Role- and User-Based Access

FME Server security is based on two primary concepts:

  • Users: Users are the individual accounts that access FME Server. When FME Server is installed for the first time, default user accounts are created.
  • Roles: Roles are comprised of one or more users.

FME Server security controls access to resources either through role-based or user-based access.

Role-Based Access

Roles make it easy to assign the same set of permissions to multiple users based on job function. Permissions to perform certain operations are assigned to specific roles. In turn, these permissions apply to the users who belong to that role.

For example, a request by user user1 could be to run a workspace in the Samples repository for the Data Download Service. FME Server security grants access if any of the roles to which user1 is assigned has permission to run workspaces in the Samples repository, and also has access to the Data Download Service.

A default set of roles is defined when FME Server is installed. These are:

  • fmesuperuser: For users with unlimited access to the system, including Backup & Restore tasks.
  • fmeadmin: For users who need to carry out specific administration tasks.
  • fmeauthor: For users who are authoring workspaces to run on FME Server.
  • fmeuser: For users who need to run (but not author) workspaces.
  • fmeguest: For temporary users who need a minimal set of permissions.

FME Lizard says...
The FMESuperUser role is the highest position in FME Server and is granted all permissions on all security settings. What’s more, these permissions cannot be revoked, unset, or appealed against!

So, be sure not to assign accounts to the FMESuperUser role unless you really, really mean for them to be given that degree of power!

A number of default accounts are created too. These are:

  • admin: Assigned to the fmesuperuser and fmeadmin roles.
  • author: Assigned to the fmeauthor role.
  • user: Assigned to the fmeuser role.
  • guest: Assigned to the fmeguest role.

FME Lizard says...
Don't forget, these are just default accounts that FME creates. You can create any role necessary for your system, assign any specific security settings to it, and create any number of users assigned to that role.

On the Roles page of the Web Interface, an administrator can:

  • Create and remove roles.
  • Configure users in roles.
  • Configure permissions of roles.

User-Based Access

Another way for FME Server to determine if a user can access a resource is whether the user owns it, or has been given permissions on it.

User Ownership

Anything a user creates in FME Server, such as a repository, is owned by that user. When you own something, you have full permissions on it. This permission supersedes the role-based permissions you have on equivalent items in FME Server.

Additionally, as an owner, you can:

  • Share permissions on the items you own with other users or roles.
  • Assign ownership of something to another user.

User Permission

Users can be granted permissions on resources, and these permissions may supersede the permissions available to them through their role (in fact, it is not even necessary for a user to belong to a role).

On the Users page of the Web Interface, an administrator can:

  • Create and remove users.
  • Configure users into roles.
  • Configure permissions of users.

FME Lizard says...
On the Active Directory page of the Web Interface, an administrator can integrate the organization’s Active Directory users and groups into its FME Server security configuration.

FME Lizard asks...

Q) If I want one user to have a higher level of access to other users in the same role (say I wish to let an FME author be able to manage engines) what must I do? Select all that apply:

Simply select that user from the user list and enable the manage Engines & Licensing policy
Promote that role to superuser status so that the user has a higher level of security
Create a new role with the manage Engines & Licensing policy enabled and move that user to it
Create a new role with the manage Engines & Licensing policy enabled and add that user to it as well as the original role

A) Security policies can be set at both the user and role levels. While you can create a new role and assign the user to it (Option 4) – enabling the user to be a member of two roles – it is much easier to simply edit the permissions of the individual user (Option 1).

results matching ""

    No results matching ""