If you're hosting FileMaker Pro Advanced files with FileMaker Server and your organization uses centrally managed authentication for users and groups, such as Apple Open Directory or a Windows domain, you can set up account access in FileMaker Pro Advanced that authenticates a group of users based on your authentication server. This allows you to use your existing authentication server to control access to files without having to manage an independent list of accounts in each file.
When users in a group try to open a hosted file, FileMaker clients prompt the user to sign in with an account name and password. These account credentials are sent to the external authentication server, which authenticates the user and returns to FileMaker Server a list of all the groups the user belongs to. FileMaker Server compares the group name of each external server account access entry in the file with this list of group names. The first valid match determines which account access entry is used and therefore which privilege set is assigned to the user.
Note Although you can set up account access for external authentication servers in FileMaker Pro Advanced, only files hosted by FileMaker Server can authenticate users via an authentication server. Files shared by any other FileMaker host can't authenticate via an authentication server.
Important When a database file contains external server account access entries, make sure you use operating system security settings to limit direct access to the file. Otherwise, it might be possible for an unauthorized user to move the file to another system that replicates your authentication server environment and gain access to the file. For more information on external authentication, see FileMaker Server Help.
1. Start editing new or existing account access for an external server group in the Manage Security dialog box.
See Creating and editing account access.
2. For Authenticate via, choose FileMaker File or External Server.
3. To grant account access to a group, click New. To change an existing group's account access, select the group.
4. In the details pane, for Authenticate via, choose External Server.
5. For Group Name, enter or change the name of a group that is defined on an external authentication server and will have access to this file.
6. For Privilege Set, choose, create, or edit a privilege set.
See Creating and editing privilege sets.
The privilege set assigned to this account access determines what the externally authenticated users in the group can do in the file.
7. To make the account active, select its checkbox.
Make account access inactive, for example, to set up privilege sets before allowing users to sign in.
8. If you also grant access to other groups or to FileMaker file accounts, you may need to change the priority of account access.
See Changing the priority of account access.
•You'll need to set additional options in FileMaker Server to authenticate users against an external server. See FileMaker Server Help.
•If you work with shared database files that access ODBC data from Microsoft SQL Server, you can configure Windows single sign-on authentication. See Enabling ODBC data source single sign-on (Windows only).