Hi FME’ers,
It’s rare I focus on a particular FME Server aspect like this, but – for server users – security tends to be one of the big ones; a topic every administrator is interested in. And FME 2012 delivers a bunch of new security functionality that is both effective and flexible.

Integrated Security
For me, the biggest enhancement in 2012 is the easiest to describe: FME 2012 integrates with Active Directory to use your existing security infrastructure to control FME user accounts, passwords, and roles.

This screenshot shows a group of users assigned privileges in FME Server:

Switching from the in-built security to Active Directory involves just uncommenting a couple of lines in a config file. And – as this short movie by Safe Software’s president, Don Murray, shows – managing users is then remarkably simple.

As one user remarked “looks easy as pie”. In fact it’s even easier because the administrator doesn’t need to roll out a pastry topping and there’s no chance the end-user will find a mushroom inside (yeuch)! But seriously, you can imagine how important this enhancement is for large corporate users.

Better Access Control
FME Server 2012 also provides better access control.

Permissions can now be granted or revoked for the ability to read, write, run and remove in a particular repository. Also, it’s now possible to set permissions for repository creation, and service creation.

Here the administrator is setting repository permissions for the fmeadmin role.

This means a particular group can be allowed to run items in a particular repository (for example) but not allowed to download or publish workspaces.

Incidentally, the terminology Read, Write, Run, Remove is deliberate. “Download” and “Publish” were considered but didn’t work: would “download” mean I could also view all workspaces, and if not then how do you download a workspace you can’t see? Would “publish” also allow updates or republishing?

So we settled on “Read” and “Write” because those terms cover all bases. Read means you can view a workspace in the repository, and download it; but you can’t necessarily publish or run a workspace. Write means you can publish a workspace, and/or re-publish/update an existing one. “Run” and “Remove” are – I hope – self-explanatory.

Request Tracking
A nice enhancement for 2012 is improved request tracking.

Each translation on FME Server is the result of a ‘request’. A new published parameter called FME_SECURITY_USER now stores the name of the user who made the request. As a published parameter, this information can be retrieved by the workspace.

Of course, the most obvious use is simply to record who is running the translation and downloading (or uploading) data. You could retrieve the username and write it out to either the log file or a database, send it to an online log, or email it to an administrator. But there are other uses such as directing processing within the workspace itself.

For example, a Tester transformer could be used to filter features based on the username (with the new parameter handling in 2012, you wouldn’t even need the ParameterFetcher)…

The reason you might do this is that FME Server security is role-based; i.e. each setting is applied to a role rather than an individual. You could handle individual security by making a person a group (role) of one; but now the FME_SECURITY_USER parameter lets you do it inside the workspace itself.
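
Here is a Python sketch of the per-user filtering and request logging described above. It is an added example, not code from the original post or from Safe Software. The parameter dictionary, the feature dictionaries and the USER_REGIONS policy are assumptions standing in for the workspace's published parameters, its features and your own rules; a missing or unknown user gets no features.

```python
import json
from datetime import datetime, timezone

# Hypothetical per-user policy: which 'region' values each user may receive.
# Keys are lower-cased because directory account names are not case-sensitive.
USER_REGIONS = {
    "alice": {"north", "south"},
    "bob": {"north"},
}


def requesting_user(params):
    """Return the normalised requester name, or None if it is absent/blank."""
    name = (params.get("FME_SECURITY_USER") or "").strip().lower()
    return name or None


def filter_features(params, features, audit_sink):
    """Keep only features the requester may see and append one audit record.

    Fails closed: an unknown or missing user receives no features.
    """
    user = requesting_user(params)
    allowed = USER_REGIONS.get(user, set()) if user else set()
    kept = [f for f in features if f.get("region") in allowed]
    audit_sink.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "features_in": len(features),
        "features_out": len(kept),
        "decision": "filtered" if allowed else "denied",
    }, sort_keys=True))
    return kept


# Constructed sample input (not real FME Server output).
SAMPLE_FEATURES = [
    {"id": 1, "region": "north"},
    {"id": 2, "region": "south"},
    {"id": 3, "region": "east"},
]

if __name__ == "__main__":
    log = []
    for p in ({"FME_SECURITY_USER": "Bob"}, {"FME_SECURITY_USER": ""}, {}):
        print([f["id"] for f in filter_features(p, SAMPLE_FEATURES, log)])
    print("\n".join(log))
```

The audit records are JSON lines, so they can go to a log file or a database table as the post suggests.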

Of course another use for that information is to use it to update an output dataset’s metadata, by using it in the new XMLUpdater transformer for example.

Besides the parameter, the requestor information is recorded in the repository database, as part of the request record. Also note that we already have FME_SECURITY_ROLES to identify the role of the user who requested the translation, and could use it for similar purposes.

I hope this post was of use. If you are thinking about FME Server and what it can do for you, then the first step you might take is to participate in one of our monthly server webinars, or even just watch a previously recorded one. You can find more information about recorded and future webinars on the Safe Software web site.


Mark Ireland

Mark, aka iMark, is the FME Evangelist (est. 2004) and has a passion for FME Training. He likes being able to help people understand and use technology in new and interesting ways. One of his other passions is football (aka. Soccer). He likes both technology and soccer so much that he wrote an article about the two together! Who would’ve thought? (Answer: iMark)
