Permissions for our Filemaker database to Externally authenticated users to only see their own data

Posted on 2011-02-17
Last Modified: 2012-05-11
I have a teachers database authenticating through AD.  I need a privilege set so that teachers can only see their data and their data only when they log on with their externally authenticated accounts (AD).  Trouble is I have a company setting up this security for me and they just aren't getting it.  I log on using a user name and password in our AD and they can access the DB but they see everyone else's data.  Bad news of course.  I'm assuming that the External Authentication is working since they can log in, but their privilege set is way too high (or I mean they can access way too many records).  They need only read-only access to their information.  I can send screenshots of the security pages if needed.
Question by:SFSDIT

Expert Comment

ID: 34924275
I am not sure I have understood well.
Do you mean they log on using Active Directory (AD)?
From what I remember, there is no relation between the AD user and the FileMaker user, but it could be that this has changed in recent FileMaker versions.
Which version of FileMaker are you using?
Are you using a FileMaker Server and FileMaker client environment?
How are permissions set in FileMaker?
What is the user name set in the Preferences of the FileMaker client?
Are you sure that every FileMaker client has the correct user name set?


Author Comment

ID: 34924538
Yes, I'm using Active Directory for our external authentication on FileMaker 10 Server Advanced.  The DB is set to use either the FileMaker 10 Pro client or IWP.  When our users log on either way their access is the same: they can see everyone's data.  The company is using Get (accountname), which should only show that user's data when logged in.

Expert Comment

ID: 34924656
It is very hard to give a solution without having the DB and checking which permissions are set.
I can only suggest that you print the result of Get(accountname) somewhere to see if it is what you expect.
Then I suggest checking the permissions set on the FileMaker database. It is not so simple to set permissions, so check them. Can you post a screen capture of the permissions?

Expert Comment

ID: 34924675
What do you mean by "their own user data"?
Is there a field that identifies which user the record is for?
Is such a field compared with Get(accountname)?
Is there something wrong with the script that filters data for the user?

Author Comment

ID: 34924713
I've exported the AccountName field and that table is populated correctly with our teachers' usernames.  The teachers' usernames are populated in a field called AccountName per the calculation Get (AccountName).

Yes, I can send a screenshot of the permissions, although I'll have to do it in about 30 minutes.

Expert Comment

ID: 34924768
Usually, in Active Directory the username is in the format DomainName\Username.
Are you sure that the field is in the same format and Get(username) is the same?
That is, is the DomainName always written (or always not written) in a consistent way?

Author Comment

ID: 34924791
It looks like it is reading Active Directory OK since I can log on with different teachers' accounts.  I'm trying my wife's as well as a friend's and I can log in to the DB just fine, so I know it is authenticating through our AD.

Expert Comment

ID: 34927947
Privilege sets are tied to Active Directory Groups through the "Manage" -> "Security" screen in FileMaker.  Therefore you need to have a group in Active Directory, something like "Database Read Only", in which you put the users you want to have only read-only access.  Then in the FileMaker Security screen you would create a new account but switch the "Account is authenticated via" to "External Server" and then make sure the "Group Name" on that screen matches the name of the Group in Active Directory.

On this same screen, you will see "Privilege Set" that would allow you to tie a group to a particular privilege set.  Once you have all of this done:

1.  You would need a creation field for the records that was equal to "Account Name".
2.  You could then go to the Privilege Set and under "Data Access and Design" you would click on "Custom Privileges.." next to records.
3.  For the particular table that you want users to only see THEIR data you would click on "View" and set to "limited".
4.  For your calculation you would want to match the account name creation field that you specified in your table with the current user's account name.

That would look something like this:

Table::AccountName = Get(AccountName)

Then as long as "AccountName" in "Table" matched the currently logged in user, they could view that data.
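
Added example, not part of the original post and not FileMaker code: a small Python model of the "limited" View test described above, with an audit that checks each account sees only its own records. The `normalize` policy, the sample data and all function names are assumptions of this example; the per-record test stands in for `Table::AccountName = Get(AccountName)`.

```python
# Added illustration: models a per-record "limited" View privilege in plain Python.

def normalize(account):
    """Reduce DOMAIN\\user or user@domain to a bare lowercase name (assumed policy)."""
    name = (account or "").strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()

def can_view(record, account):
    """Boolean per-record test: owner field must be non-empty and match the login."""
    owner = normalize(record.get("AccountName"))
    return bool(owner) and owner == normalize(account)

def always_true(record, account):
    """A test that passes for every record: the symptom reported in the thread."""
    return True

def visible_records(records, account, predicate=can_view):
    """Records the account would be shown under the given per-record test."""
    return [r for r in records if predicate(r, account)]

def audit(records, accounts, predicate=can_view):
    """Return (account, record id) pairs where an account sees a record it does not own."""
    leaks = []
    for account in accounts:
        for r in visible_records(records, account, predicate):
            if normalize(r.get("AccountName")) != normalize(account):
                leaks.append((account, r["id"]))
    return leaks

# Constructed sample data: one bare name, one domain-prefixed name, one empty owner.
STAFF = [
    {"id": 1, "AccountName": "jsmith"},
    {"id": 2, "AccountName": "SCHOOL\\mjones"},
    {"id": 3, "AccountName": ""},
]
ACCOUNTS = ["jsmith", "mjones"]

if __name__ == "__main__":
    print("limited view leaks:", audit(STAFF, ACCOUNTS))
    print("always-true leaks: ", audit(STAFF, ACCOUNTS, always_true))
```

Running the same audit against what each test account can actually browse (for example an export per login) shows whether the privilege set is filtering at all, which a successful login alone does not.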

Author Comment

ID: 34935903
OK I'm losing my mind.  I created a separate Group in my AD and put 2 users in it, my wife's account and mine.    I turned off External authentication and I wasn't allowed to log on, then turned Ext Auth. back on and I was able to, that's good, but just like square one I was able to see all teachers' personal details instead of just the logged-in user, my wife.  I do have a field which contains the individual user's account name to match, but it doesn't seem to be matching.   There has to be something wrong with the privilege set, although I'm more frustrated than anything right now 'cause nothing seems to work.

Filemaker screenshots attached.

Author Comment

ID: 34935942
Another anomaly is the calculation is telling me it must be boolean.  If I have it set to AccountName = Get ( AccountName ) how can the calculation be correct since it is looking for a 1 or 0, or True or False?

Accepted Solution

kemi67 earned 250 total points
ID: 34937024
Is AccountName a calculated field of the table Staff, or is it a normal field?
Perhaps there is a problem if the field AccountName (that I don't see in your picture) is calculated.

And another hint: the field Staff.AccountName has the same name as the system variable in Get(Accountname): it could be that this is a problem.
Try to change the field name in the Staff table.

Author Closing Comment

ID: 34937245
Pointed me to the field to look at, did some switching and it worked.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop up windows can be a useful feature of any Filemaker database.  Though best used sparingly, they can be employed in a multitude of different ways, for example;  as a splash screen at login, during scripted processes to control user input, as pick…
Conversion Steps for merging and consolidating separate Filemaker files The following is a step-by-step guide for the process of consolidating two or more FileMaker files (version 7 and later) into a single file with multiple tables. Sometimes th…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question