FME Flow Administration: User Administration

Richard Mosley
Richard Mosley
  • Updated


After FME Flow has been configured, you can start adding users to your FME Flow. This guide is intended to provide you with all the options and share additional considerations/observations noted from experience by the FME Flow Technical Support team.

​​​​​ Authentication Types

FME Flow has four authentication types. You can use all or one of these types, but a user cannot have more than one authentication type, so multiple accounts will be needed if a user would like to use multiple authentication types.

  1. System Users
  2. LDAP and Integrated Windows Authentication Users
  3. Azure AD Users
  4. SAML Users


System Users

System users are built into FME Flow and are not integrated with external systems. These accounts can be easily migrated from one system (e.g. development to production). FME Flow starts with several default user accounts and roles. All these accounts can be removed; however, we advise you to keep at least one system user with the superuser role to allow access in case one of the authentication services is inaccessible.

LDAP and Integrated Windows Authentication Users

LDAP users are brought in from a local LDAP Server and authenticate with the LDAP server when a user logs on. After you have configured FME Flow for LDAP, you can optionally configure FME Flow for single sign-on by configuring it for Integrated Windows Authentication. Lastly, users can be brought into FME Flow through the import of a specific user or from an import of a role. In the latter, the role will be added to FME Flow roles too.

Azure AD Users

Azure AD integration works similarly to LDAP but authenticates through OIDC protocol with the Azure Tennant. Similar to LDAP, Azure AD users and roles can both be imported into FME Flow.

SAML Users 

SAML authentication can be configured with a variety of identity providers. Safe Software has not tested all identity providers. However, we have some suggested steps for a few of the more common providers. Unlike LDAP and Azure AD authentication, users and roles cannot be imported in bulk. Instead, users are added to a default system role when they log in for the first time. Users will then have to be added manually to the right roles after the initial import.

User and Group Permissions and Ownership

Users can either be the owner of an object or they can be granted permission to access that object. Users can have the ability to share their owned objects with users and groups, or the admin can apply permissions to objects. It's a good idea to have working rules to ensure that users are sharing their owned objects consistently to help manage. Please see the Role-Based and User-Based Access Control for information on owned and granted permissions.

Permissions can be added on a user level; however, in most cases, it's recommended that permissions are set at the role level to allow for easy management of users and resources. You can apply a role template to an Active Directory group role to easily establish FME Flow role permissions to an external group/role.

Token Management

Managing your tokens, especially API tokens, can help ensure you don’t run into expired ones. It's a good idea to set reminders for token expiration and guarantee FME Flow's security. Ensure a token's permissions are configured so that it can be used only for its intended purpose, such as running a particular workspace. For details on Managing Security Tokens, please see the documentation

Password Management

As an administrator, you can control the complexity of the password through password policies, set password expiration, and enable/disable password reuse. Lastly, you can enable password reset to give the option for users to reset their password for system users, not LDAP, SAML, or Azure AD users.

Upgrade and Migration  

All users, groups, tokens, and their associated permissions authentication configurations are included in the backup. Additionally, the authentication configuration will also be restored. Note that when migrating the configuration to a new server that may use a different LDAP Server, you can update the LDAP configuration in FME Flow if the users are the same. If the users have different names or you want to use different authentication types, then you will have to reimport new users and manage the permissions based on adding them to a role or template of a role.

What's Next?

With FME Flow fully configured, learn how to optimize your server and how to vertically or horizontally scale your installation. For further guidance, see FME Flow Administration: Job Scalability and Management

Was this article helpful?



Please sign in to leave a comment.