Role-Based Access Control
FME Server security controls access to resources with role-based access control. Within an organization, users are grouped into roles. Roles are created for various job functions. Permissions to perform certain operations are assigned to specific roles.
When a user accesses a specific resource, FME Server security determines if any of the associated roles of the user has permission to perform the requested operation on the specified resource. For example, a request by user fmeuser could be to run a workspace in the Samples repository for the Data Download Service. FME Server security grants access if any of the roles for the fmeuser user account has permission to run workspaces in the Samples repository and also has access to the Data Download Service.
Users, roles, and permissions are configured on the Security page of the Web User Interface. The Security page is organized into the following categories:
Users
User accounts are the users of the FME Server system. Permissions to perform particular operations are not assigned directly to users. Instead, users acquire permissions through their roles.
When FME Server is installed for the first time, default user accounts are created.
About the Trusted User Account
A special account, referred to as the trusted account, can be used to provide unauthenticated access to any component. By default, this trusted account is named guest and is assigned to the fmeguest role. By default, the fmeguest role is configured to allow unauthenticated access to the FME Server services. This means it is possible to invoke a service URL without providing any credentials.
Note: If you want all of the services to prompt for authentication, remove the guest account after you configure your own set of users and access control for your server.
Roles
Roles allow an administrator to associate a group of users with a set of resources/permissions. Users can be added and removed from a role and permissions can be added and removed from a role.
By default, FME Server creates the following roles:
- fmeadmin – Provides full access to FME Server, including the Web User Interface.
- fmeauthor – Provides workspace authors access to FME Server to publish, author, and test new workspaces.
- fmeguest – Provides unauthenticated access to run jobs via Web Service URLs.
- fmesuperuser – Authorized to access all resources of FME Server, including existing and newly-created resources. By default, FME Server assigns the "admin" account to both the fmeadmin and fmesuperuser roles.
- fmeuser – Provides users access to the Web User Interface and Web Services.
Object Policies
Object policies are the resources that make up FME Server; permissions on these resources are granted to roles. Policies can be added when new objects are created, such as a new repository or a custom web service.
Policies are categorized as:
- Applications – Desktop and web client applications that provide user interaction with FME Server. FME Workbench and the various FME Server Web User Interfaces are examples.
- Components – FME components that access FME Server. Special Server formats and Workbench transformers are examples.
- Repositories – All the repositories of FME Server. When a new repository is created, a security resource for the repository is automatically created.
- Services – Software that provides a specific service to a client on behalf of FME Server. The data download, data streaming, and OGC services are examples. When a new service is created, a security resource for the service is automatically created, enabling all access.
- Resources – Resource Management directories.
- Topics – Notification Service topics.
Role Policies
Permissions on object policies are assigned to, or unassigned from, specific roles, depending on whether that role should be granted access to the resource.
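The authorization decision described at the top of this page (users hold roles, roles hold permissions on object policies, and a request is granted only if the caller's roles cover every resource the request touches) can be modelled in a few lines. The following Python is an added example written for this page; it is not FME Server's code, and the class, the permission tuples, the `"*"` wildcard used to model the fmesuperuser role, and the specific default grants are all assumptions. It also assumes that permissions are unioned across a user's roles, which the page does not state either way.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# A permission is (category, object, operation), e.g. ("Repositories", "Samples", "run").
# The categories mirror the Object Policies list above; the operation names are assumed.
Permission = Tuple[str, str, str]
ANY = "*"  # wildcard used here to model a role authorized for all resources (assumption)


@dataclass
class SecurityConfig:
    """In-memory stand-in for the Security page: users -> roles, roles -> permissions."""
    users: Dict[str, Set[str]] = field(default_factory=dict)
    role_policies: Dict[str, Set[Permission]] = field(default_factory=dict)
    trusted_user: Optional[str] = "guest"  # account used when no credentials are supplied

    def add_user(self, name: str, roles: Iterable[str]) -> None:
        self.users[name] = set(roles)
        for r in self.users[name]:
            self.role_policies.setdefault(r, set())

    def remove_user(self, name: str) -> None:
        # Removing the trusted account is how the note above turns off unauthenticated access.
        self.users.pop(name, None)

    def grant(self, role: str, category: str, obj: str, op: str) -> None:
        self.role_policies.setdefault(role, set()).add((category, obj, op))

    def revoke(self, role: str, category: str, obj: str, op: str) -> None:
        self.role_policies.get(role, set()).discard((category, obj, op))

    def role_has(self, role: str, perm: Permission) -> bool:
        """True if the role holds the permission directly or via a wildcard entry."""
        cat, obj, op = perm
        for pc, po, pop in self.role_policies.get(role, ()):
            if pc in (cat, ANY) and po in (obj, ANY) and pop in (op, ANY):
                return True
        return False

    def is_authorized(self, user: Optional[str], required: Iterable[Permission]) -> bool:
        """Resolve the caller (falling back to the trusted account for an unauthenticated
        request) and require each permission to be held by at least one of the caller's
        roles. An unknown caller, or a removed trusted account, is denied."""
        if user is None:
            user = self.trusted_user
        roles = self.users.get(user) if user else None
        if not roles:
            return False
        return all(any(self.role_has(r, p) for r in roles) for p in required)


def default_config() -> SecurityConfig:
    """Constructed approximation of the out-of-the-box roles listed above; the
    individual grants are illustrative assumptions, not FME Server's real defaults."""
    cfg = SecurityConfig()
    cfg.add_user("admin", ["fmeadmin", "fmesuperuser"])
    cfg.add_user("fmeuser", ["fmeuser"])
    cfg.add_user("guest", ["fmeguest"])
    cfg.grant("fmesuperuser", ANY, ANY, ANY)  # all resources, existing and newly created
    cfg.grant("fmeadmin", "Applications", "Web User Interface", "access")
    cfg.grant("fmeuser", "Applications", "Web User Interface", "access")
    for role in ("fmeuser", "fmeguest"):
        cfg.grant(role, "Repositories", "Samples", "run")
        cfg.grant(role, "Services", "Data Download", "access")
    return cfg


def run_samples_via_data_download(cfg: SecurityConfig, user: Optional[str]) -> bool:
    """The request from the text: run a workspace in the Samples repository through the
    Data Download Service. Both the repository and the service must be permitted."""
    return cfg.is_authorized(user, [("Repositories", "Samples", "run"),
                                    ("Services", "Data Download", "access")])


if __name__ == "__main__":
    cfg = default_config()
    print(run_samples_via_data_download(cfg, "fmeuser"))  # True
    print(run_samples_via_data_download(cfg, None))       # True: guest answers the unauthenticated call
    cfg.remove_user("guest")
    print(run_samples_via_data_download(cfg, None))       # False: services now require credentials
    # A newly created repository: only the wildcard role reaches it without an explicit grant.
    print(cfg.is_authorized("admin", [("Repositories", "NewRepo", "run")]))    # True
    print(cfg.is_authorized("fmeuser", [("Repositories", "NewRepo", "run")]))  # False
```

The `None` caller path is the point worth checking on a real deployment: as long as the trusted account exists and its role holds service permissions, a service URL answers without credentials, and removing that account (or revoking the role's service access) is what makes every service prompt for authentication.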