Authorizing access to files
As part of your overall security plan, you can control whether other FileMaker Pro files are permitted to access the schema in a file (including its tables, layouts, scripts, and value lists) in your protected custom app. When protection is enabled, any use of the protected file through a FileMaker data source will require authorization. Therefore, in a multifile custom app, you will need to authorize the other files.
For example, enabling protection prevents someone with account access in your file from creating another file that uses tables in your file but does not implement the same business logic (such as the same script triggers). The use of this alternative file can bypass your intended business logic (although record-level access would still be enforced). Turning on this option also prevents files that are not authorized from opening a protected file using the Open File script step. Furthermore, you can prevent even previously authorized files moved to a different host from opening a protected file.
To prevent unauthorized files from performing certain operations in your file via an enabled plug-in, use fmplugin extended privileges. See About controlling plug-in access between files.
Each authorized file is assigned a unique numeric identifier, which the protected file keeps track of, ensuring that the protected file remains protected even if it is renamed or duplicated. Any efforts to bypass authorization, such as by replacing an authorized file with a different one, will be unsuccessful.
Protecting a file and authorizing other files to access it is different from protecting a file's record data and other security measures that you can take. See Planning security for a shared file.
To manage access to files, you must open the file with an account that is assigned the Full Access privilege set.
To authorize access to a file:
-
Open the file that you want to protect.
-
Choose File menu > Manage > Security.
-
Click Advanced Settings, then the File Access tab.
-
If you want to authorize additional files that are not currently open, click Authorize. In the Open File dialog box, choose a file to authorize, and click Open.
You may be asked to enter the name and password of an account with Full Access privileges.
Important If you don't authorize a file that references a protected file, the references will no longer work.
The authorized file appears in the File Access list, with the date and time it was authorized, and the account used to create the authorization.
To |
Do this |
Protect this file against unwanted access from other files |
Select Require full access privileges to use references to this file. If any files that reference the protected file are currently open, you see an alert for each file, asking if you want to authorize the file. Click Yes. |
Require authorized files to be on the same host as this file |
Select All files must be on the same host. If this file is local, all authorized files must also be local to access this file. Note To fully enforce this option, the current file and all files authorized to open it must be opened by FileMaker 21.1 clients at a minimum. To require a minimum version, see Setting file options. |
Remove authorization for a file |
Select the file for which you want to remove authorization, then click Deauthorize. If the deauthorized file is open on any clients, deauthorization will not take effect until the next time the file is opened. |
Remove all restrictions to file access |
Deselect Require full access privileges to create references to this file. |
Notes
-
A newly created file contains a reference to itself in the File Access list. This enables a data source in this file to refer to itself and copied or cloned files to work with each other, both without needing to add references manually to the File Access list. You can remove this self authorization to prevent this type of access.
-
If you rename an authorized file and the file is currently open, the new name appears next to the original name in the File Access list. For example, if you renamed the file SalesReport to ExecReport, then ExecReport;SalesReport appears in the list.
-
A protected file retains its list of authorized files if the file is cloned, so you don't have to repeat this process.
This is helpful because you don't have to repeat the authorization process. However, if you duplicate or clone a protected file, each file will also have the same ID. If you use both files in the same multifile custom app, you must reset the ID in one of the files so that each file has a unique ID. To reset the protected file's unique ID, click Reset All, then click Yes. After resetting, you will need to reauthorize all files that are authorized to access the protected file and any protected files that file was authorized to access.
Important Resetting the ID cannot be undone by clicking Cancel in the Advanced Security Settings dialog box.