Peter Baanen, Mar 21, 2020, Troi Plugins blog

Source: https://www.troi.com/additional/how-to-investigate-access-privileges-of-plug-ins-and-filemaker/

With macOS 10.14 Mojave Apple added new (and more strict) security measures, which may cause some functions of the Troi File Plug-in to return an error. Some FileMaker script steps that worked before, will now return error code $$-5000, which is error afpAccessDenied (User does not have the correct access to the file). You can get this error on Mojave or Catalina for example when you use the TrFile_CreateFile function.

Reasons for access denied errors

There might be several reasons that you get access denied errors. It might have to do with the more strict System Integrity Protection of macOS. Below we look in detail which access privileges a file or folder has.

How to investigate the access privileges

There might be several reasons you get access denied errors. It might have to do with System Integrity Protection of macOS. To further troubleshoot problems with creating file or modifying data, it is helpful to get detailed information.

We assume here that you want to create a zip file (with the Create Zip step) on an external disk called ExternalHD, and that a $$-5000 is returned. We are going to investigate the access privileges that you have.

Get Info

First step is to investigate with the Get Info command:

Get Info window

In this case we see that user system and group admin has full access (read and write).

More info with the terminal

Now open the Terminal app, which is located in the /Applications/Utilities folder.

In the Terminal now type these commands.

First go to /Volumes:
cd /Volumes

Then list the privileges of the Volumes (disks):
ls -al

This will for example return:
drwxr-xr-x+ 4 root wheel 128 Mar 21 13:07 . drwxr-xr-x@ 33 root wheel 1056 Feb 21 11:12 .. lrwxr-xr-x 1 root wheel 1 Mar 21 11:22 MacHD -> / drwxrwxr-x+ 15 root admin 578 Jan 22 2020 AnotherHD drwxrwxr-x@ 15 root admin 578 Dec 22 2018 ExternalHD

The last line is the External disk. “drwxrwxr-x@” indicates that it is a directory, the owner and group have read/write/execute privileges. Everyone else has read and execute privileges. Note that the @ in the last line indicates that this folder has extended attributes set.

Then get a list of ACL (Access Control List) privileges:

ls -le
This will for example return lines like this:
drwxr-xr-x+ 4 root wheel 128 Jan 22 2020 AnotherHD 0: group:everyone deny add_file,add_subdirectory,directory_inherit,only_inherit

Then you can get a list of extended privileges:

ls -l@

Which might return lines like this:
drwxrwxr-x@ 15 root admin 578 Dec 22 2018 ExternalHD com.apple.FinderInfo 32

When creating files or folders the user that runs FileMaker need to have write access. The commands above should help determine if that is the case.

We hope this helps with troubleshooting access denied errors.  If this does not fix it we might ask you to send the output of the terminal to us in an email.

How to fix access denied errors with Troi File Plug-in and FileMaker running on Mojave or later

Source: https://www.troi.com/additional/access-denied-errors-on-mojave/
July 22, 2019

With macOS 10.14 Mojave Apple added new (and more strict) security measures, which may cause some functions of the Troi File Plug-in to return an error. Some FileMaker script steps that worked before, will now return error code $$-5000, which is error afpAccessDenied (User does not have the correct access to the file). You can get this error on Mojave for example when you use the TrFile_CreateFile function.

Note the steps below are shown with macOS 10.14 (Mojave). But these steps can also fix it for later macOS version like macOS 10.15 (Catalina).

System Integrity Protection may cause the $$-5000 error

The reason for this error is that the System Integrity Protection feature, usually referred to as SIP, prevents access to more folders than before. System Integrity Protection is a security feature built into the macOS operating system that’s designed to protect system locations and processes from being written to, modified, or replaced.

For example, if you want your script to write in to a folder of Mail in the users Library, this script would work before Mojave and return without an error (error code zero):

Set Variable [$Filepath ; "filemac:/macHD/Users/user/Library/Mail/V6/MailData/test.txt" ]
Set Variable [$ErrorCode ; TrFile_CreateFile( "-Unused "; $Filepath) ]

However when you try to run this script on Mojave you will get an error: $ErrorCode will be $$-5000.

Affected functionality

The error will only occur if you try to change in a folder or file protected by SIP. This means that you can get the $$-5000 error with any step or function that modifies that folder or file. This will be the case with for example the functions  TrFile_AppendContents, TrFile_CopyFile or TrFile_DeleteFile.
It can also occur with these script steps: Create File, Create Folder, Create Thumbnail, Create Zip, Delete File, Delete Folder or Insert in File.
NOTE the error can occur in other script steps or functions too.

Giving FileMaker Pro Full Disk access

To fix this problem you have to give FileMaker Pro Full Disk Access. You have to do this manually once on your computer:

• Go to System Preferences
• Open the Security & Privacy Preferences pane and select the Privacy tab
• Select Full Disk Access from the list of services

click the image to enlarge

• Click the lock icon in the bottom left corner to unlock the interface
• Enter your macOS administrator password
• Click on the plus and add FileMaker Pro to the list of applications with Full Disk Access, by navigating to the FileMaker Pro app:

click the image to enlarge

• If FileMaker Pro is running you get a warning to quit FileMaker Pro. Click on the Quit Now button.

click the image to enlarge

Now you should no longer get the $$-5000 error when creating or modifying files or folder in SIP protected folders with Troi File Plug-in for FileMaker Pro.