Re: Access: Protect data in tables from copy and export...
From: Adrian Jansen (qqv_at_noqqwhere.com)
Date: 04/20/04
- Next message: BrettsNEWS: "Re: Users and Groups"
- Previous message: Harmannus: "Re: Reservation db"
- In reply to: TC: "Re: Access: Protect data in tables from copy and export..."
- Next in thread: test: "Re: Access: Protect data in tables from copy and export..."
- Reply: test: "Re: Access: Protect data in tables from copy and export..."
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 20 Apr 2004 17:04:04 +1000
Yes, you are correct, as usual.
Somewhere in playing around with the security during testing, I had set read
permissions on the tables for the group I was adding, as well, and that
allowed users in that group to create queries on them. When I removed that
permission, the user could no longer get access, apart from using a RWOP
query owned by someone else.
Fortunately this was only a test version. The production release is secure.
Access security is complex!
--
Regards,

Adrian Jansen
J & K MicroSystems
Microcomputer solutions for industrial control

"TC" <no@email.here> wrote in message news:408486f3$1_3@news.chariot.net.au...
> Erm, I doubt it! :-)
>
> Say that user NO has no direct access to table T, but user YES does have
> access to that table.
>
> User NO will not be able to run this query, under any circumstances, afaik:
> SELECT * FROM T
>
> If you add WITH OWNERACCESS OPTION (or whatever it is), user NO >will< be
> able to run that query, >>but only if the query is owned by user YES - not
> if the query is still owned by user NO<<.
>
> So, adding WITH OWNERACCESS OPTION to a query, is not a sneaky way of
> defeating the access restrictions of the user who owns that query. It is,
> conversely, a way for a higher-level user, to delegate his authority to a
> lower-level user, in a manner completely controlled by the higher-level
> user.
>
> So in our example, when user YES (>>not NO<<) creates the WITH OWNERACCESS
> OPTION query, he is delegating his read authority to table T, to owner NO,
> who does not have that authority directly. User NO is not grabbing that
> authority "out of thin air", as it were.
>
> IMO, the ownership issue is sadly neglected when people discuss these
> queries. They say: "add a WITH OWNER ACCESS OPTION and it will all work!" -
> neglecting that the >ownership< of that query must often be changed as well.
>
> Cheers,
> TC
>
>
> "Adrian Jansen" <qqv@noqqwhere.com> wrote in message
> news:40836bb8$2@duster.adelaide.on.net...
> > Yes, that what I thought too. But I am sure I created a situation where I
> > had a user with only read/write permissions able to create a query and view
> > data in a table ( to which they did not have access ), merely by adding the
> > "With Owner Access" clause to the SQL in the query. I will have to check
> > further.
> >
> > --
> > Regards,
> >
> > Adrian Jansen
> > J & K MicroSystems
> > Microcomputer solutions for industrial control
> >
> > "TC" <no@email.here> wrote in message
> > news:4083300c_4@news.chariot.net.au...
> > > Adrian, I don't follow you there. If a user has "no permissions directly on
> > > the tables", they definitely should not be able to create & run a query on
> > > those tables, no?
> > >
> > > Cheers,
> > > TC
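
The ownership rule discussed in this thread, as an added example that is not part of the original posts and is not Access code: a simplified Python model of the check, usable as an audit of every route by which a user can read a table. The group names `Clerks` and `Admins`, the query names, and all sample data are constructed; the model covers only the rule stated in the thread (a WITH OWNERACCESS OPTION query is checked against its owner's table permissions, any other query against the caller's).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    name: str
    owner: str
    table: str
    owner_access: bool  # True if the SQL carries WITH OWNERACCESS OPTION

def can_read_table(user, table, table_read, groups):
    """Direct read: granted to the user or to any group the user belongs to."""
    principals = {user} | groups.get(user, set())
    return bool(principals & table_read.get(table, set()))

def can_run(user, query, table_read, groups):
    """RWOP queries are checked against the owner, all others against the caller."""
    effective = query.owner if query.owner_access else user
    return can_read_table(effective, query.table, table_read, groups)

def read_paths(user, table, queries, table_read, groups):
    """Audit helper: every route by which `user` can see rows of `table`."""
    paths = []
    if can_read_table(user, table, table_read, groups):
        paths.append("direct")
    for q in queries:
        delegated = q.table == table and q.owner_access and q.owner != user
        if delegated and can_run(user, q, table_read, groups):
            paths.append(f"rwop:{q.name}")
    return paths

# Constructed sample data mirroring the thread's users NO and YES and table T.
GROUPS = {"NO": {"Clerks"}, "YES": {"Admins"}}
TABLE_READ = {"T": {"YES"}}                    # intended setup: only YES reads T
LEAKY_TABLE_READ = {"T": {"YES", "Clerks"}}    # test setup: group also given read
QUERIES = [
    Query("qPlain", "NO", "T", False),       # SELECT * FROM T, owned by NO
    Query("qOwnRWOP", "NO", "T", True),      # RWOP, but still owned by NO
    Query("qDelegated", "YES", "T", True),   # RWOP owned by YES
]

if __name__ == "__main__":
    for label, perms in (("intended", TABLE_READ), ("leaky", LEAKY_TABLE_READ)):
        print(label, read_paths("NO", "T", QUERIES, perms, GROUPS))
```

A `direct` entry for a low-privilege user is the misconfiguration described in the message above; only `rwop:` entries owned by a trusted user should remain.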