Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Permissions for our Filemaker database to Externally authenticated users to only see their own data

Posted on 2011-02-17
12
814 Views
Last Modified: 2012-05-11
I have a teachers database authentication through AD.  I need a privilege set so that teachers can only see their data and their data only when they log on with their External authenicated accounts (AD).  Trouble is I have a company setting up this security for me and they just aren't getting it.  I log on using a user name and password in our AD and they can access the DB but they see everyone else's data.  Bad News of course.  I'm assuming that the External Authentication is working since they can log in but their privilege set is way to high (or I mean they can access way too many records)  They need only read only access to their information.  I can send screen shots of the securities pages if needed.
0
Comment
Question by:SFSDIT
  • 6
  • 5
12 Comments
 
LVL 7

Expert Comment

by:kemi67
ID: 34924275
I am not sure I have well understood.
Do you mean they log on using Active Directory (AD)?
For what I rememeber, there is no relation between AD user and FileMaker using, but it could be that this is changed in recent Filemaker versions
Which version of Filemaker are you using?
Are you using a FileMaker Server and FileMaker client enviroment?
How are permissions set on Filemaker?
What is the user name set in the Preferences of Filemaker client?
Are you sure that every Filemaker Client has set the correct user name?

0
 

Author Comment

by:SFSDIT
ID: 34924538
yes, I'm using Active Directory for our external authentication on FileMaker 10 Server advanced.  The DB is set to use either the Filemaker 10 Pro client or IWP.  When our users log on in either way their access is the same can see everyones data.  The company is using the Get (accountname) which should only show that users data when logged in.  
0
 
LVL 7

Expert Comment

by:kemi67
ID: 34924656
It very hard to give a solution without having the DB and checking which permissions are set.
I can only suggest to you to print somewhere the result of Get(accountname) to see if this is what you expect.
Then I suggest to check the permission set on Filemaker database. It is not so simple to set permissions, so check them. Can you post a screen capture of permissions?
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 7

Expert Comment

by:kemi67
ID: 34924675
What do you mean for "their own user data"?
Is there a field that identify which user is the record for?
Is such field compared with Get(accountname)?
Is there something wrong the the script that filters data for the user?
0
 

Author Comment

by:SFSDIT
ID: 34924713
I've exported the AccountName field and that table is populated correctly with our Teachers usernames.  The Teachers usernames are populated in a field called AccountName per the calculation Get (AccountName).  

yes, I can send a screen shot of the permissions, although I'll have to do it in about 30 minutes.
0
 
LVL 7

Expert Comment

by:kemi67
ID: 34924768
Usually, in Active Directory the username is in the format DomainName\Username.
Are you sure that in the field is the same format and Get(username) is the same.
That is, is the DomainName always witten (or always not written) in a consistent way?
0
 

Author Comment

by:SFSDIT
ID: 34924791
It looks like it is reading Active Director OK since I can log on with different teachers accounts.  I'm trying my wife's as well as a friend and I can log in to the DB just fine so I know it is authenticating through our AD.
0
 
LVL 1

Expert Comment

by:Nic44683
ID: 34927947
Privilege sets are tied to Active Directory Groups through the "Manage" -> "Security" screen in FileMaker.  Therefore you need to have a group in Active Directory, something like "Database Read Only" to which you put the users you want to only have ready-only access to.  Then in the FileMaker Security screen you would create a new account but switch the "Account is authenticated via" to "External Server" and then make sure the "Group Name" on that screen matches the name of the Group in Active Directory.

On this same screen, you will see "Privilege Set" that would allow you to tie a group to a particular privilege set.  Once you have all of this done:

1.  You would need a creation field for the records that was equal to "Account Name".  
2.  You could then go to the Privilege Set and under "Data Access and Design" you would click on "Custom Privileges.." next to records.
3.  For the particular table that you want users to only see THEIR data you would click on "View" and set to "limited"
4.  For your calculation you would want to match the account name creation field that you specified in your table with the current users account name.

Tha would look something like this:

Table::AccountName = Get(AccountName)

Then as long as "AccountName" in "Table" matched the currently logged in user, they could view that data.
0
 

Author Comment

by:SFSDIT
ID: 34935903
OK I'm losing my mind.  I created a separate Group in my AD and put 2 users in it, my wife's account and mine.    I turned off External authentication and I wasn't allowed to log on, then turned Ext Auth. back on and I was able to, that's good, but just like square one I was able to see all teachers personal details instead of just the logged in user, my wife.  I do have a field which contains the individual users account name to match, but it doesn't see to be matching.   There has to be something wrong with the privilege set although more frustrated than anything right now cause nothing seems to work.  


Filemaker screenshots attached.
FM-Account.png
Privilege-set.png
Limite-view-Calculation.png
0
 

Author Comment

by:SFSDIT
ID: 34935942
Another anomaly is the calculation is telling me it must be boolean.  If I have it set to AccountName = Get ( AccountName ) how can the calculation be correct since it is looking for a 1 or 0, or True or False?
0
 
LVL 7

Accepted Solution

by:
kemi67 earned 250 total points
ID: 34937024
Uhmmm
Is AccountName a calculated field of the table Staff, or is a normal field.
Perhaps there is a problem if the fiedl AccountName (that I don't see in your picture) is calculate.

And another hint: the field Staff.AccountName has the same name of the system variable in Get(Accountname): could be that this is a problem.
Try to change the field name in the Staff Table
0
 

Author Closing Comment

by:SFSDIT
ID: 34937245
Pointed me to the field to look at, did some switching and it worked.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Pop up windows can be a useful feature of any Filemaker database.  Though best used sparingly, they can be employed in a multitude of different ways, for example;  as a splash screen at login, during scripted processes to control user input, as pick…
Problem: You have a hosted FileMaker database and users are tired of having to use Open Remote or Open Recent to access the database. They say, "can't you just give us something to double-click on rather than have to go through those dialogs?" An…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question