FileMaker’s innovative platform requires ever more security as the platform’s transition to a First Class Web Citizen continues. As more services connect to our systems and as more people interact with the data, a file needs tighter and more security. FileMaker 18 has introduced changes that increase security, remove false security, and open up more security access to authorized users. Those changes include Enabling “Require Full Access Privileges to use references to this file” by default, removing false security of password challenge for full-access, alerting the developer to unsigned plugins, and adding a new option to allow non-full access users to manage non-full access accounts.
Let’s take a look at the FileMaker 18 security changes that have been introduced.
A new security interface
For one, the security interface has been redesigned to be more efficient for a developer or user coming to adjust the security settings.
FileMaker 18’s redesigned security interface
Those people who are assigned the role (more on that later) can adjust the privilege set, enable or disable it, or set/reset the password. This redesign seems to solve the “number of clicks” problem. The developer or a user can do what they need to do in fewer of them.
A Privilege to manage user accounts
As clients become more used to manage their own day-to-day security, they expect more control over accounts and such. As a developer we can provide scripts to do some of this, but that is a pain. FileMaker 18 adds a new privilege for any non-full-access account to manage non-full-access accounts.
A user with this privilege can do what we as developers used to have to do manually or build scripts. She can add accounts, change privilege sets (but not create them), change passwords, and more. If the same user has the older “Manage Extended Privileges” privilege, then she has more control over user accounts.
This person cannot touch the full-access accounts in the file. Though she can see them, she cannot edit or delete them.
Require Full Access privileges
This is sort of a feature that’s been around for a long time but sort of been hidden and off by default. For those files created with FileMaker Pro Advanced 18, this setting is now on at file-creation. This is a good thing.
This feature ensures that only authorized files can access this file, and that authorization can only be given by the full-access account of the file. If File A has this option turned on, then File B can only reference this file after File A’s full-access username and password has been entered when setting up the reference.
This feature is off by default for files created with FileMaker Pro 17 Advanced and earlier. But it’s easy to set up. Simply navigate to the Authorization area, turn it on. Then you have to go to all files that reference this one and authorize it.
I find this feature amazing. So we’ll talk about it in the near future.
Removing password challenges (most of them) in Manage Security
A FileMaker developer’s job is to deliver to the client an innovative app that connects to other services, processes data, and displays summaries, among other things. We’re logged into the file using our full-access account for a work session, opening the script workspace, the custom function dialog and other places. In previous versions of FileMaker the Manage Security dialog was hidden behind a full-access credentials challenge. So we stop our work and enter those. We make changes in the security, then close the dialog. We’re challenged again with credentials.
And then we walk away from our computer to get coffee or a donut or something. Our computer is open and we’re still logged in.
In the past, we might not have thought about that too much. After all, no one can get into the security part of the file. That seemed like it was a security feature.
The credentials challenge created a false-sense of security. For sure, Manage Security is one important part of the system, but it’s one part. Any full-access account can still create scripts that create accounts, run any script, delete records, see any layout. etc. So the password challenge was not much of a security point. It was a work-break point. I am the developer with full access. I need to get everywhere in the system quickly. Now I can.
The only time we are challenged with full-account username and password is when we are trying to change that password of the full access account. FileMaker wants to make sure you know what the new password is.
Be thoughtful in security
What we have to do as developers is think security in every part of our work: from our work to the times we’re not working. At the very least, when we walk away, we should log out of the file. Even better: lock the computer.
Again, this is a topic for a later post.
Invalidated plugin warning
The FileMaker 18 security changes include a warning when plugins are invalid in some way: the plugin is unsigned or has expired or other forms of validation fails. The user will get a weird (to them) message when the file tries to use an invalid plugin.
Since FileMaker now does this, we as developers should plan for this. We should use only valid or signed plugins, and we should test to make sure that users won’t get this message.
Luckily we have a small group of those plugins, and all the developers are part of the community, so I’m sure they’re working on getting this fixed. I doubt any plugins we typically use will cause this error.
FileMaker 18 security changes
FileMaker’s security changes show us that FileMaker, Inc. is indeed concerned about security. Every release continues the security updates as the platform reaches further and further out from our local computers and touches more people. The changes introduced in FileMaker 18 are necessary and good. They tighten up security and make our delivery to our clients more efficient and neater.