Solved

Transfer fmesuperuser role privileges to Active Directory role



I would like to transfer the fmesuperuser role privileges to an Active Directory role.

In the FME Server documentation, there is an article about how to do this using the SECURITY_SUPERUSER_ROLE parameter in the fmeCommonConfig.txt configuration file. Unfortunately, this does not seem to work. The parameter line mentioned (SECURITY_SUPERUSER_ROLE=fmesuperuser) is not present in the configuration file. Also just adding the line as a parameter does not seem to work.

The answer in the article already present in the knowledge base is not sufficient, because this only concerns assigning an Active Directory user to the role.

I ruled out errors in the Active Directory distinguished name by testing with a test FME Server role (non-AD) and using this in the configuration file (e.g. SECURITY_SUPERUSER_ROLE=testsuperuser).

How can I accomplish transfer of privileges on the AD role?


Best answer by jlutherthomas 17 June 2019, 16:58


4 replies

Badge +2

Hi @g_karssenberg

Which build of FME Server are you using?

If you're on 2017+, the parameter you've referenced in the fmeCommonConfig no longer exists, as all of the Active Directory configuration is done through the web UI.

From here, once you've imported your users, you can add the fmesuperuser role to the user that you want to have superuser privileges.

I would not recommend under any circumstances removing or replacing the FME Server superuser account with an Active Directory-only superuser account. If your Active Directory details change (which I have seen happen to customers without their knowledge), you will be unable to access FME Server.
Badge

Using build 19253 win64.

The article is in the current documentation, so if this is no longer applicable, this should be removed from the documentation. The fact that it is (still) present gives me the indication that it is valid for the current version.

We would like to be able to use only AD for user and role management, including the superuser. In my opinion, this would not be risky if the superuser role still exists (but with no privileges) and can be assigned through the configuration file, back to the original configuration. This would be the 'backup' scenario in case there is no access to AD. The upside is that no user management is needed in the FME Server web interface; adding AD users to the AD role would be sufficient.

So, basically I need to know two things:

  1. Explicitly: is it still supported in this version? If not, this should be removed from current documentation.
  2. If this is not supported, is it then not supported in any way to transfer from fmesuperuser role to an AD role? If not, then it is not possible to do all AD configuration through the web interface.
Badge

Or just add a remark to the documentation about removing this functionality from a certain version on. And clarify that transfer of the privileges is not possible anymore. That would clear things up.

Badge +2

Good spot. I am going to request that this get removed from the documentation as it's no longer supported.

"If this is not supported, is it then not supported in any way to transfer from fmesuperuser role to an AD role? If not, then it is not possible to do all AD configuration through the web interface."

You can assign the superuser role to AD user(s) if you wish. Those users would be able to do AD configuration as long as the config remains the same so they are still able to sign in. If your AD settings change, those users will not be able to sign into FME Server as it will not be able to communicate with your domain controller. This is why I do not recommend or in any way endorse removing the FME Server superuser account and only having AD users as superusers.

This is why we have mixed FME Server + AD users - so if something happens to the connection to your AD server, an FME Server superuser is able to sign in and update the configuration.
