FME Server security is based on two primary concepts:
- Users: Users are the individual accounts that access FME Server. When FME Server is installed for the first time, default user accounts are created.
- Roles: Roles are comprised of one or more users.
FME Server security controls access to resources either through role-based or user-based access.
Optionally, you can incorporate your organization's Active Directory groups and users into your FME Server security configuration.
Roles make it easy to assign the same set of permissions to multiple users based on job function. Permissions to perform certain operations are assigned to specific roles. In turn, these permissions apply to the users who belong to that role.
For example, a request by user user1 could be to run a workspace in the Samples repository for the Data Download Service. FME Server security grants access if any of the roles to which user1 is assigned has permission to run workspaces in the Samples repository, and also has access to the Data Download Service.
FME Server provides a set of default roles:
Provides full access to FME Server, including the Web User Interface.
|"administrator" (username specified during installation)|
Provides workspace authors access to FME Server to publish, author, and test new workspaces.
Provides unauthenticated access to run jobs via Web Service URLs.
|fmesuperuser||Authorized to access all resources of FME Server, including existing and newly-created resources.||"administrator"|
|fmeuser||Provides users access to the Web User Interface and Web Services.||user|
On the Roles page of the Web User Interface, an administrator can:
- Create and remove roles.
- Configure users in roles.
- Configure permissions of roles.
On the Active Directory page of the Web User Interface, an administrator can integrate the organization's Active Directory groups and users into its FME Server security configuration.
Another way for FME Server to determine if a user can access a resource is whether the user owns it, or has been given permissions on it.
Anything a user creates in FME Server, such as a repository, is owned by that user. When you own something, you have full permissions on it. This permission supersedes the permissions you have on other items in FME Server based on the role to which you belong.
Additionally, as an owner, you can:
- Share permissions on the items you own with other users or roles.
- Assign ownership of something to another user.
Users can be granted permissions on resources, and these permissions may supersede the permissions available to them through their role. (In fact, it is not even necessary for a user to belong to a role.)
On the Users page of the Web User Interface, an administrator can:
- Create and remove users.
- Configure users in roles.
- Configure permissions of users.
On the Active Directory page of the Web User Interface, an administrator can integrate the organization's Active Directory users and groups into its FME Server security configuration.
Through sharing, users can grant different levels of access to items in FME Server to other users or roles. A user can share an item if their account is enabled for sharing, and either of the following is true:
- The user owns the item.
- The user has Manage Security permission (usually granted to an administrator).
A special account, referred to as the trusted account, can be used to provide unauthenticated access to any component. By default, this trusted account is named
guest and is assigned to the fmeguest role. By default, the fmeguest role is configured to allow unauthenticated access to the FME Server Web Services. This means it is possible to invoke a service URL without providing any credentials.
Note: If you want all of the FME Server Web Services to prompt for authentication, remove the guest account after you configure your own set of users and access control for your server.
The trusted user account is configured in the propertiesFile.properties file for each web service. If your FME Server installation uses the built-in Apache Tomcat servlet, these files are located under:
To change the user name and password of the trusted account for a service, configure the DEFAULT_USER_ID and DEFAULT_PASSWORD parameters.