Solved

Token from call to run workspace. Are permissions inherited by subsequent jobs/subscriptions?


virtualcitymatt
Celebrity

I've just been thinking about required permissions for a project I've been working on.

 

The initial workspace is triggered via REST call (jobSubmitter). Depending on success or failure a topic gets triggered which may fire a subsequent workspace.

In one of these workspaces it needs to access the FME job history data via a REST call. I've set up a web connection.

 

My question is, does the initial token I use for the JobSubmitter need to have access to the job table (and web connection)? Or are permissions used based on the owner of the subscription workspace or the subscription itself?

 

Any best practices here?

 


2 replies

laurawatsafe
Safer • Best Answer • November 26, 2020

Hey @virtualcitymatt​! As I understand it, you have the following set up:

 

Workspace (called via REST) -> Topic (on success/fail) -> Workspace subscription

 

Based on that, these two workspaces are essentially completely independent when it comes to permissions. The Token used to trigger the first workspace via REST only needs enough permissions to run the first job and nothing else.

 

The permissions for the second job would be controlled by the account that owns the subscription. That user would need permission to access the web connection used inside the workspace. That user wouldn't necessarily need access to the job table though as that permission is controlled by the user account used inside the web connection. I guess one thing to keep in mind here is that if you share your FME Server web connection with another user, you are giving them full access to everything that your account can do.

 

Hope that helps!
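
The chain described in the answer above can be written down as a least-privilege check. This is an added example, not part of the original post and not FME Server code: the `audit` function, the principals and the permission strings such as `run:ingest.fmw` and `read:jobs` are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    perms: set = field(default_factory=set)

@dataclass
class WebConnection:
    owner: str                      # user who created the connection
    account: Principal              # account whose credentials the connection stores
    shared_with: set = field(default_factory=set)

def audit(token, sub_owner, conn, first_ws, needed_via_conn):
    """Check each hop of: token -> workspace 1 -> topic -> subscription -> web connection."""
    findings = []
    run_first = f"run:{first_ws}"
    # Hop 1: the trigger token authorizes the first job and nothing downstream.
    if run_first not in token.perms:
        findings.append(f"token '{token.name}' cannot run {first_ws}")
    extra = token.perms - {run_first}
    if extra:
        findings.append(f"token '{token.name}' has unneeded permissions: {sorted(extra)}")
    # Hop 2: the second job runs as the subscription owner, who must be able to use the connection.
    if sub_owner.name != conn.owner and sub_owner.name not in conn.shared_with:
        findings.append(f"subscription owner '{sub_owner.name}' cannot use the web connection")
    # Hop 3: the REST call inside the workspace is authorized by the connection's account.
    missing = set(needed_via_conn) - conn.account.perms
    if missing:
        findings.append(f"connection account '{conn.account.name}' lacks {sorted(missing)}")
    # Sharing exposure: anyone who can use the connection acts with its account's permissions.
    surplus = conn.account.perms - set(needed_via_conn)
    if conn.shared_with and surplus:
        findings.append(f"connection shared with {sorted(conn.shared_with)} exposes {sorted(surplus)}")
    return findings

# Constructed sample: same trigger token and subscription owner, two choices of connection account.
token = Principal("jobsubmitter-token", {"run:ingest.fmw"})
owner = Principal("automation-user", {"run:report.fmw"})
conn_loose = WebConnection("admin", Principal("admin", {"read:jobs", "manage:users", "manage:repos"}), {"automation-user"})
conn_tight = WebConnection("admin", Principal("jobs-reader", {"read:jobs"}), {"automation-user"})

if __name__ == "__main__":
    for label, conn in (("loose", conn_loose), ("tight", conn_tight)):
        print(label, audit(token, owner, conn, "ingest.fmw", {"read:jobs"}))
```

In this model the subscription owner never holds `read:jobs` itself; only the account stored in the connection does, and a connection backed by a dedicated read-only account is the variant that produces no findings.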


virtualcitymatt
Celebrity
Hi Laura,

 

OK, perfect, thanks a lot for the clarification. The web connection inside the workspace uses a dummy connection with missing credentials that needs to be configured post import of the project.

 

This really helps me to get the users and permissions sorted out. Thanks Laura!

