FME Flow Security

Liz Sanderson
Liz Sanderson
  • Updated

Introduction

This article is intended to provide a high-level overview of FME Flow Security. 
 
For technical instructions on how to enhance security for FME Flow please see the FME Flow Best Practices Guide for IT Ops and Server Admins.

 

Authentication

Authentication is the process used to verify the identity of the person accessing the application. FME Flow supports both user and token-based authentication that is configurable via the FME Flow Web UI or programmatically using the REST API.
 

User Security

Users can be created directly on the system, or FME Flow can be integrated with Windows Active Directory or other LDAP-based directories. When accessing FME Flow users will have been granted access to different components and must enter their credentials, to log in and use this functionality.  If using Windows Active Directory optionally the Administrator can also enable Integrated Windows Authentication (IWA) commonly referred to as single sign-on, removing the need for users to enter their user credentials in the Web UI.
 
For enhanced security, the System Administrator can configure a password policy, password expiry, and password recovery for system user passwords (not directory servers). The password policy is enabled by default and is customizable, optionally a minimum number of characters can be specified along with other controls on what the password should/not contain. Password expiration is disabled by default, but if enabled will force users to reset their password after the specified time period. To enable password recovery a System Email must be configured and all users must have an email address associated with their account. 
 

Token Security

FME Flow can receive requests from outside a user session through the REST API for example, if you are developing a custom application or through transformation services, for example when you submit a job using a webhook URL or workspace app. 
 
Token Security provides an encrypted string that is passed with the request, bypassing the interactive need to log in to FME Flow. Tokens can be granted a restricted set of permissions, are stored securely, and can be set to expire.
 

Log In Sessions

FME Flow implements functionality that will keep the user session alive for as long as the application is running in the browser. Users should be encouraged to log out of FME Flow when it is not in use.

The System Administrator can disable Multiple Web Sessions. This will restrict users to a single session, forcing FME Flow to log a user out of any previous session opened in another browser. 
 

Authorization

Authorization is the process used to determine what activities a user is permitted to undertake.


Role-Based and User-Based Access

FME Flow includes a role-based control framework, a role is a group of one or more users and this allows System Administrators to grant a set of permissions to a role, and these permissions will then be applied to all users to whom that role is assigned. This is configured in the User Management page of the FME Flow Web UI. Alternatively, permissions can be assigned to the individual user account. Through role/user permissions a person can be granted access to different items and functionality in FME Flow, restricting the tasks that they are able to perform. 
 

Workspace and Data Access

Workspaces are managed in a folder system known as repositories. In FME Flow, via role/user-based access, permissions can be granted to workspaces at the repository level, and include options to download, read, publish, run and remove.

Data can be uploaded to FME Flow: 

  • With the workspace and stored in the same repository 
  • Through the data upload service, in which case it is stored in the TEMP folder
  • Uploaded via the Web UI or REST API into another Resources folder


Data that is stored with the workspace can be used by that workspace only and the same repository level permissions apply as above. Data uploaded temporarily is accessible to the user who performs this action. The System Administrator can grant varying permissions to all folders in Resources, including read and download, list, write, upload and remove. Users can also share resource folders they create with other roles/users via the Web UI. 

If a workspace is referencing a file stored in a network-based resource outside of FME Flow’s System Share read/write access is not controlled by the user/role, instead, the service account running the FME Flow Web Application, Core and Engine Service must have read/write permissions to this file path. 
 

Password Encryption 

System user account passwords and tokens along with other passwords stored in FME Flow, such as web/database connections and workspace published parameters, are encrypted and stored in the system database. The FME Flow database password specified in the installer is encrypted by default and stored in the fmeDatabaseConfig.txt.
 
The key used for encryption can be configured in the FME Server Web UI under System Configuration > Security > System Encryption. Enabling restricted mode will create a key that is unique to your FME Flow installation. Passwords stored in the system database will be automatically re-encrypted but you must manually re-encrypt the database password.
 
If you choose to connect and import users from a Directory Server, these user passwords are not stored on FME Flow and reside with the LDAP Server / Identity Provider.
 

Web Application Security

FME Flow is shipped with a third-party Web Application Server, the version shipped with each FME Flow release can be found here. Optionally, you can provide your own Web Application Server
 
By default, FME Flow uses standard HTTP* requests and responses. FME Flow can be configured to use the HTTPS protocol using customer-supplied certificates to encrypt communication between the client and FME Flow. 
 
*FME Flow Hosted (formerly FME Cloud) and containerized FME Flow deployments are configured for HTTPS by default with a certificate provided during the installation. 
 

Risk Assessments

FME Flow undergoes regular penetration and security assessments. If your organization has conducted a security scan that has reported a vulnerability or you have any other security concerns, please submit a case to Safe Software Support
 

Other Resources

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.