Role-Based and User-Based Access Control
FME Flow security is based on two primary concepts:
- Users: The individual accounts that access FME Flow. When FME Flow is installed for the first time, default user accounts are created. Note that the default Status of these accounts, except the admin account, is Disabled.
- Roles: Comprised of one or more users.
FME Flow security controls access to resources either through role-based or user-based access.
Optionally, you can incorporate your organization's directory server (for example, Windows Active Directory) groups and users into your FME Flow security configuration.
Role-Based Access
Roles make it easy to assign the same set of permissions to multiple users based on job function. Permissions to perform certain operations are assigned to specific roles. In turn, these permissions apply to the users who belong to that role.
For example, user user1 might request to run a workspace in the Samples repository for the Data Download Service. FME Flow security grants access if any of the roles to which user1 is assigned has permission to run workspaces in the Samples repository, and also has access to the Data Download Service.
FME Flow provides a set of default roles:
Role | Description | User |
---|---|---|
fmeadmin | Provides full access to FME Flow, including the Web User Interface. | admin |
fmeauthor | Provides workspace authors access to FME Flow to publish, author, and test new workspaces. | author |
fmeguest | Provides the minimal access to FME Flow required to run workspaces. | guest |
fmesuperuser | Authorized to access all resources of FME Flow, including existing and newly-created resources. | admin |
fmeuser | Provides users access to the Web User Interface and Web Services. | user |
On the Roles page of the Web User Interface, an administrator can:
- Create and remove roles.
- Configure users in roles.
- Configure permissions of roles.
On the Authentication Services page of the Web User Interface, an administrator can integrate the organization's Windows Active Directory, LDAP, or other directory server groups and users into its FME Flow security configuration.
User-Based Access
FME Flow can also determine whether a user can access a resource based on whether the user owns it or has been given permissions on it.
User Ownership
Anything a user creates in FME Flow, such as a repository, is owned by that user. When you own something, you have full permissions on it. This permission supersedes the permissions you have on other items in FME Flow based on the role to which you belong.
Additionally, as an owner, you can:
- Share permissions on the items you own with other users or roles.
- Assign ownership of something to another user. To change ownership of an item, edit it from the Items page.
User Permission
Users can be granted permissions on resources, and these permissions may supersede the permissions available to them through their role. (In fact, it is not even necessary for a user to belong to a role.)
On the Users page of the Web User Interface, an administrator can:
- Create and remove users.
- Configure users in roles.
- Configure permissions of users.
On the Authentication Services page of the Web User Interface, an administrator can integrate the organization's Windows Active Directory, LDAP, or other directory server users and groups into its FME Flow security configuration.
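The following is a small model of the decision rules described above (role permissions, direct user permissions, and ownership), added here as an illustration; it is not FME Flow code. The data layout, the permission names, the role and user names other than user1, and the treatment of permissions as additive across roles are assumptions.

```python
from dataclasses import dataclass, field

# A grant is (resource type, resource name, permission). All names below are
# constructed sample data except "Samples" and "Data Download", which the page uses.
RUN_SAMPLES = ("repository", "Samples", "run")
USE_DOWNLOAD = ("service", "Data Download", "access")

@dataclass
class Role:
    name: str
    grants: set = field(default_factory=set)

@dataclass
class User:
    name: str
    enabled: bool = True
    roles: list = field(default_factory=list)
    grants: set = field(default_factory=set)  # direct, user-based permissions

def check_access(user, needed, owners):
    """Return (allowed, reasons); every grant in `needed` must be satisfied."""
    if not user.enabled:  # assumption: a Disabled account gets nothing
        return False, ["account disabled"]
    reasons = []
    for grant in needed:
        rtype, rname, perm = grant
        if owners.get((rtype, rname)) == user.name:
            reasons.append(f"{perm} {rname}: owner")  # ownership = full permissions
        elif grant in user.grants:
            reasons.append(f"{perm} {rname}: direct grant")
        else:
            via = sorted(r.name for r in user.roles if grant in r.grants)
            if not via:
                return False, [f"{perm} {rname}: no owner, user or role grant"]
            reasons.append(f"{perm} {rname}: role {', '.join(via)}")
    return True, reasons

# Hypothetical roles and users for the user1 request described above.
runners = Role("samples_runners", {RUN_SAMPLES})
downloaders = Role("download_users", {USE_DOWNLOAD})
user1 = User("user1", roles=[runners, downloaders])
user2 = User("user2", roles=[runners])                      # lacks service access
user3 = User("user3", grants={USE_DOWNLOAD})                # no role at all
user4 = User("user4", enabled=False, roles=[runners, downloaders])
OWNERS = {("repository", "Samples"): "user3"}               # constructed ownership

if __name__ == "__main__":
    for u in (user1, user2, user3, user4):
        print(u.name, check_access(u, [RUN_SAMPLES, USE_DOWNLOAD], OWNERS))
```

Reporting the reason next to each decision shows which accounts hold access only through ownership or a direct grant, which a review of role membership alone would not reveal.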
Shared Access
Through sharing, users can grant different levels of access to items in FME Flow to other users or roles. A user can share an item if their account is enabled for sharing, and either of the following is true:
- The user owns the item.
- The user has Manage permission in User Management (usually granted to an administrator).