Introduction
After installing FME Flow (formerly FME Server), there are some additional steps to perform to enhance security and ensure that FME Flow is being used to its full potential. The following is a list of actions to perform and links to the documentation that details how to perform these actions. If you have any questions along the way, contact Safe Software Support. This list is available as a printable checklist.
In 2023, FME Server underwent a name change and is now known as FME Flow. Since this article discusses features present in previous versions of FME, it will refer to both names interchangeably, using the appropriate product name based on the year the feature was introduced. For more information on the rebranding, see our website.
Passwords
Change the ‘admin’ user password immediately after installing: As of 2019.0, the admin password is automatically set to admin at the time of installation. You will be prompted to change the password after installation before being able to log in. Changing the Login Password and Default User Accounts and Passwords documentation. Note: It is important to double-check your admin password security and change it often.
Enable Reset Password: As of 2018.0, the admin can grant users the option to reset their passwords if they were forgotten. This option also allows the admin to create accounts for everyone and then have the user set up their new password when they first log in by clicking on the Forgot Password button. Reset Password documentation.
Enable Password Policy: As of 2019.0, the admin can enable a password policy to force users to create more secure passwords, such as the password requiring mixed case, and/or numbers and special characters. Password Policy documentation. As of 2020.0, this is enabled by default, but can be disabled.
Enable Password Expiry: As of 2020.0, the admin can enable password expiration for any number of days. As of 2020.1, there is now a warning icon on the Users page indicating that the user’s password needs to be changed. Password Expiration documentation.
Enable Password Reuse: As of 2022.1, the admin can prevent passwords from being reused within a certain number of password changes. Password Reuse documentation.
Change the Database Password: As of 2021.0, during installation, the admin will be prompted to set the password for the FME Flow / FME Server Database. For older versions of FME Server, we recommend updating the password for the FME Server Database following installation. If the password is not updated, a user with knowledge of the default settings for connecting to the FME Server Database may log in and make changes. For instructions on how to update the password, see the Install FME Flow: Express Installation for Windows documentation.
Accounts and Roles
Role-Based and User-Based Account Access: Once FME Flow is installed, it is important to set up who has access to what. The admin can create roles with various permissions and assign users to each role for quick control over security. It is a good idea to regularly audit roles to ensure the users still have the appropriate access. Role-Based and User-Based Account Access documentation.
Configure Directory Servers (and Import Users/Groups): As of 2021.0, Active Directory and Generic Directory can be configured under Directory Servers. Active Directory can be set up to allow users to use the same credentials on FME Flow as they use to sign on to their computer. It also allows for quick role assignment on FME Flow as the roles can be imported from Windows. Directory Servers, Azure Active Directory, and Troubleshooting Active Directory Configurations documentation.
Configure Windows Services Account: Optional step if setting up Active Directory; this allows Windows users to sign on to FME Flow using the Windows Credentials button. Additionally, setting this up would provide FME Flow Core and Engines access to network locations. Configuring Integrated Windows Authentication and Running the FME Flow System Services Under Different Accounts (Windows) documentation.
Disable Multiple Web Sessions: As of 2020.0, the admin can disable multiple web sessions for each user. When a user is logged into one browser and then logs in to a second browser, the first one will be logged out. This restricts the user from running multiple FME Flow sessions simultaneously. Multiple web sessions are enabled by default and can be disabled in the General System Configuration settings. Multiple Web Sessions documentation.
Disabled Default Accounts: As of 2020.0, the Author, Guest, and User default accounts are disabled with a new installation. These can be enabled under User Management. Users documentation.
Configure SAML Authentication: As of 2022.0, SAML authentication can be enabled for users to log into FME Server in addition to system accounts. SAML Configuration documentation.
Review Account and Group Permissions: In Linux installations, the installer creates an fmeserver user account and group. The system administrator should adjust the permissions to a ‘least privileged’ set as needed for their workflows and business rules. For information regarding Windows operating systems, see Running the FME Flow System Services Under Different Accounts.
Security and Sharing
Set System Encryption to ‘Restricted’ (and Download Key): FME Flow encrypts sensitive data in the FME Flow Database and passwords of FME Flow configuration backups. By default, this encryption is managed using an encryption key that is common to any FME Flow installation. You may wish to enhance encryption security by generating your own custom encryption keys, which you can apply on a rotating basis. System Encryption documentation.
Configure HTTPS/SSL: HTTPS ensures that communication between the client and server is encrypted so that if it is intercepted, the third party cannot easily view or use the information. Configuring for HTTPS documentation or Configuring FME Flow for HTTPS article.
Configure CORS: Cross-Origin Resource Sharing allows the admin to specify websites hosted on other domains that can access resources from FME Flow through AJAX requests. Since 2017.0, CORS is set to open (Allow All) by default. Cross-Origin Resource Sharing documentation.
Configure Proxy: FME Flow can be connected to a proxy server on your organization’s network to connect to external servers without compromising the security of the internal network. As of 2020.1, the proxy can be configured to use wildcards and exceptions. Using FME Flow with a Proxy Server documentation.
Configure Reverse Proxy: FME Flow can be connected to a reverse proxy server, which is an intermediary server that forwards client requests from the internet/intranet to a private server that fulfills the requests. Use a Reverse Proxy with FME Flow article.
Encrypt Database Password: As of 2021.0, the FME Flow Database password is only stored in a new fmeDatabaseConfig.txt and the password is encrypted by default. In older versions of FME Server, the password for the FME Server Database that is stored in the configuration files fmeCommonConfig.txt and fmeServerWebApplicationConfig.txt is not encrypted. Encrypting the FME Flow Database Password documentation.
Database and Web Connections: Access to database and web connections can be controlled by modifying the permissions for each user or role. Connections should be audited regularly to maintain security. Web connections and Database connections documentation.
Create Broadcast Messages: As of 2020.0, the admin can create broadcast messages to be displayed for all users. In addition, the admin can also dismiss broadcast messages created by Safe Software. Broadcast Messages documentation.
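For the Configure CORS item above, one way to confirm that the setting is no longer Allow All is to classify the headers that a request from an unlisted origin gets back. This is an added example, not Safe Software's code; the origins, header samples and function names are constructed, and it assumes the setting surfaces through the standard Access-Control-Allow-Origin response header.

```python
# Added example: headers below are constructed samples, not captured from FME Flow.
PROBE_ORIGIN = "https://untrusted.example"  # hypothetical origin on no allow list


def classify_cors(headers, allowed=(), probe_origin=PROBE_ORIGIN):
    """Classify the response to a request sent with 'Origin: probe_origin'.

    Returns (verdict, reason); verdict is 'open', 'restricted' or 'review'.
    """
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return "restricted", "no Access-Control-Allow-Origin for the probe origin"
    if acao == "*":
        return "open", "wildcard: any site can read responses"
    if acao == probe_origin and probe_origin not in allowed:
        detail = " with credentials" if creds else ""
        return "open", "server echoes an unlisted origin" + detail
    if acao in allowed:
        return "restricted", "origin is on the expected allow list"
    return "review", "origin %r is not on the expected allow list" % acao


def audit(samples, allowed=()):
    """Map each sample name to its verdict."""
    return {name: classify_cors(hdrs, allowed)[0] for name, hdrs in samples.items()}


# Constructed responses to the same probe request under four configurations.
SAMPLES = {
    "allow_all": {"Access-Control-Allow-Origin": "*"},
    "echoed": {"Access-Control-Allow-Origin": PROBE_ORIGIN,
               "Access-Control-Allow-Credentials": "true"},
    "pinned": {"access-control-allow-origin": "https://portal.example.org"},
    "no_cors": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, *classify_cors(hdrs, allowed=("https://portal.example.org",)))
```

A "review" verdict means the server names a fixed origin that is missing from the list passed as allowed, which usually points to a stale entry worth auditing.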
FME Flow Optimization
Configure System Email: Before the FME Flow system email can be used, it needs to be configured. This email will be used for sending emails about system events and password resets. System Email documentation.
Enable System Event Email Notifications: Enable this to receive emails when certain System Events take place. At a minimum, we’d recommend setting up notifications for “License About to Expire” and, if you use Dynamic Engines, “Low Credits” to ensure you are never without engines in a production environment. Email notifications can be enabled for additional System Events; it is best to review them for your environment. System Events documentation.
Enable Version Control: Version control allows access to previous versions of repository files. Optionally, version control can be set up to store to an external Git repository. Version control is not enabled at installation and must be configured manually by an FME Flow admin. Version Control documentation.
Enable Queue Control: As of 2021.0, FME Flow Engines can be set up with job queues, job routing rules, and engine assignment rules, which can help prioritize certain jobs or repositories to use different engines. This can be set up at the beginning or later on once job backlogs have been determined. Queue Control documentation.
Review Scheduled Cleanup Tasks: FME Flow will automatically clean up old logs, system event history, and expired session tokens. Review these settings to ensure that they correspond with your organization’s data policy and are kept for the correct amount of time. If FME Flow runs out of space, these files can be backed up externally. Scheduled Cleanups documentation.
Set Up Backup Schedule: It is a good idea to establish a regular backup schedule of the FME Flow configuration. This can be done manually, but it can also be created as a scheduled task. Performing a Scheduled Backup of an FME Flow Configuration documentation.
Data Published to Repositories: As of 2020.1, on the repository/workspaces page, all the data uploaded with the workspace can now be seen and managed. Manage Workspaces documentation.
View All Scheduled Automations: As of 2020.1, all automations that are triggered by a schedule can now be viewed on the Schedules page by clicking on the Show Automations button. This is only available to the superuser role. Schedules documentation.