FME Flow Best Practices Guide for IT Ops and Flow Admins

Liz Sanderson

Introduction

After installing FME Flow (formerly FME Server), there are some additional steps to perform to enhance security and ensure that FME Flow is being used to its full potential. The following is a list of actions to perform and links to the documentation that details how to perform these actions. If you have any questions along the way, contact Safe Software Support. This list is available as a printable checklist.

In 2023, FME Server underwent a name change and is now known as FME Flow. Since this article discusses features present in previous versions of FME, it will refer to both names interchangeably, using the appropriate product name based on the year the feature was introduced. For more information on the rebranding, see our website.
 

Passwords

Change the ‘admin’ user password immediately after installing: As of FME Server 2019.0, the admin password is automatically set to admin at the time of installation. You will be prompted to change the password after installation before being able to log in. See the Changing the Login Password and Default User Accounts and Passwords documentation. Note: It is important to double-check your admin password security and change it often.

 

Enable Reset Password: As of FME Server 2018.0, the admin can grant users the option to reset their passwords if they were forgotten. This option also allows the admin to create accounts for everyone and then have the user set up their new password when they first log in by clicking on the Forgot Password button. Reset Password documentation.

 

Enable Password Policy: As of FME Server 2019.0, the admin can enable a password policy to force users to create more secure passwords, such as the password requiring mixed case, and/or numbers and special characters. Password Policy documentation. As of FME Server 2020.0, this is enabled by default, but can be disabled.

 

Enable Password Expiry: As of FME Server 2020.0, the admin can enable password expiration for any number of days. As of FME Server 2020.1, there is now a warning icon on the Users page indicating that the user’s password needs to be changed. Password Expiration documentation.

Enable Password Reuse: As of FME Server 2022.1, the admin can prevent passwords from being reused within a certain number of password changes. Password Reuse documentation.

 

Change the Database Password: As of FME Server 2021.0, during installation, the admin will be prompted to set the password for the FME Flow / FME Server Database. For older versions of FME Server, we recommend updating the password for the FME Server Database following installation. If the password is not updated, a user with knowledge of the default settings for connecting to the FME Server Database may log in and make changes. For instructions on how to update the password, see the Install FME Server: Express Installation for Windows documentation.

 

Accounts and Roles

Role-Based and User-Based Account Access: Once FME Flow is installed, it is important to set up who has access to what. The admin can create roles with various permissions and assign users to each role for quick control over security. It is a good idea to regularly audit roles to ensure the users still have the appropriate access. Role-Based and User-Based Account Access documentation and Role- and User-Based Access course manual.

 

Configure Directory Servers (and Import Users/Groups): As of FME Server 2021.0, Active Directory and Generic Directory can be configured under Directory Servers. Active Directory can be set up to allow users to use the same credentials on FME Server as they use to sign on to their computer. It also allows for quick role assignment on FME Server as the roles can be imported from Windows. Directory Servers, Active Directory, and Troubleshooting Active Directory Configurations documentation.

 

Configure Windows Services Account: Optional step if setting up Active Directory; this allows Windows users to sign on to FME Flow using the Windows Credentials button. Additionally, setting this up would provide FME Flow Core and Engines access to network locations. Configuring Integrated Windows Authentication and Running the FME Flow System Services Under Different Accounts (Windows) documentation.

 

Disable Multiple Web Sessions: As of FME Server 2020.0, the admin can disable multiple web sessions for each user. When a user is logged into one browser and then logs in to a second browser, the first one will be logged out. This restricts the user from running multiple FME Server sessions simultaneously. Multiple web sessions are enabled by default and can be disabled in the General System Configuration settings. Multiple Web Sessions documentation.

 

Disabled Default Accounts: As of FME Server 2020.0, the Author, Guest, and User default accounts are disabled with a new installation. These can be enabled under User Management. Users documentation.


Enable Workspace Viewer Permission: As of FME Flow 2023.0, this feature has been deprecated and is no longer available; workspaces will need to be viewed in FME Form (formerly FME Desktop). As of FME Server 2022.0, new users will not be granted permissions to see the Workspace Viewer; this functionality will need to be enabled by the superuser/admin role. Current users who are upgrading will not see their permissions revoked. Workspace Viewer Deprecation article. 


Configure SAML Authentication: As of FME Server 2022.0, SAML authentication can be enabled for users to log into FME Server in addition to system accounts. SAML Configuration documentation. 

Review Account and Group Permissions: In Linux installations, the installer creates an fmeserver user account and group. The system administrator should adjust the permissions to a ‘least privileged’ set as needed for their workflows and business rules. For information regarding Windows operating systems, see Running the FME Flow System Services Under Different Accounts.

 

Security and Sharing

Set System Encryption to ‘Restricted’ (and Download Key): FME Flow encrypts sensitive data in the FME Flow Database and passwords of FME Flow configuration backups. By default, this encryption is managed using an encryption key that is common to any FME Flow installation. You may wish to enhance encryption security by generating your own custom encryption keys, which you can apply on a rotating basis. System Encryption documentation.

 

Configure HTTPS/SSL: HTTPS ensures that communication between the client and server is encrypted so that if it is intercepted, the third party cannot easily view or use the information. Configuring for HTTPS documentation or Configuring FME Server for HTTPS article.

 

Configure CORS: Cross-Origin Resource Sharing allows the admin to specify websites hosted on other domains that can access resources from FME Flow through AJAX requests. Since FME Server 2017.0, CORS is set to open (Allow All) by default. Cross-Origin Resource Sharing documentation.
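One way to check whether an instance still answers with an open CORS policy is to send a request carrying an unlisted Origin and classify the response headers. The following is an added example, not Safe Software code; the probe origin, the sample header sets and the assumption that an Allow All policy appears as a wildcard or a reflected origin are all constructed for illustration.

```python
from urllib.request import Request, urlopen

PROBE_ORIGIN = "https://cors-probe.example"  # constructed origin, on no allowlist


def classify_cors(headers, probe_origin=PROBE_ORIGIN):
    """Classify the CORS policy seen in one response to a request that sent
    `Origin: probe_origin`. Returns 'open', 'reflected', 'allowlisted' or 'none'."""
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    allow = h.get("access-control-allow-origin")
    if allow is None:
        return "none"          # no cross-origin reads granted
    if allow == "*":
        return "open"          # wildcard: any site may read responses
    if allow.lower() == probe_origin.lower():
        return "reflected"     # echoes an unlisted Origin: at least as permissive as '*'
    return "allowlisted"       # a fixed origin that is not the probe


def fetch_headers(url, probe_origin=PROBE_ORIGIN, timeout=10):
    """Send one GET with the probe Origin to your own server and return the
    response headers. `url` is supplied by the caller; no path is assumed."""
    req = Request(url, headers={"Origin": probe_origin})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def audit(samples):
    """Map each named header set to (classification, needs_review)."""
    report = {}
    for name, headers in samples.items():
        verdict = classify_cors(headers)
        report[name] = (verdict, verdict in ("open", "reflected"))
    return report


# Constructed response headers, not captured from a real FME Flow instance.
SAMPLES = {
    "allow-all": {"Access-Control-Allow-Origin": "*"},
    "echo-origin": {"access-control-allow-origin": PROBE_ORIGIN,
                    "Access-Control-Allow-Credentials": "true"},
    "restricted": {"Access-Control-Allow-Origin": "https://maps.example.org"},
    "no-cors": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, (verdict, needs_review) in audit(SAMPLES).items():
        print(f"{name:12} {verdict:12} {'REVIEW' if needs_review else 'ok'}")
```

To test a live server, pass the result of `fetch_headers(url)` to `classify_cors`; anything reported as open or reflected should be narrowed to the specific origins that need access.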

 

Configure Proxy: FME Flow can be connected to a proxy server on your organization’s network to connect to external servers without compromising the security of the internal network. As of FME Server 2020.1, the proxy can be configured to use wildcards and exceptions. Using FME Flow with a Proxy Server documentation.

Configure Reverse Proxy: FME Flow can be connected to a reverse proxy server, which is an intermediary server that forwards client requests from the internet/intranet to a private server that fulfills the requests. Use a Reverse Proxy with FME Flow article.

 

Encrypt Database Password: As of FME 2021.0, the FME Server Database password is only stored in a new fmeDatabaseConfig.txt and the password is encrypted by default. In older versions of FME Server, the FME Server Database password stored in the configuration files fmeCommonConfig.txt and fmeServerWebApplicationConfig.txt is not encrypted. Encrypting the FME Server Database Password documentation.

 

Database and Web Connections: Access to database and web connections can be controlled by modifying the permissions for each user or role. Connections should be audited regularly to maintain security. Connections documentation.

 

Create Broadcast Messages: As of FME Server 2020.0, the admin can create broadcast messages to be displayed for all users. In addition, the admin can also dismiss broadcast messages created by Safe Software. Broadcast Messages documentation.

 

FME Flow Optimization

Configure System Email: Before the FME Flow system email can be used, it needs to be configured. This email will be used for sending emails about system events and password resets. System Email documentation.
 

Enable System Event Email Notifications: Enable this to receive emails when certain System Events take place. At a minimum, we’d recommend setting up notifications for “License About to Expire” and, if you use Dynamic Engines, “Low Credits” to ensure you are never without engines in a production environment. There are additional System Events for which email notifications can be enabled; it is best to review them for your environment. System Events documentation.
 

Enable Version Control: Version control allows access to previous versions of repository files. Optionally, version control can be set up to store to an external Git repository. Version control is not enabled at installation and must be configured manually by an FME Flow admin. Version Control documentation.

 

Enable Queue Control: As of FME Server 2021.0, FME Server Engines can be set up with job queues, job routing rules, and engine assignment rules, which can help prioritize certain jobs or repositories to use different engines. This can be set up at the beginning or later on once job backlogs have been determined. Queue Control documentation.

 

Review Scheduled Cleanup Tasks: FME Flow will automatically clean up old logs, system event history, and expired session tokens. Review these settings to ensure that they correspond with your organization’s data policy and are kept for the correct amount of time. If FME Flow runs out of space, these files can be backed up externally. Scheduled Cleanups documentation.

 

Set Up Backup Schedule: It is a good idea to establish a regular backup schedule of the FME Flow configuration. This can be done manually, but it can also be created as a scheduled task. Performing a Scheduled Backup of an FME Flow Configuration documentation.

 

Data Published to Repositories: As of FME Server 2020.1, on the repository/workspaces page, all the data uploaded with the workspace can now be seen and managed. Manage Workspaces documentation.

 

View All Scheduled Automations: As of FME Server 2020.1, all automations that are triggered by a schedule can now be viewed on the Schedules page by clicking on the Show Automations button. This is only available to the superuser role. Schedules documentation.
