Re: Permissions Keep Changing

Janet,
I believe Joan Wild told you, in another thread, that you should NOT be
attempting to do anything with permissions to System tables. That is a
dangerous practice.

--
Lynn Trapp
MS Access MVP
www.ltcomputerdesigns.com
Access Security: www.ltcomputerdesigns.com/Security.htm
Jeff Conrad's Big List: www.ltcomputerdesigns.com/JCReferences.html


"Janet" <Janet@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7546F480-7363-4AE8-92EC-A72EAD5FB736@xxxxxxxxxxxxxxxx
> About a year ago, I set up User Level Security per some step-by-step
> instructions I found from the internet. I set up different groups with
> different permission levels, and assigned each user (we have about 90
> users)
> to the appropriate group. I then removed the Admin user from the Admins
> group, placed Admin in the Users group, assigned a password to the Admin
> user, as well. I then eliminated all permissions from the Users group.
> This
> seemed to work out well. All users have been getting the correct access,
> no
> problems.
>
> There are only 2 persons with permissions to do everything in the database
> (design, delete records, and modify permissions) -- myself and the IT
> Director. No one knows anyone else's passwords because I have a button
> where
> the users changes his/her password as often as they like to whatever they
> like. I don't have the IT Director's password, and she doesn't have
> mine --
> so there is no password sharing.
>
> No one (except IT Director and myself) can delete any data from the
> database. There is a frontend and backend, and data can only be deleted
> from
> the backend tables.
>
> Recently, there have been some odd things happening with the data --
> mainly
> records disappearing. I have audit tables, too, and when the records
> disappear, all related insert/modify records in the audit table disappear
> as
> well. Kinda looked like someone deleted records, then deleted any
> evidence
> the records were there. BUT, the evidence that the records was there
> because
> there was still related data in other tables, once connected to the client
> id
> that had been deleted.
>
> I was puzzled by the fact that records were being deleted when no one had
> permission to do so except myself and the IT Dir. Neither of us were
> doing
> this. I looked at the permissions, and it had all been changed, where
> most
> of the groups had permission to delete records. AND -- ALL the User group
> permissions (that I so carefully removed a year ago) had been restored.
>
> I fixed all the permissions the way they were supposed to be, and
> eliminated
> all permissions from the Users group. Records continued to be deleted. I
> checked the permissions again, and the Users group had again been
> restored.
> I removed permissions from that group again. Records still were being
> deleted.
>
> I looked at the hidden system tables, and saw that the Users group had
> full
> permissions for all of the System tables, so I deleted permissions from
> the
> Users group for the system tables. I had to GIVE "read" permission to all
> of
> the groups for the MSysAccessObjects, MSysObjects, and MSysQueries tables
> in
> order for staff to use the database.
>
> The reason I did this is because a couple of months ago, one of our staff
> suddenly couldn't open the database. When I watched her try to open it,
> her
> computer attempted to bypass the login screen to open the database
> directly,
> but instead she got an error message saying something like she didn't have
> design permissions for MSysAccessObjects -- and she could not get in. One
> of
> the IT people found something from Microsoft about how hackers try to use
> the
> Admin user to get in the database, like a "backdoor" entrance -- so I
> thought
> there might have been some vb code on her computer that was attempting to
> bypass the login and go straight into the computer as the Admin user, but
> failed because I had the Admin user disabled in the Users group. IT
> worked
> on this person's computer for a long time, could NEVER get it to be able
> to
> open an access database, and finally had to trash it. It wasn't just a
> simple matter of not being connected to the wrong workgroup, it wouldn't
> open
> any database due to "you don't have design permissions for
> MSysAccessObject"
> (or something to that effect). So, when I saw the Users group having
> permission to MSysAccessObject (knowing that the Admin user is part of the
> Users group), I removed all permissions to the system tables from the
> Users
> group.
>
> A week later, the Users group had permissions restored to the system
> tables,
> and it was removed from all the other groups. I removed permissions for
> System tables from Users group, and restored it for the staff groups. A
> day
> later, Users group had System table permissions again (that was
> yesterday),
> so I removed again. So far, today, Users group does not have any
> permissions
> to the systems table, but I keep checking throughout the day.
>
> The IT Dir has been on vacation all week, and we both changed our
> passwords
> just before she left. If someone is getting into the database on one of
> our
> passwords, how could they get the password since we don't share with
> anyone?
> Or, does Access automatically restore permissions to the Users group for
> system tables after a day or so? If so or if not, how could records get
> deleted when only the IT dir and myself have delete permissions (and she
> is
> on vacation)? And how could all the other group permissions for delete get
> restored when I painstakingly removed delete permissions a year ago to all
> the tables? I'm stumped and not quite sure which way to proceed to get
> this
> database secured.
>
> Oh, I disabled the shift+enter key bypass on both front and backends. I
> also unchecked all the boxes in the startup menu except for the db to open
> to
> the main menu. I also password-protected all the modules. Does anyone
> understand what's going on and/or how to fix it?
>
> All advice greatly appreciated.


.

Loading