Role- and User-Based Access
FME Server security is based on two primary concepts:
- Users: Users are the individual accounts that access FME Server. When FME Server is installed for the first time, default user accounts are created.
- Roles: Roles are comprised of one or more users.
FME Server security controls access to resources either through role-based or user-based access.
Role-Based Access
Roles make it easy to assign the same set of permissions to multiple users based on job function. Permissions to perform certain operations are assigned to specific roles. In turn, these permissions apply to the users who belong to that role.
For example, a request by user user1 could be to run a workspace in the Samples repository for the Data Download Service. FME Server security grants access if any of the roles to which user1 is assigned has permission to run workspaces in the Samples repository, and also has access to the Data Download Service.
A default set of roles is defined when FME Server is installed. These are:
- fmesuperuser: For users with unlimited access to the system, including Backup & Restore tasks.
- fmeadmin: For users who need to carry out specific administration tasks.
- fmeauthor: For users who are authoring workspaces to run on FME Server.
- fmeuser: For users who need to run (but not author) workspaces.
- fmeguest: For temporary users who need a minimal set of permissions.
Police Chief Webb-Mapp says... |
I am the law! The FMESuperUser role is the high court of FME Server and is granted all permissions on all security settings. What’s more, these permissions cannot be revoked, unset, or appealed against!
So, be sure not to assign accounts to the FMESuperUser role unless you really, really mean for them to be given that degree of power! |
A number of default accounts are created too. These are:
- admin: Assigned to the fmesuperuser and fmeadmin roles.
- author: Assigned to the fmeauthor role.
- user: Assigned to the fmeuser role.
- guest: Assigned to the fmeguest role.
Chef Bimm says... |
Don't forget, these are just default accounts that FME creates. You can create any role necessary for your system, assign any specific security settings to it, and create any number of users assigned to that role. |
On the Roles page of the Web User Interface, an administrator can:
- Create and remove roles.
- Configure users in roles.
- Configure permissions of roles.
User-Based Access
Another way for FME Server to determine if a user can access a resource is whether the user owns it, or has been given permissions on it.
User Ownership
Anything a user creates in FME Server, such as a repository, is owned by that user. When you own something, you have full permissions on it. This permission supersedes the permissions you have on other items in FME Server based on the role to which you belong.
Additionally, as an owner, you can:
- Share permissions on the items you own with other users or roles.
- Assign ownership of something to another user.
User Permission
Users can be granted permissions on resources, and these permissions may supersede the permissions available to them through their role. (In fact, it is not even necessary for a user to belong to a role.)
On the Users page of the Web User Interface, an administrator can:
- Create and remove users.
- Configure users into roles.
- Configure permissions of users.
Sister Intuitive says... |
On the Active Directory page of the Web User Interface, an administrator can integrate the organization’s Active Directory users and groups into its FME Server security configuration. |
Miss Vector says... |
If I want one user to have a higher level of access to other users in the same role (say I wish to let an FME author be able to manage engines) what must I do?
1. Simply select that user from the user list and enable the manage Engines & Licensing policy 2. Promote that role to superuser status so that the user has a higher level of security 3. Create a new role with the manage Engines & Licensing policy enabled and move that user to it 4. Create a new role with the manage Engines & Licensing policy enabled and add that user to it as well as the original role |