Introduction
FME allows users to set up web connections for a variety of commonly used web services. Web connections store users’ web service credentials for reuse in FME, so a user does not have to manually enter access credentials each time a web service is needed. The Google family of web services is frequently used in FME workflows, and setting up a web connection to a Google service is fairly straightforward.
Restricting user permissions to Google services, however, can be a bit tricky without some guidance. It is important to consider these user permissions when setting up a new Google web service: to prevent inadvertent overwriting of critical resources, users who only require read access to a service should not be granted read/write access.
User permissions for Google web services are called scopes. Thus, user permissions for a Google web service are established by first setting its scope. This article explains how to set the scope of your Google web service so that users can still access the functionality they require while your resources remain protected against inadvertent changes. For demonstration purposes, this article will use a Google Drive web service definition, though other Google web service definitions are available in FME Form.
Step-by-Step Instructions
1. Access FME Options
Open FME Workbench, and access FME Options from the Utilities (FME 2025.1+) or Tools tab.
2. Access the Manage Web Services Dialog
Select Web Connections from the menu on the left, and then select the Manage Services button in the lower-right corner of the Web Connections display.
3. Select the Google Web Service to Restrict
Find the + button at the bottom left of the Manage Web Services dialog, and select the drop-down arrow next to it. Hover over the Create From option, and then select the Google Service whose scope you wish to restrict. For the purposes of this article, the Google Drive web service option will be selected.
4. Name Your Google Web Service
Give this new Google Drive web service definition a meaningful name in the New Web Service (Created from Google Drive) template. This demonstration will add the .metadata.readonly scope to the Google Drive web service definition, so you could name this new web service Google Drive Metadata ReadOnly.
5. Apply a Scope to the Google Web Service
Here, specify the scope of this Google Drive web service. Click the ellipsis next to the URL field under Authorization Parameters to open a text editor containing a long URL.
The URL contained within the text editor is the default URL for a Google Drive web service with the default scope applied, copied below:
https://accounts.google.com/o/oauth2/auth?response_type=code&access_type=offline&approval_prompt=force&scope=https://www.googleapis.com/auth/drive
In this case, the URL ends with /drive, indicating that no restrictions have been applied to this authorization URL. Each Google web service will use a different URL path after /drive, but the general format of the default URL is relatively consistent across all Google web services.
You will set the scope parameter for your Google Drive web service at the end of this default URL. If, for example, you would like users to have read-only access to the metadata of files stored on a Google Drive, you would add .metadata.readonly to the end of the URL as follows:
https://accounts.google.com/o/oauth2/auth?response_type=code&access_type=offline&approval_prompt=force&scope=https://www.googleapis.com/auth/drive.metadata.readonly
From the text editor accessed at the beginning of this step, simply add the .metadata.readonly scope to the end of the default URL text. Select OK once the scope is added.
Google Drive and all other Google web services offer several other scopes for use, as described in the Scopes for Google APIs documentation. A simple search of this document by the Google web service you would like to restrict (Ctrl + F, then enter "Drive" for this example) will direct you to the different scope parameters applicable to your Google web service of interest, and how to correctly append them to the end of the default URL.
However, these scopes must be enabled when you initially register a third-party application with the Google Drive web service. Safe Software only enabled the .metadata.readonly scope during registration with Google Drive, so this scope is the only scope available for restricting the Google Drive web service definition linked with the Safe Software client ID and client secret.
If you would like to take advantage of the other scopes available, you must obtain your own client ID and client secret values from Google by registering FME Form (or FME Flow, if applicable) as a third-party app of Google Drive, under your own Google login credentials. This is done by first logging in to your Google user account and then creating a new project using the Google Developers' Console Library.
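Before saving an edited authorization URL, its scope parameter can be checked against the scopes you intend to allow. The following Python script is an added example, not part of FME or Safe Software's tooling; the function names and the MIXED_URL sample are constructed for illustration, while the other URLs and scope values are the ones shown in this step.

```python
from urllib.parse import urlsplit, parse_qs

# Scope values and URLs below are the ones shown in the article.
DRIVE_FULL = "https://www.googleapis.com/auth/drive"
DRIVE_METADATA_RO = DRIVE_FULL + ".metadata.readonly"
BASE = ("https://accounts.google.com/o/oauth2/auth?response_type=code"
        "&access_type=offline&approval_prompt=force&scope=")
DEFAULT_URL = BASE + DRIVE_FULL
RESTRICTED_URL = BASE + DRIVE_METADATA_RO
# Constructed sample: a second, broader scope added after the restricted one.
MIXED_URL = RESTRICTED_URL + "+" + DRIVE_FULL


def requested_scopes(auth_url):
    """Return the list of scopes an authorization URL asks the user to grant."""
    url = auth_url.strip()
    if any(ch.isspace() for ch in url):
        # A stray space or line break pasted into the editor splits the query
        # string, so the scope parameter may not be read as intended.
        raise ValueError("authorization URL contains whitespace")
    values = parse_qs(urlsplit(url).query).get("scope", [])
    if len(values) != 1:
        raise ValueError("expected exactly one non-empty scope parameter")
    # OAuth 2.0 scope lists are space-delimited; parse_qs turns '+'/%20 into spaces.
    return values[0].split()


def excess_scopes(auth_url, allowed):
    """Return requested scopes that are not in the allowed set."""
    return [s for s in requested_scopes(auth_url) if s not in allowed]


if __name__ == "__main__":
    allowed = {DRIVE_METADATA_RO}
    for name, url in [("default", DEFAULT_URL), ("restricted", RESTRICTED_URL),
                      ("mixed", MIXED_URL)]:
        extra = excess_scopes(url, allowed)
        print(name, "OK" if not extra else "too broad: " + ", ".join(extra))
```

An empty result from excess_scopes means the URL requests nothing beyond the allowed set; the consent screen in step 7 remains the authoritative confirmation of what is actually granted.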
6. Create the New Web Service Connection for Your Restricted Google Web Service
Once the URL is formatted correctly for the required scope, select Apply, then Close to return to the main Web Connections view in FME Options. Now you can create a web connection using your newly established, restricted Google Drive web service. To create this new web connection, click on the + button beneath the Connections table.
In the Web Service field of the dialog that opens, select your new web service (in this example, Google Drive Metadata ReadOnly). Name your new connection and select Authenticate.
7. Verify Restrictions Have Been Applied
Verify in the resulting authentication window that the scope is restricted as expected.
8. Apply the New Web Connection
Use your new Google web connection in FME just as you would any other web connection.
FME does not restrict access to web connections based on their scope or permissions, so it is possible for your connection to be chosen even though the resulting call within a workspace will fail. For example, if you create a read-only Google Drive web connection, your connection will be available within the GoogleDriveConnector transformer even if the ‘upload’ option is selected. In this case, the translation will fail at runtime due to insufficient permissions.