Skip to main content
  • EN

We currently run all our FME jobs as an AD service account.  Unless a workspace uses SQL Authentication for DB access, all DB access occurs as this service account.  This has turned into a security concern and I’m sure others have dealt with this.  Which of the following is the best solution or what have I missed?

  1. It sounds like the new FME licensing allows unlimited engines.  Could we create a new engine for each workspace and run it as the service account with DB access, and access to network shares?  Kindly point me to steps to do this.
  1. Group Managed Service Accounts - can a FME workspace run as a gMSA?
  2. Use SQL Authentication instead of Windows Authentication for DB access.  I understand FME encrypts passwords but we’d still use the FME service account to access a ton of resources.

How do others handle FME jobs and access to resources?

An FME Engine runs using the account setup to run the service. For each engine specified on that machine a new instances is spun up using that account. On a single machine all engines run as the same user (the one specified to run the service). What you could do, is setup engines on a different machine using either:

On these machines the engine service can be set to run under a different windows account. You would of course, need to setup queues/engine assignment rules to send jobs to the correct engine(s).

The licensing model with ‘unlimited’ engines is CPU-Usage Engines where you purchase blocks of processing time to use across as many engines as you need..

 

FME does support GMSA accounts: https://support.safe.com/hc/en-us/articles/25407407864461-FME-Flow-Administration-Planning-and-Performing-an-FME-Flow-Installation

 

I would suggest you use the approach you’ve outlined in #3. The credential can be stored as database connections and centrally administered/managed by an admin via Database Connections - https://docs.safe.com/fme/html/FME-Flow/WebUI/Database-Connections.htm

Reply


Community Stats

31,790
Posts
120,757
Replies
39,405
Members

Latest FME

Terms & ConditionsCookie settings
A product of
Safe Software respectfully acknowledges that we live, learn and work on the traditional and unceded territories of the Kwantlen, Katzie, and Semiahmoo First Nations.