5.2 User administration and access rights
The administration of user accounts and access rights is a central task in the administration of FileMaker databases. These functions allow you to control who can access which data and functions, and protect your sensitive information from unauthorized access. In this chapter, you will learn how to create and manage user accounts, customize access rights to layouts and data, and implement best practices for secure and efficient user management.
Table of contents
- 5.2 User administration and access rights
- Create and manage user accounts
- Customization of access rights to layouts and data
- Best practices for managing user access
- Extended access rights in FileMaker: Tips for assigning and managing them
Create and manage user accounts
User administration in FileMaker is the backbone of your database's security architecture. It allows you to control access to your database individually for each user and ensure that only authorized persons have access to certain information or functions.
Creating user accounts
- Opening the security administration: To create user accounts, open your database and go to File > Manage > Security. This opens the "Manage security" dialog, in which you can manage user accounts and their rights.
- Add new user account: In the "Manage security" window, click on New user. Here you can assign a user name and password and specify whether the password must be changed the first time you log in.
- Assignment of roles: After you have created the user, you must assign a role. Roles are predefined or user-defined sets of privileges that define what a user is allowed to do in the database. This includes access to certain layouts, tables, scripts and menus.
- Set password guidelines: To further increase security, you should enforce password policies. For example, you can require that passwords have a certain length and complexity and must be changed regularly.
Management of user accounts
- Edit user accounts: To make changes to existing user accounts, such as resetting a password or changing a role, open the "Manage security" dialog again. Here you can select existing users and make the corresponding changes.
- Deactivating or deleting user accounts: If a user no longer requires access, you can deactivate or delete their account. This is particularly important to ensure that former employees or temporary users no longer have access to the database.
- Monitoring and logging of user activities: FileMaker offers basic functions for monitoring user activities. For example, you can monitor when a user logs in and what actions they perform. This is useful for detecting and documenting suspicious behavior.
Best practices for the administration of user accounts
- Use unique user accounts: Avoid shared accounts for multiple users. This increases security and the traceability of actions in the database.
- Regular verification of user accounts: Check the list of active users regularly and make sure that only required accounts are still active.
- Enforcing strong passwords: Enforce that passwords are strong enough and changed regularly to minimize security risks.
Customization of access rights to layouts and data
Access rights in FileMaker control which data users can see and edit and which layouts are available to them. By assigning specific rights, you can ensure that users can only use the data and functions relevant to their tasks, which increases both security and efficiency.
Creation and customization of roles and privileges
- Access to the management of privilege sets: Open the security dialog via File > Manage > Security and select the tab Privilege sets. Here you can create new roles or edit existing ones to adjust the access rights.
- Definition of access rights to layouts: Roles can be configured so that they only have access to certain layouts. You can control whether a user may only view a layout, edit it or have no access to it.
- Adjustment of data access rights: In addition to layouts, you can also control data access. You can define which data records in a table a user may view, edit or delete. These rights can apply globally for all data records or specifically for certain data records.
- Reading, editing and deleting data: Define whether a user may display, edit or delete data in certain tables. You can also define whether certain fields within a table are writable or read-only.
- Field authorizations: If you need fine-grained control, you can customize access rights at field level. For example, you can specify that a user can edit certain fields in a layout, while other fields remain read-only.
Dynamic control of access rights
- Use of calculations to control access: FileMaker allows you to use calculations to dynamically control access rights. This allows you to implement complex rules that control access to specific data or functions based on user roles or other criteria.
- Application of conditional rights: You can define conditional rights that vary depending on certain field values or user attributes. For example, access to certain data records can be controlled based on the department field.
Best practices for customizing access rights
- Principle of minimum rights: Only give users the rights they absolutely need. This reduces the risk of unintentional or unauthorized changes.
- Create role-specific layouts: Create layouts specifically tailored to the needs of different roles to improve the user experience and increase security.
- Regular review of access rights: Regularly check the assignment of roles and privileges to ensure that they meet the current requirements and that no unnecessary rights are assigned.
Best practices for managing user access
Managing user access requires continuous monitoring and adjustment to ensure that your database remains secure and can be used efficiently at the same time. By implementing best practices, you can minimize the risk of security breaches and improve the user experience.
Regular checking and updating of access rights
- Verification of user accounts: Carry out regular checks of the active user accounts. Ensure that all accounts are still required and that the assigned rights meet the current requirements.
- Regular password updates: Enforce regular password changes to increase security. This is especially important if a password may have been compromised or a user is working in a security-sensitive role.
- Use audit logs: Use the audit logs integrated in FileMaker to log changes and accesses in the database. This helps you to recognize suspicious activities and, if necessary, to trace who has made which changes.
Training and sensitization of users
- Offer security training: Train your users regularly in the best security practices, especially in handling passwords and using the database. Make them aware of possible security risks and how they can avoid them.
- Guidelines for the secure handling of data: Implement guidelines for the secure handling of sensitive data. This could include secure access to the database, secure transmission of data and protection of end devices.
- Immediate response to security incidents: Develop a security incident response plan that includes steps to immediately suspend affected user accounts, investigate the incident, and notify affected parties.
Extended access rights in FileMaker: Tips for assigning and managing them
In addition to the basic access rights for records, layouts, value lists and scripts, FileMaker offers extended access rights that allow you to control access to special database functions. These extended privileges are particularly useful if you want to secure or specifically enable access to interfaces, databases and external connections. In this section, we focus on the extended privileges in FileMaker, including fmxdbc, fmapp, fmxml, fmphp, fmwebdirect, fmurlscript, and fmrest.
fmapp - FileMaker network access
The fmapp privilege controls whether a user can access a hosted database over the FileMaker network. This permission is important if your database is hosted in a multi-user environment and is to be accessed by various clients via the network.
- Recommended use: This right should be assigned to those user roles that regularly access the database via the network. It is advisable to deactivate this right for users who only access the database locally or via other interfaces.
- Tip: Restrict network access only to users who actually need it. This increases security and minimizes the risk of unauthorized access.
fmxdbc - ODBC/JDBC access
The fmxdbc right enables users to access the database via ODBC (Open Database Connectivity) or JDBC (Java Database Connectivity). These interfaces are often used to integrate FileMaker data into external applications such as BI tools (e.g. Tableau) or other database management systems.
- Recommended use: This permission should only be assigned to those user roles that actually need to query or update data via ODBC or JDBC. Typical applications include the integration of FileMaker data into reporting and analysis tools or access to the database by external programs.
- Tip: Assign this right restrictively, as ODBC/JDBC allows extensive access to data. Use additional protective measures such as IP whitelisting or SSL encryption for connections.
fmxml - Access via XML
The fmxml right enables access to the database via XML web publishing. This interface is used to provide data in XML format, which is particularly relevant for web applications or external systems that process data in XML.
- Recommended use: Enable this right only if user roles require access to XML data, for example for integration into content management systems (CMS) or other data processing applications that rely on XML.
- Tip: Implement security protocols such as SSL to ensure that XML data is transferred securely, as the API is often used in web environments.
fmphp - PHP web publishing
The fmphp right enables access to the database via the PHP Custom Web Publishing module. This is particularly useful for developers who want to integrate database content into PHP web applications.
- Recommended use: Assign this privilege only to web developers or user roles responsible for managing or integrating FileMaker data into PHP-based web applications. This API is powerful, but due to the sensitive data it provides, it should be well secured.
- Tip: Use SSL and other web security measures to ensure that the connection between FileMaker and the PHP application is protected.
fmwebdirect - WebDirect access
The fmwebdirect right enables access to the database via FileMaker WebDirect. With this technology, users can access FileMaker databases via a web browser without having to install a FileMaker client.
- Recommended use: This privilege is ideal for users who are mobile or working remotely and still need to access the FileMaker database. You can access most of the database functions via a browser without the need for additional software.
- Tip: Restrict WebDirect access to users who require a pure browser-based solution. Ensure that WebDirect sessions are secured via SSL.
fmurlscript - Execution of scripts via URL
The fmurlscript privilege makes it possible to start FileMaker scripts via a URL. This method is useful for automating processes where external systems need to trigger scripts in the FileMaker database.
- Recommended use: This privilege is suitable for user roles or systems that need to perform automated tasks, e.g. triggering a script through an external web service. It can be used to automate processes that are controlled by events outside the FileMaker database.
- Tip: Use the fmurlscript permission sparingly and only where script execution by external systems is required. Secure the URLs to prevent misuse.
fmrest - Access via the FileMaker Data API
The fmrest right controls access to the database via the FileMaker Data API, which provides a modern, powerful method of integrating FileMaker data with other systems via RESTful web services. External applications can read, write and update data via this API.
- Recommended use: Use this right for user roles or systems that require API-based integration, e.g. for connecting to CRM systems, web stores or business intelligence tools. The FileMaker Data API is particularly useful for web and mobile applications that need to access real-time data from the database.
- Tip: The FileMaker Data API can provide extensive data access. Use carefully tuned privilege sets and access controls to ensure that only authorized applications access the API.
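The regular review recommended in this chapter can be run as a repeatable check. The following Python script is an added example, not part of the original tutorial or of FileMaker: it compares the extended privileges each privilege set has enabled with what was approved for that role, and lists accounts that are still active but idle. The inventory format, the privilege set and account names, and the 90-day threshold are assumptions constructed for illustration; the inventory has to be maintained or exported by you.

```python
from datetime import date

# Extended privileges from this section that expose the file to web, API,
# URL-script or ODBC/JDBC clients (everything except fmapp).
EXTERNAL = {"fmxdbc", "fmxml", "fmphp", "fmwebdirect", "fmurlscript", "fmrest"}

# Constructed sample: what each privilege set has enabled vs. what was approved.
PRIVILEGE_SETS = {
    "Sales":     {"granted": {"fmapp", "fmwebdirect"}, "approved": {"fmapp", "fmwebdirect"}},
    "Reporting": {"granted": {"fmapp", "fmxdbc", "fmrest"}, "approved": {"fmxdbc"}},
    "WebShop":   {"granted": {"fmrest", "fmurlscript", "fmphp"}, "approved": {"fmrest"}},
}
# Constructed sample: (account, privilege set, active, last login).
ACCOUNTS = [
    ("a.meyer", "Sales", True, date(2024, 5, 2)),
    ("bi-service", "Reporting", True, date(2024, 5, 20)),
    ("j.former", "Sales", True, date(2023, 9, 14)),
    ("shop-api", "WebShop", True, date(2024, 5, 21)),
    ("temp.intern", "Archive", False, date(2023, 12, 1)),
]

def review(privilege_sets, accounts, today, max_idle_days=90):
    """Return (severity, subject, message) findings for the access review."""
    findings = []
    for name, ps in sorted(privilege_sets.items()):
        # Principle of minimum rights: anything enabled beyond the approval is a finding.
        for priv in sorted(ps["granted"] - ps["approved"]):
            severity = "high" if priv in EXTERNAL else "medium"
            findings.append((severity, name, f"{priv} granted but not approved"))
    for account, ps_name, active, last_login in accounts:
        if not active:
            continue  # deactivated accounts cannot log in
        if ps_name not in privilege_sets:
            findings.append(("high", account, f"unknown privilege set {ps_name}"))
        idle = (today - last_login).days
        if idle > max_idle_days:
            findings.append(("medium", account, f"active but idle for {idle} days"))
    return findings

if __name__ == "__main__":
    # Fixed review date so the sample output is reproducible.
    for severity, subject, message in review(PRIVILEGE_SETS, ACCOUNTS, date(2024, 6, 1)):
        print(f"{severity:6} {subject:10} {message}")
```

Each finding is then resolved in File > Manage > Security, either by removing the extended privilege from the privilege set or by deactivating the account.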
