to the DB just fine, so I know it is authenticating through our AD.
0
 
LVL 1

Expert Comment

by:Nic44683
ID: 34927947
Privilege sets are tied to Active Directory Groups through the "Manage" -> "Security" screen in FileMaker. Therefore you need to have a group in Active Directory, something like "Database Read Only", in which you put the users you want to have only read-only access. Then in the FileMaker Security screen you would create a new account but switch the "Account is authenticated via" to "External Server" and then make sure the "Group Name" on that screen matches the name of the Group in Active Directory.

On this same screen, you will see "Privilege Set" that would allow you to tie a group to a particular privilege set.  Once you have all of this done:

1.  You would need a creation field for the records that was equal to "Account Name".  
2.  You could then go to the Privilege Set and under "Data Access and Design" you would click on "Custom Privileges.." next to records.
3.  For the particular table that you want users to only see THEIR data you would click on "View" and set to "limited"
4.  For your calculation you would want to match the account name creation field that you specified in your table with the current user's account name.

That would look something like this:

Table::AccountName = Get(AccountName)

Then as long as "AccountName" in "Table" matched the currently logged in user, they could view that data.
0
 

Author Comment

by:SFSDIT
ID: 34935903
OK, I'm losing my mind. I created a separate Group in my AD and put 2 users in it, my wife's account and mine. I turned off External authentication and I wasn't allowed to log on, then turned Ext Auth. back on and I was able to, that's good, but just like square one I was able to see all teachers' personal details instead of just the logged-in user, my wife. I do have a field which contains the individual user's account name to match, but it doesn't seem to be matching. There has to be something wrong with the privilege set, although I'm more frustrated than anything right now 'cause nothing seems to work.


Filemaker screenshots attached.
FM-Account.png
Privilege-set.png
Limite-view-Calculation.png
0
 

Author Comment

by:SFSDIT
ID: 34935942
Another anomaly is the calculation is telling me it must be boolean.  If I have it set to AccountName = Get ( AccountName ) how can the calculation be correct since it is looking for a 1 or 0, or True or False?
0
 
LVL 7

Accepted Solution

by:
kemi67 earned 250 total points
ID: 34937024
Uhmmm
Is AccountName a calculated field of the table Staff, or is it a normal field?
Perhaps there is a problem if the field AccountName (that I don't see in your picture) is calculated.

And another hint: the field Staff.AccountName has the same name as the system variable in Get(Accountname): it could be that this is a problem.
Try to change the field name in the Staff table.
0
 

Author Closing Comment

by:SFSDIT
ID: 34937245
Pointed me to the field to look at, did some switching and it worked.
0
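
An added example, not part of the original thread or any poster's code: a Python model of the limited-view rule `Table::AccountName = Get(AccountName)` that audits an exported owner column and shows which records a given login would see. The exact-match comparison, the `owner_is_session_calc` switch (an owner field evaluated as the current account for whoever is logged in) and all sample names are assumptions of this model.

```python
# Added example: a Python model of the limited-view rule, not FileMaker code.
# All account names and records below are constructed sample data.

def normalize(account):
    """Reduce DOMAIN\\user or user@domain to a bare, lower-case user name."""
    name = account.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()

def visible_ids(records, session_account, owner_is_session_calc=False):
    """Ids for which owner == session account (exact match, an assumption).

    owner_is_session_calc models an owner field that is evaluated as the
    current account for whoever is logged in, instead of a stored value.
    """
    shown = []
    for rec in records:
        owner = session_account if owner_is_session_calc else rec["owner"]
        if owner == session_account:
            shown.append(rec["id"])
    return shown

def audit_owner_field(records, directory_accounts):
    """Classify each exported owner value against the known account names."""
    exact = set(directory_accounts)
    loose = {normalize(a) for a in directory_accounts}
    findings = {}
    for rec in records:
        owner = rec["owner"]
        if not owner.strip():
            findings[rec["id"]] = "empty"            # nobody owns this record
        elif owner in exact:
            findings[rec["id"]] = "ok"
        elif normalize(owner) in loose:
            findings[rec["id"]] = "format-mismatch"  # domain prefix, case, spaces
        else:
            findings[rec["id"]] = "unknown-account"
    return findings

RECORDS = [{"id": 1, "owner": "jsmith"}, {"id": 2, "owner": "SCHOOL\\mjones"},
           {"id": 3, "owner": "MJones "}, {"id": 4, "owner": ""},
           {"id": 5, "owner": "oldteacher"}]
DIRECTORY = ["jsmith", "mjones"]

if __name__ == "__main__":
    print(audit_owner_field(RECORDS, DIRECTORY))
    print(visible_ids(RECORDS, "jsmith"), visible_ids(RECORDS, "jsmith", True))
```

Records reported as `format-mismatch` are the ones to review by hand against what the login actually returns for the account name.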
