Skip to main content

I would like to transfer the fmesuperuser role privileges to an Active Directory role.

In the FME Server documentation, there is an article about how to do this using the SECURITY_SUPERUSER_ROLE parameter in the fmeCommonConfig.txt configuration file. Unfortunately, this does not seem to work. The parameter line mentioned (SECURITY_SUPERUSER_ROLE=fmesuperuser) is not present in the configuration file. Also just adding the line as a parameter does not seem to work.

The answer in the article already present in the knowledge base is not sufficient, because this only concerns assigning an Active Directory user to the role.

I ruled out errors in the Active Directory distinguished name by testing with a test FME Server role (non-AD) and using this in the configuration file (e.g. SECURITY_SUPERUSER_ROLE=testsuperuser).

How can I accomplish transfer of privileges on the AD role?

Hi @g_karssenberg

 

 

Which build of FME Server are you using?

 

 

If you're on 2017+, the parameter you've referenced in the fmeCommonConfig no longer exists as all of the active directory configuration is done through the web ui.

 

 

From here, once you've imported your users, you can add the fmesuperuser role to the user that you want to have superuser privileges.

 

I would not recommend under any circumstances removing or replacing the fme server super user account with an active directory only super user account. If your active directory details change (which I have seen happen to customers without their knowledge) you will be unable to access FME Server.

Hi @g_karssenberg

 

 

Which build of FME Server are you using?

 

 

If you're on 2017+, the parameter you've referenced in the fmeCommonConfig no longer exists as all of the active directory configuration is done through the web ui.

 

 

From here, once you've imported your users, you can add the fmesuperuser role to the user that you want to have superuser privileges.

 

I would not recommend under any circumstances removing or replacing the fme server super user account with an active directory only super user account. If your active directory details change (which I have seen happen to customers without their knowledge) you will be unable to access FME Server.

Using build 19253 win64.

The article is in the current documentation, so if this is no longer applicable this should be removed from documentation. The fact that it is (still) present gives me the indication that it is valid for the current version.

We would like to be able to use only AD for user and role management. Included superuser. In my opinion, this would not be risky if the superuser role still exists (but with no privileges) and can be assigned through the configuration file, back to the original configuration. This would be the 'backup' scenario in case there is no access to AD. Upside is that there is no user management needed in FME Server web interface but adding AD users to the AD role would be sufficient.

So, basically I need to know two things:

  1. Explicitly: is it still supported in this version? If not, this should be removed from current documentation.
  2. If this is not supported, is it then not supported in any way to transfer from fmesuperuser role to an AD role? If not, then it is not possible to do all AD configuration through the web interface.

Using build 19253 win64.

The article is in the current documentation, so if this is no longer applicable this should be removed from documentation. The fact that it is (still) present gives me the indication that it is valid for the current version.

We would like to be able to use only AD for user and role management. Included superuser. In my opinion, this would not be risky if the superuser role still exists (but with no privileges) and can be assigned through the configuration file, back to the original configuration. This would be the 'backup' scenario in case there is no access to AD. Upside is that there is no user management needed in FME Server web interface but adding AD users to the AD role would be sufficient.

So, basically I need to know two things:

  1. Explicitly: is it still supported in this version? If not, this should be removed from current documentation.
  2. If this is not supported, is it then not supported in any way to transfer from fmesuperuser role to an AD role? If not, then it is not possible to do all AD configuration through the web interface.

Or just add a remark to the documentation about removing this functionality from a certain version on. And clarify that transfer of the privileges is not possible anymore. That would clear things up.


Or just add a remark to the documentation about removing this functionality from a certain version on. And clarify that transfer of the privileges is not possible anymore. That would clear things up.

Good spot. I am going to request that this get removed from the documentation as it's no longer supported.

 

 

"If this is not supported, is it then not supported in any way to transfer from fmesuperuser role to an AD role? If not, then it is not possible to do all AD configuration through the web interface."

 

You can assign the superuser role to AD user(s) if you wish. Those users would be able to do AD configuration as long as the config remains that same so they are still able to sign in. If your AD settings change those users will not be able to sign into FME Server as it will not be able to communicate with your domain controller. This is why I do not recommend or in any way endorse removing the fme server superuser account and only having AD users as superusers.

 

 

This is why we have mixed FME Server + AD users - so if something happens to the connection to your AD server an FME Server superuser is able to sign in and update the configuration.

Reply