Security and Hosting for FileMaker Databases in A&A

Page 1: Security and Hosting for FileMaker Databases in A&A › sites › aait.psu.edu › files › FileMaker Security.pdf · to add a person to a group, and you as the database maintainer

Version 1.0

Security and Hosting for FileMaker Databases in A&A

The FileMaker Database Hosting Procedure available at http://aait.psu.edu/aait-forms-and-policies covers the basic requirements for hosting FM databases on the college FM server. This document provides a more detailed walkthrough of setting up these security and access permissions. For full information on security options, see FileMaker’s documentation.

Overview

Access to databases is handled through membership in groups managed by AAIT systems administrators. Authentication is therefore done by PSU ID and password, just like email. The database administrator setting up the database (presumably you, if you are reading this) sets the desired permissions for the group in the database. Requests for IT to set up a group or add people to an existing group, as well as to host a new database, are made via the Request for Network Services form, also available at http://aait.psu.edu/aait-forms-and-policies. To put it another way, IT does not grant a person access to a database directly. We service a request to add a person to a group, and you as the database maintainer give that group rights to the database. Let’s look at how this is done.

Managing Security

• Open your database in FileMaker and go to File -> Manage -> Security…

• The Accounts tab at the top should already be selected, and you will see a list of accounts currently in the file. By default this includes [Guest] and Admin.

• NOTE: The Guest account should NOT be active; make sure its checkbox is cleared. For security, the Admin account should be changed to a different name, and it must be given a password.

• Remember secure passwords are at least 8 characters and contain letters and numbers and no proper words.

• Click on the Admin account and click the Edit… button at the bottom of the window.

• In the Edit Account window you can change the Account Name and Password.

• Once you do this, click OK on both windows.

• You will be prompted to verify the changes with the name and password you just set. If they don’t match, it will fail and you can try again.

Keep a record of the admin account you set in a secure location. It will be required to work with the file offline and to make master changes to the Security settings in the file in the future. Losing it could lock you out of the file at some point. Re-open the Manage Security window now and we’ll add groups.

External Accounts

The most confusing thing to most people is that the groups we make on the server end are added to the database in the Accounts window. Click on the New… button and you will see the same Edit Account window you saw in the last section, but it will be blank. Do not use this to add accounts and passwords to the database for use on the FileMaker server. If you wanted to secure a database you were using offline with another person, but wanted to have unique accounts and privileges, then you could add this kind of internal database account. We won’t discuss that here; for more information see FileMaker’s documentation.

• Change the pull down menu at the top from FileMaker to External Server.

• Enter the Group Name of the group you requested IT create for this database, or an existing group you wish to use for access.

• Select the Privilege Set you want this group to have. The default internal sets are Full, Data Entry, and Read Only. You can create and assign custom sets if you wish. Full details on these sets and making new ones can be found in FileMaker’s documentation.

• Click OK to add the “account”.

Usually, you will have at least two groups created for a given database. One is a group that will contain yourself and any other people who will administer the database (layouts, etc.), and the other is for your users who will look up or enter data. You may have three groups, following the Full, Data Entry, and Read Only sets that are built in. A group can contain a single person. You must also add the fmdbadmins group with the Full Access Privilege Set. This is the group used by the AAIT system administrators to verify database security and perform emergency service.

Extended Privileges

Just adding the external group to the Accounts list is not enough to allow people to access this file once it’s on the server. You have two options for access. One is via the FileMaker application (fmapp), which requires the person to have FileMaker installed on their machine. The other option is Instant Web Publishing (fmiwp), which allows access to the database through FileMaker Server’s web-based system. This is good for people entering and browsing data, but it does not allow editing layouts, though that is usually just done by a database admin such as yourself. It also does not require the person to have a FileMaker license, and it can be used from any computer on a network in the college, the PSU wireless, mobility, or VPN systems. This restricted access by network location ensures no one can even get to the server, let alone try to authenticate to a database, unless they are part of Penn State. You don’t have to worry that the database can be seen by anyone on the internet.

• Click on the Extended Privileges tab in the Manage Security window.

• Double-click the fmapp item.

• Click the check box for the Privilege Set you want to be able to access this database using the FileMaker application. If no groups are checked, no one can open the database once it’s on the server. You’ll want to ensure Full Access is checked, as that is used for your admin group and the fmdbadmins group noted above.

• Click OK

• Repeat for the fmiwp Set for those you want to access by the web interface.

Note that one Privilege Set can be assigned to many “accounts” (groups). If you want one group to have read-only access via the web interface, and another group to have read-only access only by using FileMaker, you would need a second read-only privilege set. Again, the details on making and managing Sets can be found in FileMaker’s documentation. You can also set this under the Privilege Sets tab by double-clicking a set and then checking off fmapp or fmiwp in the list at the bottom. This is also where you would create new sets and customize their access and privileges in more detail.
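
The access model described in this section, as an added example that is not part of the original document and is not a FileMaker API or export format: the Manage Security settings are modelled by hand as Python objects, and the names dbowner, mydb-web and mydb-app are constructed. It resolves which access paths each group ends up with through its Privilege Set and checks the hosting requirements stated above.

```python
# Added illustration: a hand-written model of the Manage Security dialog,
# not a FileMaker export format or API. All sample names are constructed.
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    auth: str            # "FileMaker" (internal) or "External Server" (group)
    privilege_set: str
    active: bool = True

def effective_access(accounts, extended):
    """Map each active account to the access paths (fmapp, fmiwp) that its
    Privilege Set is checked for on the Extended Privileges tab."""
    return {a.name: sorted(k for k, sets in extended.items() if a.privilege_set in sets)
            for a in accounts if a.active}

def audit(accounts, extended):
    """Return the hosting requirements from this document that are not met."""
    findings = []
    by_name = {a.name: a for a in accounts}
    guest = by_name.get("[Guest]")
    if guest and guest.active:
        findings.append("[Guest] account is active")
    if any(a.auth == "FileMaker" and a.name == "Admin" for a in accounts):
        findings.append("built-in Admin account has not been renamed")
    admins = by_name.get("fmdbadmins")
    if not (admins and admins.auth == "External Server"
            and admins.privilege_set == "Full Access"):
        findings.append("fmdbadmins external group with Full Access is missing")
    if "Full Access" not in extended.get("fmapp", set()):
        findings.append("fmapp is not enabled for Full Access")
    access = effective_access(accounts, extended)
    for a in accounts:
        if a.active and a.auth == "External Server" and not access[a.name]:
            findings.append(f"group {a.name} has no fmapp or fmiwp access")
    return findings

# Constructed sample: two user groups sharing the built-in Read Only set.
ACCOUNTS = [
    Account("[Guest]", "FileMaker", "Read Only", active=False),
    Account("dbowner", "FileMaker", "Full Access"),      # renamed Admin
    Account("fmdbadmins", "External Server", "Full Access"),
    Account("mydb-web", "External Server", "Read Only"),
    Account("mydb-app", "External Server", "Read Only"),
]
EXTENDED = {"fmapp": {"Full Access", "Read Only"}, "fmiwp": {"Read Only"}}
```

Because both sample groups share the Read Only set, `effective_access` gives each of them both fmapp and fmiwp; separating them takes a second read-only set, as noted above.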

Conclusion

Once you have set your accounts (groups) and privileges as desired, you will be challenged for the built-in admin account credentials to verify. Once this is done, the file needs to be emailed or delivered on a flash drive to Yadin ([email protected]) in AAIT to put on the FileMaker server. The database can then be accessed by the methods you enabled at filemaker.arts.psu.edu (either by web browser or Open Remote in FileMaker). You and the others you granted access to should now be able to open it with your PSU credentials. Note that when authenticating to a database on the server, your Account Name needs to be entered as [email protected], not just your userid (i.e. [email protected] not yxf4). You do not add this when using the built-in admin account. Remember that your offline file is not tied to the copy put on the server, nor will it allow the external authentication to work if it is not on the server.