Role-Based and User-Based Access Control
FME Flow security is based on two primary concepts:
- Users: The individual accounts that access FME Flow. When FME Flow is installed for the first time, default user accounts are created. Note that the default Status of these accounts, except the admin account, is Disabled.
- Roles: Named groups of one or more users. Permissions assigned to a role apply to every user in it.
FME Flow security controls access to resources either through role-based or user-based access.
Optionally, you can incorporate your organization's directory server (for example, Windows Active Directory) groups and users into your FME Flow security configuration.
Role-Based Access
Roles make it easy to assign the same set of permissions to multiple users based on job function. Permissions to perform certain operations are assigned to specific roles. In turn, these permissions apply to the users who belong to that role.
For example, suppose user1 requests to run a workspace in the Samples repository through the Data Download Service. FME Flow security grants the request only if a role that user1 belongs to has permission to run workspaces in the Samples repository and also has access to the Data Download Service; a role that satisfies only one of the two conditions is not enough.
FME Flow provides a set of default roles:
| Role | Description | User |
|---|---|---|
| fmeadmin | Provides full access to FME Flow, including the Web User Interface. | admin |
| fmeauthor | Provides workspace authors access to FME Flow to publish, author, and test new workspaces. | author |
| fmeguest | Provides unauthenticated access to run jobs via Web Service URLs. | guest |
| fmesuperuser | Authorized to access all resources of FME Flow, including existing and newly-created resources. | admin |
| fmeuser | Provides users access to the Web User Interface and Web Services. | user |
On the Roles page of the Web User Interface, an administrator can:
- Create and remove roles.
- Configure users in roles.
- Configure permissions of roles.
On the Authentication Services page of the Web User Interface, an administrator can integrate the organization's Windows Active Directory, LDAP, or other directory server groups and users into its FME Flow security configuration.
User-Based Access
Another way for FME Flow to determine whether a user can access a resource is to check whether the user owns it, or has been granted permissions on it directly.
User Ownership
Anything a user creates in FME Flow, such as a repository, is owned by that user. An owner has full permissions on the item, and those permissions supersede whatever permissions the owner's roles grant (or withhold) on it.
Additionally, as an owner, you can:
- Share permissions on the items you own with other users or roles.
- Transfer ownership of an item to another user, by editing the item on the Items page.
User Permission
Users can be granted permissions on resources, and these permissions may supersede the permissions available to them through their role. (In fact, it is not even necessary for a user to belong to a role.)
On the Users page of the Web User Interface, an administrator can:
- Create and remove users.
- Configure users in roles.
- Configure permissions of users.
On the Authentication Services page of the Web User Interface, an administrator can integrate the organization's Windows Active Directory, LDAP, or other directory server users and groups into its FME Flow security configuration.
Shared Access
Through sharing, users can grant different levels of access to items in FME Flow to other users or roles. A user can share an item if their account is enabled for sharing, and either of the following is true:
- The user owns the item.
- The user has Manage permission in User Management (usually granted to an administrator).
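The rules in the Role-Based Access, User-Based Access and Shared Access sections above combine into a single access decision. The following Python model is an added illustration, not FME Flow's own code: the permission names (read, run, publish, remove, access, manage), the item kinds, the demo users and repositories, and the treatment of role grants, direct user grants and shares as a union are all assumptions of this example.

```python
from dataclasses import dataclass, field

# Assumed permission vocabulary for this model; FME Flow's real permission
# names differ per item type and are not reproduced here.
ALL_PERMISSIONS = frozenset({"read", "run", "publish", "remove", "access", "manage"})


@dataclass
class Item:
    kind: str                 # e.g. "repository", "service", "usermanagement"
    name: str
    owner: str                # the user who created it
    shares: dict = field(default_factory=dict)   # principal (user or role) -> set of permissions


@dataclass
class User:
    name: str
    enabled: bool = True
    sharing_enabled: bool = True
    roles: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)   # (kind, name) -> set of permissions


class AccessModel:
    def __init__(self):
        self.users = {}   # user name -> User
        self.roles = {}   # role name -> {(kind, name): set of permissions}
        self.items = {}   # (kind, name) -> Item

    def add_user(self, user):
        self.users[user.name] = user

    def add_role(self, name, grants):
        self.roles[name] = grants

    def add_item(self, item):
        self.items[(item.kind, item.name)] = item

    def permissions(self, user_name, kind, name):
        """Effective permissions of one user on one item.

        Order follows the page: a disabled account gets nothing; an owner has
        full permissions regardless of role; otherwise the result is the union
        of direct user grants, the grants of every role the user belongs to,
        and anything shared with the user or one of their roles (the union is
        an assumption of this example)."""
        user = self.users[user_name]
        if not user.enabled:
            return frozenset()
        item = self.items[(kind, name)]
        if item.owner == user_name:
            return ALL_PERMISSIONS
        perms = set(user.grants.get((kind, name), ()))
        for role in user.roles:
            perms |= self.roles.get(role, {}).get((kind, name), set())
        for principal, shared in item.shares.items():
            if principal == user_name or principal in user.roles:
                perms |= shared
        return frozenset(perms)

    def can_run(self, user_name, repository, service):
        """The page's example: running a workspace in a repository through a
        web service needs run permission on the repository AND access to the service."""
        return ("run" in self.permissions(user_name, "repository", repository)
                and "access" in self.permissions(user_name, "service", service))

    def can_share(self, user_name, kind, name):
        """Sharing needs an account enabled for sharing and either ownership of the
        item or Manage permission in User Management."""
        user = self.users[user_name]
        if not user.enabled or not user.sharing_enabled:
            return False
        return (self.items[(kind, name)].owner == user_name
                or "manage" in self.permissions(user_name, "usermanagement", "User Management"))


def build_demo():
    """Constructed scenario: the grants, items and users are illustrative only."""
    m = AccessModel()
    m.add_role("fmeuser", {("service", "Data Download"): {"access"}})
    m.add_role("fmeauthor", {("repository", "Samples"): {"read", "publish", "run"},
                             ("service", "Data Download"): {"access"}})
    m.add_role("fmeadmin", {("usermanagement", "User Management"): {"manage"}})
    m.add_item(Item("usermanagement", "User Management", owner="admin"))
    m.add_item(Item("service", "Data Download", owner="admin"))
    m.add_item(Item("repository", "Samples", owner="author"))
    m.add_item(Item("repository", "Finance", owner="user1"))
    m.add_user(User("admin", roles={"fmeadmin"}))
    m.add_user(User("author", roles={"fmeauthor"}))
    m.add_user(User("user1", roles={"fmeuser"}))
    m.add_user(User("contractor"))                                 # belongs to no role at all
    m.add_user(User("guest", enabled=False, roles={"fmeguest"}))   # disabled by default
    return m


if __name__ == "__main__":
    m = build_demo()
    print(m.can_run("user1", "Samples", "Data Download"))          # False: service access but no run on Samples
    m.users["user1"].grants[("repository", "Samples")] = {"run"}   # direct user grant supplements the role
    print(m.can_run("user1", "Samples", "Data Download"))          # True
    print(m.permissions("user1", "repository", "Finance") == ALL_PERMISSIONS)   # True: ownership
    m.items[("repository", "Samples")].shares["contractor"] = {"run"}           # owner shares with a role-less user
    print(m.can_run("contractor", "Samples", "Data Download"))     # False: no service access yet
    print(m.permissions("guest", "repository", "Samples"))         # frozenset(): disabled account
```

The cases worth noting: user1 holds the right role for the service yet is refused until a run permission on the repository arrives from a direct grant; the role-less contractor gets as far as the repository purely through sharing, and still needs service access; and the disabled guest account receives nothing regardless of what fmeguest is granted.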
About the Trusted User Account
A special account, referred to as the trusted account, can be used to provide unauthenticated access to any component. By default, the trusted account is named guest and belongs to the fmeguest role, and the fmeguest role is configured to allow unauthenticated access to the FME Flow Web Services. This means a service URL can be invoked without supplying any credentials: whatever permissions the guest account and the fmeguest role hold are exactly the permissions an anonymous caller gets, so keep them minimal.
- The Status of the guest user account is Disabled by default. Enable it only if you deliberately want anonymous access to the services that fmeguest can reach.
- If you want all of the FME Flow Web Services to prompt for authentication, remove the guest account after you have configured your own users and access control for your FME Flow.
To change the user name and password of the trusted account for a service:
- Set the DEFAULT_USER_ID and DEFAULT_PASSWORD parameters in the propertiesFile.properties file of each service. If your FME Flow installation uses the built-in Apache Tomcat servlet, these files are located under:
<FMEFlowDir>\Utilities\tomcat\webapps\<service>\WEB-INF\conf\propertiesFile.properties
- On the Users page, update the account's name and password to the same values, so that the services and the user store agree.
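Because the trusted account is configured once per service, a rename that misses one file leaves that service running anonymous requests as the old account. The following Python script is an added example, not Safe Software's code: it audits every service's DEFAULT_USER_ID under a Tomcat directory and rewrites the two keys in place. The three service names and the file contents in `demo()` are constructed sample data; the real file layout follows the path given above.

```python
import re
import tempfile
from pathlib import Path

# Relative to <FMEFlowDir>/Utilities/tomcat; one file per service webapp.
PROPERTIES_GLOB = "webapps/*/WEB-INF/conf/propertiesFile.properties"
TRUSTED_KEYS = ("DEFAULT_USER_ID", "DEFAULT_PASSWORD")
# Matches "KEY=value", "KEY = value" and "KEY : value"; comment lines do not match.
_KV = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*[=:]\s*(.*)$")


def get_property(text, key):
    """Value of `key` in a properties-file body, or None if the key is absent."""
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) == key:
            return m.group(2).strip()
    return None


def set_properties(text, values):
    """Return `text` with every key in `values` set, leaving comments and other
    keys untouched and appending keys that were missing.  Values are written
    verbatim: a password containing a backslash, '=' or ':' needs Java
    properties escaping first, which this example does not do."""
    out, seen = [], set()
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) in values:
            out.append(f"{m.group(1)}={values[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    for key, value in values.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def audit_trusted_accounts(tomcat_dir):
    """Map each service webapp to its DEFAULT_USER_ID, so a service still
    running anonymous requests as 'guest' is easy to spot."""
    report = {}
    for path in sorted(Path(tomcat_dir).glob(PROPERTIES_GLOB)):
        service = path.parts[-4]          # webapps/<service>/WEB-INF/conf/...
        report[service] = get_property(path.read_text(), "DEFAULT_USER_ID")
    return report


def rotate_trusted_account(tomcat_dir, user_id, password):
    """Write the new trusted-account name and password into every service's
    properties file; returns the services whose file actually changed."""
    changed = []
    new_values = dict(zip(TRUSTED_KEYS, (user_id, password)))
    for path in sorted(Path(tomcat_dir).glob(PROPERTIES_GLOB)):
        old = path.read_text()
        new = set_properties(old, new_values)
        if new != old:
            path.write_text(new)
            changed.append(path.parts[-4])
    return changed


def demo():
    """Constructed stand-in for <FMEFlowDir>\\Utilities\\tomcat with three
    made-up service webapps; the contents are sample data, not shipped files."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "fmedatadownload": "# constructed sample\nDEFAULT_USER_ID=guest\nDEFAULT_PASSWORD=guest\nOTHER=1\n",
        "fmedatastreaming": "DEFAULT_USER_ID = guest\nDEFAULT_PASSWORD : guest\n",
        "fmejobsubmitter": "# keys absent: they will be appended\nOTHER=2\n",
    }
    for service, text in samples.items():
        conf = root / "webapps" / service / "WEB-INF" / "conf"
        conf.mkdir(parents=True)
        (conf / "propertiesFile.properties").write_text(text)
    before = audit_trusted_accounts(root)
    changed = rotate_trusted_account(root, "svc_trusted", "correct-horse-battery")
    after = audit_trusted_accounts(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("before:", before)     # two services on 'guest', one with no key at all
    print("changed:", changed)
    print("after:", after)
```

Run the audit alone first on a real installation: a service whose DEFAULT_USER_ID is still guest after you believed the account was renamed is the mismatch the procedure warns about. Rotating the files changes only which account the services use for credential-less requests; it does not by itself make the services prompt for authentication, which per the page requires removing the guest account.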
See Also