Solved

Using different accounts for FME jobs

  • January 21, 2025
  • 1 reply
  • 52 views

gregbensnoco
Participant

We currently run all our FME jobs as an AD service account. Unless a workspace uses SQL Authentication for DB access, all DB access occurs as this service account. This has turned into a security concern and I’m sure others have dealt with this. Which of the following is the best solution or what have I missed?

  1. It sounds like the new FME licensing allows unlimited engines. Could we create a new engine for each workspace and run it as the service account with DB access, and access to network shares? Kindly point me to steps to do this.
  2. Group Managed Service Accounts - can a FME workspace run as a gMSA?
  3. Use SQL Authentication instead of Windows Authentication for DB access. I understand FME encrypts passwords but we’d still use the FME service account to access a ton of resources.

How do others handle FME jobs and access to resources?


1 reply

hkingsbury
Celebrity
  • Best Answer
  • January 21, 2025

An FME Engine runs using the account set up to run the service. For each engine specified on that machine a new instance is spun up using that account. On a single machine all engines run as the same user (the one specified to run the service). What you could do is set up engines on a different machine using either:

On these machines the engine service can be set to run under a different Windows account. You would, of course, need to set up queues/engine assignment rules to send jobs to the correct engine(s).

The licensing model with ‘unlimited’ engines is CPU-Usage Engines, where you purchase blocks of processing time to use across as many engines as you need.

FME does support gMSA accounts: https://support.safe.com/hc/en-us/articles/25407407864461-FME-Flow-Administration-Planning-and-Performing-an-FME-Flow-Installation

I would suggest you use the approach you’ve outlined in #3. The credentials can be stored as database connections and centrally administered/managed by an admin via Database Connections - https://docs.safe.com/fme/html/FME-Flow/WebUI/Database-Connections.htm
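The answer above describes two of the moving parts (a separate engine host whose service runs under its own Windows account, and FME Flow's gMSA support) without giving the steps. The following PowerShell is an added example, not code from this thread or from Safe Software, showing how an administrator would provision a gMSA scoped to one engine host and point that host's engine service at it, so database access from that machine is attributable to a dedicated, least-privilege identity rather than the shared AD service account. Every name in it is a placeholder: the domain, gMSA name, engine host name and, in particular, the Windows service name of the FME Engine, which you should confirm with `Get-Service` on the host.

```powershell
# Added example (not from the thread): provision a gMSA and run one FME Engine
# host's service under it. Requires the ActiveDirectory RSAT module and rights
# to create service accounts in the domain. All names below are placeholders.

$Domain      = 'corp.example'       # placeholder: AD DNS domain name
$GmsaName    = 'gmsa-fme-gis'       # placeholder: gMSA SAM name (keep it <= 15 chars)
$EngineHost  = 'FMEENGINE02'        # placeholder: computer that will run the engine(s)
$ServiceName = 'FMEFlowEngines'     # placeholder: verify with Get-Service on the host

Import-Module ActiveDirectory

# 1. One-time per forest: gMSAs need a KDS root key. -EffectiveImmediately is for
#    labs; in production create it and wait ~10 hours for replication instead.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA. Only the engine host's computer account may retrieve its
#    managed password, which is what confines the identity to that machine.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword "$EngineHost$" `
    -KerberosEncryptionType AES128, AES256

# 3. On the engine host: install and verify the account. The password is fetched
#    from AD by the host itself and never handled by an operator.
Invoke-Command -ComputerName $EngineHost -ScriptBlock {
    param($GmsaName, $ServiceName, $Domain)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "gMSA $GmsaName cannot be retrieved on $env:COMPUTERNAME"
    }
    $netbios = (Get-ADDomain -Identity $Domain).NetBIOSName

    # 4. Reconfigure the engine service. The trailing '$' marks a gMSA and the
    #    empty password tells the Service Control Manager to use the managed one.
    #    Grant the gMSA "Log on as a service" (GPO or Local Security Policy)
    #    beforehand; this script does not change that user right.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found; check the name" }
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = "$netbios\$GmsaName$"
        StartPassword = ''
    }
    if ($result.ReturnValue -ne 0) {
        throw "Changing the service account failed (Win32_Service.Change returned $($result.ReturnValue))"
    }
    Restart-Service -Name $ServiceName
} -ArgumentList $GmsaName, $ServiceName, $Domain
```

Once the service runs as the gMSA, the database side is granted to that identity only (for SQL Server, a Windows login for `CORP\gmsa-fme-gis$`, again a placeholder), and the FME Flow queue or engine assignment rules route just the workspaces that need that database to this host. Repeating the pattern per host gives the per-workload separation the question asks about without any password leaving Active Directory; the trade-off is one engine host per distinct identity, which is why the answer also points at SQL authentication with centrally managed Database Connections for the remaining cases.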
