Use External Directory AD Group for FileMaker Admin Console Access on macOS

Besides using its own internal accounts, FileMaker Server supports centrally managed authentication using directory systems such as Active Directory. Using these systems can help control access to both FileMaker Server’s admin console and database files.

If you are using directory-bound servers already, you'll often want to grant access to a FileMaker Server's console to directory groups instead of adding specific users. Previously this was easily done with either Workgroup Manager (no longer supported on macOS) or the Server application (still viable, but only in a vestigial form).

Here I’ll show how you can do the same thing using the dscl command.

While logged in to the bound server, we'll need to run a few commands in the Terminal. Since we can't use the name of the group, we will instead use the directory ID (the GeneratedUID) of the group we want to grant access to.

dscl "/Active Directory/YOURDOMAIN/All Domains" read /Groups/YOURGROUP GeneratedUID

If you run the above command (after editing to the correct domain and group) you should see some output like the following:

GeneratedUID: D8EB09EB-7E6A-4361-935F-B0A9D151F8D5

When FileMaker Server is installed, it creates a local group named fmsadmin. So we'll make use of that existing group by adding our directory group as a member (a nested group). This has the added benefit of also giving members of the directory group file system access to the many folders used by FileMaker Server.

dscl . append /Groups/fmsadmin NestedGroups "D8EB09EB-7E6A-4361-935F-B0A9D151F8D5"

Next, we jump into the Admin Console to allow the group's members access.

And finally, we enable that access for the console.
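The dscl steps above gathered into one script (an added example, not code from the original post): it resolves the group's GeneratedUID, refuses anything that is not a UUID, skips the append when the group is already nested in fmsadmin, and re-reads the local group to confirm the write landed. The function names are mine; the append to the local node needs admin rights, so run the script with sudo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the server is bound to
# the domain and that this runs with admin rights (sudo) for the local write.

# Pull the value out of `dscl ... read /Groups/X GeneratedUID` output.
parse_generated_uid() {
    printf '%s\n' "$1" | sed -n 's/^GeneratedUID: *//p' | head -n 1
}

# Accept only a well-formed UUID before writing it into the local node.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Return 0 if the UID is already listed in `dscl . read ... NestedGroups`
# output (dscl prints values on one line, or one per line when they are long).
uid_in_nested_groups() {
    _uid=$1
    for _member in $(printf '%s\n' "$2" | sed 's/^NestedGroups://'); do
        [ "$_member" = "$_uid" ] && return 0
    done
    return 1
}

# Live procedure: nest_ad_group YOURDOMAIN YOURGROUP
nest_ad_group() {
    _domain=$1
    _group=$2
    _node="/Active Directory/$_domain/All Domains"
    _out=$(dscl "$_node" read "/Groups/$_group" GeneratedUID) || return 1
    _guid=$(parse_generated_uid "$_out")
    is_uuid "$_guid" || { echo "no valid GeneratedUID for $_group" >&2; return 1; }
    _current=$(dscl . read /Groups/fmsadmin NestedGroups 2>/dev/null)
    if uid_in_nested_groups "$_guid" "$_current"; then
        echo "$_group ($_guid) is already nested in fmsadmin"
        return 0
    fi
    dscl . append /Groups/fmsadmin NestedGroups "$_guid" || return 1
    # Re-read the local group so a silent failure does not go unnoticed.
    _after=$(dscl . read /Groups/fmsadmin NestedGroups)
    uid_in_nested_groups "$_guid" "$_after"
}

if [ "$#" -eq 2 ]; then
    nest_ad_group "$1" "$2"
fi
```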


Some of you may be more familiar with the dsedit command. I happen to be more used to using dscl however.

You might also want to check out this post on setting file permissions. It will help ensure that when files are manipulated by members of the fmsadmin group, all other members (including FileMaker Server itself) still have full access to them.

Simon

