Solved

Transfer fmesuperuser role privileges to Active Directory role

  • June 17, 2019
  • 4 replies
  • 44 views

g_karssenberg
Contributor

I would like to transfer the fmesuperuser role privileges to an Active Directory role.

In the FME Server documentation, there is an article about how to do this using the SECURITY_SUPERUSER_ROLE parameter in the fmeCommonConfig.txt configuration file. Unfortunately, this does not seem to work. The parameter line mentioned (SECURITY_SUPERUSER_ROLE=fmesuperuser) is not present in the configuration file. Also just adding the line as a parameter does not seem to work.

The answer in the article already present in the knowledge base is not sufficient, because this only concerns assigning an Active Directory user to the role.

I ruled out errors in the Active Directory distinguished name by testing with a test FME Server role (non-AD) and using this in the configuration file (e.g. SECURITY_SUPERUSER_ROLE=testsuperuser).

How can I accomplish transfer of privileges on the AD role?

Best answer by jlutherthomas

Hi @g_karssenberg

Which build of FME Server are you using?

If you're on 2017+, the parameter you've referenced in the fmeCommonConfig no longer exists, as all of the Active Directory configuration is done through the web UI.

From here, once you've imported your users, you can add the fmesuperuser role to the user that you want to have superuser privileges.

I would not recommend under any circumstances removing or replacing the FME Server superuser account with an Active Directory-only superuser account. If your Active Directory details change (which I have seen happen to customers without their knowledge) you will be unable to access FME Server.

g_karssenberg
Contributor
  • Author
  • June 17, 2019

Using build 19253 win64.

The article is in the current documentation, so if this is no longer applicable, it should be removed from the documentation. The fact that it is (still) present gives me the indication that it is valid for the current version.

We would like to be able to use only AD for user and role management, including superuser. In my opinion, this would not be risky if the superuser role still exists (but with no privileges) and can be assigned through the configuration file, back to the original configuration. This would be the 'backup' scenario in case there is no access to AD. The upside is that there is no user management needed in the FME Server web interface, but adding AD users to the AD role would be sufficient.

So, basically I need to know two things:

  1. Explicitly: is it still supported in this version? If not, this should be removed from current documentation.
  2. If this is not supported, is it then not supported in any way to transfer from fmesuperuser role to an AD role? If not, then it is not possible to do all AD configuration through the web interface.

g_karssenberg
Contributor
  • Author
  • June 17, 2019

Or just add a remark to the documentation about removing this functionality from a certain version on. And clarify that transfer of the privileges is not possible anymore. That would clear things up.


"Or just add a remark to the documentation about removing this functionality from a certain version on. And clarify that transfer of the privileges is not possible anymore. That would clear things up."

Good spot. I am going to request that this get removed from the documentation as it's no longer supported.

"If this is not supported, is it then not supported in any way to transfer from fmesuperuser role to an AD role? If not, then it is not possible to do all AD configuration through the web interface."

You can assign the superuser role to AD user(s) if you wish. Those users would be able to do AD configuration as long as the config remains the same so they are still able to sign in. If your AD settings change, those users will not be able to sign into FME Server as it will not be able to communicate with your domain controller. This is why I do not recommend or in any way endorse removing the FME Server superuser account and only having AD users as superusers.

This is why we have mixed FME Server + AD users - so if something happens to the connection to your AD server, an FME Server superuser is able to sign in and update the configuration.