Permissions for our Filemaker database to Externally authenticated users to only see their own data

Posted on 2011-02-17
Last Modified: 2012-05-11
I have a teachers database authentication through AD. I need a privilege set so that teachers can only see their data and their data only when they log on with their External authenticated accounts (AD). Trouble is I have a company setting up this security for me and they just aren't getting it. I log on using a user name and password in our AD and they can access the DB but they see everyone else's data. Bad News of course. I'm assuming that the External Authentication is working since they can log in but their privilege set is way too high (or I mean they can access way too many records). They need only read only access to their information. I can send screen shots of the securities pages if needed.
Question by:SFSDIT

Expert Comment

ID: 34924275
I am not sure I have well understood.
Do you mean they log on using Active Directory (AD)?
From what I remember, there is no relation between AD user and FileMaker using, but it could be that this is changed in recent Filemaker versions.
Which version of Filemaker are you using?
Are you using a FileMaker Server and FileMaker client environment?
How are permissions set on Filemaker?
What is the user name set in the Preferences of Filemaker client?
Are you sure that every Filemaker Client has set the correct user name?


Author Comment

ID: 34924538
Yes, I'm using Active Directory for our external authentication on FileMaker 10 Server advanced. The DB is set to use either the Filemaker 10 Pro client or IWP. When our users log on in either way their access is the same: they can see everyone's data. The company is using the Get (accountname) which should only show that user's data when logged in.

Expert Comment

ID: 34924656
It is very hard to give a solution without having the DB and checking which permissions are set.
I can only suggest to you to print somewhere the result of Get(accountname) to see if this is what you expect.
Then I suggest to check the permission set on Filemaker database. It is not so simple to set permissions, so check them. Can you post a screen capture of permissions?

Expert Comment

ID: 34924675
What do you mean by "their own user data"?
Is there a field that identifies which user the record is for?
Is such field compared with Get(accountname)?
Is there something wrong with the script that filters data for the user?

Author Comment

ID: 34924713
I've exported the AccountName field and that table is populated correctly with our teachers' usernames. The teachers' usernames are populated in a field called AccountName per the calculation Get (AccountName).

Yes, I can send a screen shot of the permissions, although I'll have to do it in about 30 minutes.

Expert Comment

ID: 34924768
Usually, in Active Directory the username is in the format DomainName\Username.
Are you sure that in the field is the same format and Get(username) is the same?
That is, is the DomainName always written (or always not written) in a consistent way?

Author Comment

ID: 34924791
It looks like it is reading Active Directory OK since I can log on with different teachers' accounts. I'm trying my wife's as well as a friend's and I can log in to the DB just fine so I know it is authenticating through our AD.

Expert Comment

ID: 34927947
Privilege sets are tied to Active Directory Groups through the "Manage" -> "Security" screen in FileMaker. Therefore you need to have a group in Active Directory, something like "Database Read Only" to which you put the users you want to only have read-only access to. Then in the FileMaker Security screen you would create a new account but switch the "Account is authenticated via" to "External Server" and then make sure the "Group Name" on that screen matches the name of the Group in Active Directory.

On this same screen, you will see "Privilege Set" that would allow you to tie a group to a particular privilege set.  Once you have all of this done:

1.  You would need a creation field for the records that was equal to "Account Name".  
2.  You could then go to the Privilege Set and under "Data Access and Design" you would click on "Custom Privileges.." next to records.
3.  For the particular table that you want users to only see THEIR data you would click on "View" and set to "limited"
4.  For your calculation you would want to match the account name creation field that you specified in your table with the current user's account name.

That would look something like this:

Table::AccountName = Get(AccountName)

Then as long as "AccountName" in "Table" matched the currently logged in user, they could view that data.

Author Comment

ID: 34935903
OK I'm losing my mind. I created a separate Group in my AD and put 2 users in it, my wife's account and mine. I turned off External authentication and I wasn't allowed to log on, then turned Ext Auth. back on and I was able to, that's good, but just like square one I was able to see all teachers' personal details instead of just the logged in user, my wife. I do have a field which contains the individual user's account name to match, but it doesn't seem to be matching. There has to be something wrong with the privilege set although more frustrated than anything right now cause nothing seems to work.

Filemaker screenshots attached.

Author Comment

ID: 34935942
Another anomaly is the calculation is telling me it must be boolean.  If I have it set to AccountName = Get ( AccountName ) how can the calculation be correct since it is looking for a 1 or 0, or True or False?

Accepted Solution

kemi67 earned 250 total points
ID: 34937024
Is AccountName a calculated field of the table Staff, or is it a normal field?
Perhaps there is a problem if the field AccountName (that I don't see in your picture) is calculated.

And another hint: the field Staff.AccountName has the same name as the system variable in Get(Accountname): could be that this is a problem.
Try to change the field name in the Staff Table.
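
Added example, not part of the thread: a Python model (not FileMaker code) of the record-level rule `Table::AccountName = Get(AccountName)` discussed in the answers above, comparing a stored owner field with a calculated one. It assumes an unstored calculation field defined as Get ( AccountName ) evaluates to the current login on every record; the table rows, function names and the DOMAIN\ prefix handling are constructed for illustration.

```python
# Model of a "limited" View privilege: a record is visible only when the
# privilege calculation returns true for that record. Not FileMaker code.

# Constructed sample data: one row per teacher in a Staff table.
STAFF = [
    {"name": "A. Rossi", "owner_account": "arossi"},
    {"name": "B. Chen", "owner_account": "bchen"},
    {"name": "C. Okafor", "owner_account": "cokafor"},
]

def normalize(account):
    """Strip an optional DOMAIN\\ prefix and fold case before comparing."""
    return account.rsplit("\\", 1)[-1].strip().lower()

def stored_owner(record, session_account):
    """Owner is a plain stored field written once when the record is created."""
    return record["owner_account"]

def recalculated_owner(record, session_account):
    """Assumed behaviour of an unstored calculation field defined as
    Get ( AccountName ): it yields the current login for every record."""
    return session_account

def visible_records(records, session_account, owner_field):
    """Apply the rule  owner field = Get ( AccountName )  to each record."""
    me = normalize(session_account)
    return [r["name"] for r in records
            if normalize(owner_field(r, session_account)) == me]

def rule_discriminates(records, owner_field, probe_accounts):
    """Test the privilege set: each probe login must see only its own row,
    and an account that owns nothing must see nothing."""
    for account in probe_accounts:
        seen = visible_records(records, account, owner_field)
        owned = [r["name"] for r in records
                 if normalize(r["owner_account"]) == normalize(account)]
        if seen != owned:
            return False
    return True

if __name__ == "__main__":
    for field in (stored_owner, recalculated_owner):
        print(field.__name__, visible_records(STAFF, "SCHOOL\\bchen", field))
    print(rule_discriminates(STAFF, stored_owner, ["arossi", "nobody"]))
```

Probing with at least two different logins plus one account that owns no record is what exposes a rule that is true for everyone.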

Author Closing Comment

ID: 34937245
Pointed me to the field to look at, did some switching and it worked.

Question has a verified solution.