Security

Hi all, I’m trying to connect to an SFTP operated by one of our vendors with an Automation Action but when trying to connect it just gives me an ‘Algorithm negotiation failed’ error with no other output.This page (FME Flow Troubleshooting: Automations – FME Support Center) says it’s an issue with the key exchange or host key algorithms not matching. They seem to have overlapping algorithms but I’m not sure how to definitively check what FME is using. Anyone had this issue? 

Hi there,In this article (Configure user attribute mapping with Azure AD SAML Provider – FME Support Center), a group claim can be setup to pass an AD group name which aligns to a role in FME Flow. As a group claim could be based on a search criterion and many AD groups could be returned which is a common method of Enterprise group membership in ArcGIS Enterprise software. I was wondering if this could be used to grant several roles to a user?Looking at controlling access to repositories, who can view workspace and who can run a job, etc via AD group assignment.Thanks

 Since using FME Flow version 2024.2.3, running on Windows Server 2022. we face the following issues.BackgroundWe found that in FME Flow 2024.2.3 the network security protocol TLS1.3 is not configured by default. We expect it to work, see e.g. FME Community TLSv1.3 Support).  Also, for TLSv1.3, the minimum requirements for the versions of OpenSSL and Java used are:Tomcat 9.0.13 and later versions have built-in TLS 1.3 support For TLS 1.3 support, you need JDK 1.8.0_170 or later.As FME Support Third Party Component Versions reports, FME Flow 2024.2.3 uses Tomcat 9.0.91 and Java JDK 17.0.12+7.

Apparently since fixing this problem https://support.safe.com/hc/en-us/articles/25407612007949-Known-Issue-FME-Flow-Apache-Tomcat-Vulnerability-with-X-Frame-Options-headerIn FME Flow 2025.1, embedding FME Flow content to other pages is disabled entirely by default.  Is there any chance to allow embedding from known sources or is embedding considered so risky that this would not be even considered? 

I just had to downgrade a local testing FME Flow (from 2025.2 to 2025.1.2) to solve some unforeseen breaking changes in 2025.2 (or probably in 2025.1.3).But now I cannot install a backups from 2025.2 into the 2025.1.2 Flow:I’m very sure that the backups does not contain anything that’s not workable in 2025.1.2, so it’s just a matter of administratively blocking the restore.Why is this versioning stonewalling necessary at all ?Why not just warn about potential problems and restore what can be restored ?

Hello,Our FME Flow server is installed behind a secure proxy and is accessible via the following URL: **[https://my.domaine.be](https://my.domaine.be)**The FME Flow server itself is *not* running in HTTPS; the HTTPS layer is configured at the proxy level.However, in the FME Flow configuration through the Web interface (Admin → System Configuration → Network & Email → Services), we have properly updated all URLs so that the root is **[https://my.domaine.be/](https://my.domaine.be/)**, and in “standard” usage everything works correctly with HTTPS URLs (access to the FME Flow web interface, data downloads, application publication, Webhook exposure).However, we are unable to use the REST API because an issue remains (see image in this email):FME seems to expect its API to be contacted over HTTP (see image in this email), whereas we must absolutely communicate with **my.domaine.be** over HTTPS.Could you tell us what needs to be adjusted in ou

I’m working with FME Flow 2025 and I’ve built a Flow App that allows users to run a workspace by clicking a “Run” button.My concern is about system overload: if a user (maliciously or accidentally) clicks the “Run” button hundreds or thousands of times, this could flood the job queue and potentially saturate the single engine I have available.I’ve looked into Job Queues and Job Routing Rules, but they only let me set priorities and routing conditions (repository). I understand that jobs can be routed to different engines using queues, but that’s not my goal. My goal is to limit the number of jobs submitted by users, not to distribute them across multiple engines.What I’m trying to achieve is: Prevent users from creating an infinite queue of jobs. Ideally, enforce a limit per user (e.g., max 5 jobs active or queued). Any ideas?

Hi,I’m using the FME Server API to perform an audit and cleanup. I can use the API to retrieve lists of users, workspaces, and workbenches. Separately, I can also get a list of connections.I want to check if any of these connections are now redundant after the recent cleanup. Is there a way to link connection names to the workbenches they are used in, so I can identify and remove unused connections?I can’t see a way to do this via the API. The only approach I can think of is to download all the .fmw files and then read them in FME Desktop using the .fmw reader.Any help or alternative suggestions would be appreciated, ideally all within the api.Thanks!!

Hi,I have a unique situation where my org can’t connect to Flow from Form desktop.Some background first.We are hosting our own server with Flow 2025.0, and Form to match.For several months now we have been using Microsoft Azure to login to Flow, and to also connect via Form using the same authentication method.  The Azure login to Flow via the web GUI still works without any issue.  Visiting the Manage Web Services options, the web service that was built using the MS Azure Active Directory template authenticates fine using the “Test” option so proper communication is occurring between the Microsoft tenant and our Flow server.Our IT department recently upgraded the GIS team to Windows 11 and since then we’ve experienced problems.Within Form, using the admin account with a password still works and we can carry on publishing.However, trying to connect via Azure is giving us fits.   Any attempt to create a new connection to Flow results in the

I see a description of the FME_SERVER_WEB_URL in documentation. Question: What does it do? With a setup that has a proxy server that relays requests to the FME Flow server via URL ReWrite and ARR, a flawed web-hook request (e.g., a parameter name address is given to a web hook that doesn’t have an address parameter) causes an error message to be returned to client--with details such as the internal server name (as set by FME_SERVER_WEB_URL, which is set to the internal server out-of-the-box) and the FME Flow username of user who published workspace. I understand changing service URLs for this sort of setup; that seems to be how the client knows how to download/stream the result. But FME_SER

We are upgrading to FME Flow 2024 and wanting to make some improvements. As part of this we want to know if we can have a user upload workbenches to FME Flow. Then login to FME Flow with their user account, but somehow build automations, streams, apps, and scheduled jobs to run under a different user account. We are trying to migrate from putting the all the running automations, schedules, and other items under individual user accounts. Instead we want to assign to a departmental account. Since we have FME Flow tied into our Active Directory this will prevent any permission issues of jobs not working when an employee leaves the company and their AD account is suspended. I didn’t really want to have every user login to FME Flow with the departmental user account. Then we won’t keep the individual repositories for workspaces and will become a mess. I know the GUI/Web Front End as-is doesn’t support this but trying to decide what approach I could do to solve this.M

For those who have a connection setup to use a SharepointOnlineConnector in FME Flow. If you’re running 2024.1 or above, have you changed to use Application permissions with a tenant id, client id and client secret rather than using a delegated permission and authenticating with a username and password? Any issues with updating?

Hi, Looking to call a PowerShell script that will need to be run as a different user to the service account that runs the FME Flow service.FME Flow is a shared server and these credentials need to be secure from other users scheduling flows.I could use an encrypted xml file for the credentials, but then all who use the server would have access via the FME Flow service account. Putting the password in the workspace as a password, I still see it in plain text.While these work and I can make the exposure risk lower, still don’t seem ideal,What are my other options?

I am new to FME Flow. My organization had setup a FME Flow 2024.2 and integrated SAML for user login. I am just wondering whether I could use SAML account in FME Flow REST API and how to use it to generate a token for further REST API requests. Furthermore, is the generated token secure enough to prevent accessing other users’ resources, workspaces and data connections.Thanks in advance,Henry from TfNSW

Hi,I created a token that is used in an HTTPCaller to download Workspaces from Flow via the Flow REST API. I granted the token only permission to access Repositories which worked fine but the problem is that as soon as a new repository is created, the initial permission is not extended for this new repos.  It seems that I either have to manually re-grant permissions everytime a new repository is created or grant “All Permissions”. Is there any better option?   

We use Azure Entra ID (formerly known as Azure Active Directory) with FME Flow to login the application.So now we have two methods: 1. user name and password2. button "Sign in with Microsoft"My colleagues often use the first method, which does not work for them.I set up the system events to notify me when a login is failed. But now I would like to know who tried and failed to login. Is there a log that shows the username someone used to try to login? Does anyone know which logfile it is in?ps it would be nice if I could hide the first login method. But that method is used by the admin-account. So I guess that is not an option.

Hi!After FME Flow upgrade from 2022.2.1. to 2023.1 our organization is not able to use login with Windows credentials (Active Directory) anymore. It seems to be similar issue to Known Issue: FME Server SSO failed login due to insufficient credentials (safe.com), the error message is Failed login by user YIIJygYGKwYBBQUCoIIJvjCCCbqgMDAu... due to insufficient credentials. We haven't changed the configuration and until now the upgrades to a newer version haven't broken login with Active Directory user. 

Hello,I am a newbie and want to use fmedownload api in our new webpage.what is the best way to integrate security?at the moment I would call the the get token service with user and password to get a temporary token.Then I would use this token and call fmedownload.Is that the best way? Will the token service be available in the future?thanksbest regards Gerhard

Hi,I get from our Security officer anmessage that there is an vulnerability dected on one of our servers.This server is has FME Flow 2023.2.2 Build 23781 - win64 which depend on Apache Tomcat.Can you tell me if there is an security risk? And how we can solve this?Thread is registered under: CVE-2023-44487.Thank you

Hi,I would like to ask if there is a way to share webconnections to group of users with partial permission (ie only access permission) not full permission. the issue with full permission that the shared users can be able to delete web connections I shared. I have to tried to take off their manager and create permission but still wont be able to let them do not remove the share connection.We are looking for a way can do partial permission setting up. Thank you very much. 😁 

I just reinstalled a test FME Flow 2024 (from .0 to .2), but was unable to restore a backup from the previous version. Something to do with encryption.This worries me, as we are getting close to wanting to upgrade our current 2022 servers.How can I make sure that backups from the old 2022 servers can be read by the new (2024) servers ?Thanks in advance.

Hi! I am getting a warning that FMEFlow is affected by CVE-2024-56337. I am running FME Flow 2023.1.1Is this correct?Is there a fix or are these CVE not applicable? Best regards/Kim 

 We're sending CORS headers, but not getting them back. How do we get them back?

Using FME Server 2021.1 Build 21607 - win64,  we have applied the Security Update: FME Flow Privilege Escalation Vulnerability using this link https://support.safe.com/hc/en-us/articles/31265482270349-Security-Update-FME-Flow-Privilege-Escalation-Vulnerability but even after applying the patch and re-starting FME services and even rebooting the hosting VM we are still seeing this message!  I know it is possible to just click on X and close this notification on admin page but I noticed that other team members who didn't close the notification still seeing that on page!Should we ask everyone to ignore it!

Hey guys,Why do I get the error (some texts replaced for security reasons):Failed to load http://fme-serverdomain.com/fmedatadownload/repository/workspace.fmw?param1=somefile&param2=sometext&opt_responseformat=json&token=123456789&detail=high: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://someotherdomain.com' is therefore not allowed access.although I configured CORS to allow all hosts