I've just been thinking about required permissions for a project I've been working on.

The initial workspace is triggered via REST call (jobSubmitter). Depending on success or failure, a topic gets triggered which may fire a subsequent workspace.

One of these workspaces needs to access the FME job history data via a REST call. I've set up a web connection.

My question is, does the initial token I use for the JobSubmitter need to have access to the job table (and web connection)? Or are permissions used based on the owner of the subscription workspace or the subscription itself?

Any best practices here?

Hey @virtualcitymatt! As I understand it, you have the following set up:

Workspace (called via REST) -> Topic (on success/fail) -> Workspace subscription

Based on that, these two workspaces are essentially completely independent when it comes to permissions. The Token used to trigger the first workspace via REST only needs enough permissions to run the first job and nothing else.

The permissions for the second job would be controlled by the account that owns the subscription. That user would need permission to access the web connection used inside the workspace. That user wouldn't necessarily need access to the job table though as that permission is controlled by the user account used inside the web connection. I guess one thing to keep in mind here is that if you share your FME Server web connection with another user, you are giving them full access to everything that your account can do.

Hope that helps!


Hi Laura,

OK perfect, thanks a lot for the clarification. The web connection inside the workspace uses a dummy connection with missing credentials that needs to be configured post import of the project.

This really helps me to get the users and permissions sorted out. Thanks Laura!

