FMPA18 – Delegating User Management without Full Access

With the release of FileMaker Pro Advanced 18, Full Access users can delegate user management to any user. This reduces the administrative burden on database administrators and shortens the response time for changes to user accounts. For example, the people conducting employee onboarding and offboarding can now create, edit or delete users. Additionally, someone like an office manager can now reset user passwords instead of sending a request to a database administrator.

In FileMaker 17, only Full Access users were able to manage users. For security reasons, you want as few users as possible with that privilege set. Database administrators had to either manage all users themselves, create complex scripts as a workaround, or provide users with Full Access, thereby giving them access to restricted parts of the database. In FileMaker 18, users can manage other users without having the Full Access privilege set. They can create, delete, disable, and enable other users, and they can reset passwords for all but Full Access users.

Here’s how you can use this new feature:

1. Open your database file as a Full Access user.

2. Go to File → Manage → Security.

3. In the Manage Security window, create a new user by clicking on the New button. This window has been redesigned in FileMaker 18. Skip to Step 5 if you want to select an existing user.

Manage Security Window

4. Enter the new user’s information.

5. Create a new privilege set by opening the privilege sets’ dropdown list, then clicking on New Privilege Set.

6. Change all necessary fields and check the box next to Manage accounts that don’t have Full Access. This option is new in FMPA 18.

Edit Privilege Set Window

7. Click OK.

8. Now you can see that the new user created has the new privilege set. You can assign this privilege set to other users as well.

Manage Security Window. Make sure that the user was assigned the new privilege set.

9. Close the database file, then log in again as the user with the new privilege set.

10. Once logged in, open File → Manage → Security.

11. You can see that this user can create, delete, enable, and disable accounts, change their privilege sets, and reset passwords. This user can’t create new privilege sets or modify existing ones, and can’t change the privilege set of Full Access users.

Can’t delete nor change the privilege set of Full Access users
Message when trying to create a new privilege set

You can also use this privilege set with Active Directory users or groups. Contact us at sales@app.works if you’d like to know more about that.

While this feature brings convenience, it also brings a security risk. Compromised or rogue user accounts with such privileges can cause more damage than before. We recommend checking for this type of privilege set as part of the employee exit process. We’re excited to use this feature along with all the other new ones in FileMaker 18.