Permissions for our Filemaker database to Externally authenticated users to only see their own data

I have a teachers database with authentication through AD.  I need a privilege set so that teachers can only see their data and their data only when they log on with their externally authenticated accounts (AD).  Trouble is I have a company setting up this security for me and they just aren't getting it.  I log on using a user name and password in our AD and they can access the DB but they see everyone else's data.  Bad news of course.  I'm assuming that the External Authentication is working since they can log in, but their privilege set is way too high (or I mean they can access way too many records).  They need only read-only access to their information.  I can send screenshots of the security pages if needed.
SFSDIT, Director of IT, asked:
kemi67 commented:
Uhmmm.
Is AccountName a calculated field of the table Staff, or is it a normal field?
Perhaps there is a problem if the field AccountName (that I don't see in your picture) is calculated.

And another hint: the field Staff.AccountName has the same name as the system variable in Get(AccountName): it could be that this is a problem.
Try to change the field name in the Staff table.
0
 
kemi67 commented:
I am not sure I have understood well.
Do you mean they log on using Active Directory (AD)?
From what I remember, there is no relation between an AD user and a FileMaker user, but it could be that this has changed in recent FileMaker versions.
Which version of FileMaker are you using?
Are you using a FileMaker Server and FileMaker client environment?
How are permissions set in FileMaker?
What is the user name set in the Preferences of the FileMaker client?
Are you sure that every FileMaker client has the correct user name set?

0
 
SFSDIT, Director of IT (author), commented:
Yes, I'm using Active Directory for our external authentication on FileMaker 10 Server Advanced.  The DB is set to use either the FileMaker 10 Pro client or IWP.  When our users log on in either way their access is the same: they can see everyone's data.  The company is using Get(AccountName), which should only show that user's data when logged in.
0
 
kemi67 commented:
It is very hard to give a solution without having the DB and checking which permissions are set.
I can only suggest that you print somewhere the result of Get(AccountName) to see if it is what you expect.
Then I suggest checking the permission set on the FileMaker database. It is not so simple to set permissions, so check them. Can you post a screen capture of the permissions?
0
 
kemi67 commented:
What do you mean by "their own user data"?
Is there a field that identifies which user the record is for?
Is such a field compared with Get(AccountName)?
Is there something wrong with the script that filters data for the user?
0
 
SFSDIT, Director of IT (author), commented:
I've exported the AccountName field and that table is populated correctly with our teachers' usernames.  The teachers' usernames are populated in a field called AccountName per the calculation Get(AccountName).

Yes, I can send a screenshot of the permissions, although I'll have to do it in about 30 minutes.
0
 
kemi67 commented:
Usually, in Active Directory the username is in the format DomainName\Username.
Are you sure that the field has the same format and Get(username) is the same?
That is, is the DomainName always written (or always not written) in a consistent way?
0
 
SFSDIT, Director of IT (author), commented:
It looks like it is reading Active Directory OK since I can log on with different teachers' accounts.  I'm trying my wife's as well as a friend's and I can log in to the DB just fine, so I know it is authenticating through our AD.
0
 
Nic44683 commented:
Privilege sets are tied to Active Directory groups through the "Manage" -> "Security" screen in FileMaker.  Therefore you need to have a group in Active Directory, something like "Database Read Only", into which you put the users you want to have read-only access only.  Then in the FileMaker Security screen you would create a new account but switch "Account is authenticated via" to "External Server" and then make sure the "Group Name" on that screen matches the name of the group in Active Directory.

On this same screen, you will see "Privilege Set", which allows you to tie a group to a particular privilege set.  Once you have all of this done:

1.  You would need a creation field for the records that is equal to "Account Name".
2.  You could then go to the Privilege Set and under "Data Access and Design" click on "Custom Privileges..." next to Records.
3.  For the particular table in which you want users to only see THEIR data, you would click on "View" and set it to "limited".
4.  For your calculation you would want to match the account name creation field that you specified in your table with the current user's account name.

That would look something like this:

Table::AccountName = Get(AccountName)

Then as long as "AccountName" in "Table" matches the currently logged-in user, they can view that data.
0
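As an added illustration (not FileMaker code and not from anyone in the thread), the following Python model evaluates the limited-view rule Table::AccountName = Get(AccountName) record by record, the way a privilege set would, and also shows the DomainName\Username mismatch kemi67 raised; the Staff rows, account names and helper names are constructed for the example.

```python
# Added model of FileMaker's record-level "View: limited" rule
# Table::AccountName = Get(AccountName). The rule must return a boolean for
# every record; only records where it is true are visible to the account.
# All rows and account names below are constructed samples, not real data.

# Constructed sample rows of a Staff table; only AccountName matters here.
STAFF = [
    {"id": 1, "AccountName": "jsmith", "salary": 48000},
    {"id": 2, "AccountName": "SCHOOL\\mjones", "salary": 51000},  # domain written
    {"id": 3, "AccountName": "JSmith", "salary": 47000},  # same user, other case
]


def field_equals(stored: str, current: str) -> bool:
    """Model of the '=' comparison on text fields: case-insensitive,
    otherwise exact. This is what the privilege set evaluates per record."""
    return stored.casefold() == current.casefold()


def normalized_equals(stored: str, current: str) -> bool:
    """Variant that drops a DOMAIN\\ prefix on both sides before comparing,
    for the case where the stored value and Get(AccountName) differ only in
    whether the domain name was written."""
    strip = lambda name: name.rsplit("\\", 1)[-1]
    return field_equals(strip(stored), strip(current))


def always_true_rule(stored: str, current: str) -> bool:
    """Misconfigured rule that is not a real comparison: every record passes,
    which is the 'everyone can see everyone's data' symptom in the thread."""
    return True


def visible_records(rows, current_account, rule=field_equals):
    """Return the ids of rows the logged-in account may view under `rule`.
    `current_account` plays the role of Get(AccountName)."""
    return [r["id"] for r in rows if rule(r["AccountName"], current_account)]


if __name__ == "__main__":
    print(visible_records(STAFF, "jsmith"))                      # [1, 3]
    print(visible_records(STAFF, "mjones"))                      # [] (domain mismatch)
    print(visible_records(STAFF, "mjones", normalized_equals))   # [2]
    print(visible_records(STAFF, "mjones", always_true_rule))    # [1, 2, 3]
```

The second call is the failure mode kemi67 describes: the comparison is correct but the stored value carries a domain prefix the current account name lacks, so the user sees nothing; the last call shows why a rule that does not actually compare exposes every record.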
 
SFSDIT, Director of IT (author), commented:
OK, I'm losing my mind.  I created a separate group in my AD and put 2 users in it, my wife's account and mine.  I turned off External Authentication and I wasn't allowed to log on, then turned Ext. Auth. back on and I was able to; that's good, but just like square one I was able to see all teachers' personal details instead of just the logged-in user, my wife.  I do have a field which contains the individual user's account name to match, but it doesn't seem to be matching.  There has to be something wrong with the privilege set, although I'm more frustrated than anything right now because nothing seems to work.


Filemaker screenshots attached.
FM-Account.png
Privilege-set.png
Limite-view-Calculation.png
0
 
SFSDIT, Director of IT (author), commented:
Another anomaly is that the calculation is telling me it must be boolean.  If I have it set to AccountName = Get ( AccountName ), how can the calculation be correct since it is looking for a 1 or 0, or True or False?
0
 
SFSDIT, Director of IT (author), commented:
Pointed me to the field to look at, did some switching and it worked.
0