Re: Permissions Keep Changing



During the interim (this past weekend) the "User Group" permissions were
changed again on both front end and back ends to include ALL permissions for
MSysAccessObjects system table. The change also included removing "read"
permission to other groups for this system table. Several times, I have
removed all permissions from the Users group, including system table
permissions. To enable my other groups to use the database, I had to give to
these groups "read" permission for the MSysAccessObjects system table.
Several times, this has gotten changed back where Users group gets full
permissions to MSysAccessObjects table and my created groups get the "read"
permission to this system table removed. So, last Friday, I removed all
permissions from Users group to the MSysAccessObjects table, giving "read"
permission to my created groups to this system table. On Monday when I
returned, Users group again has FULL permissions to MSysAccessObjects, and my
created groups had their "read" permission removed. I don't know how this is
happening -- someone doing it? Access doing it automatically? I have not
changed it again. I have left it where the Users group has full permissions
to the system table, but am not comfortable with it -- but haven't changed it
back since I'm getting so much flak for messing with the system tables. But
my question is: how does this keep changing back over the weekend, when I do
NOTHING to the database over the weekend (am not even here) -- but other
users are here on the weekend....

"TC" wrote:

>
> Janet wrote:
>
> > Well, TC, the people who didn't know what they were talking about were
> > Microsoft, as I had read that in an article from Microsoft.
>
> Sorry, my reply was probably not very clear. You said that someone had
> told you that "hackers can try to use the Admin user to get in the
> database, like a backdoor entrance". I really only meant to say: "This
> is not possible, if the database has been properly secured." Somehow,
> that came out as: "&*$$% *&%^$# $#@# !!!" :-)
>
>
> > I got the DB in a known state (again), and the permissions changed again
> > over the weekend. I have no idea of "who did what in the period in between"
> > which is WHY I am posting to this newsgroup. I am trying to find out "what
> > is happening" to cause my permissions to change.
>
> Ok, so now we have a known state, to take this further. You did not do
> /anything/ such as adding or deleting users, or changing user
> permissions yourself, or joining different workgroup files, in the
> interim period - right?
>
>
> > Oh well, it doesn't seem that anyone there really has any idea of what to do
> > to solve this issue, so I won't take up your time with any more of this.
> > Thanks for trying, though. :-)
>
> Sure we can solve it! But we need to go step by step, not changing
> /anything/ unless that is discussed "up front". With respect, your
> previous attempts were not a success, because you kept making changes
> that just caused more problems.
>
> So, if both of us have the patience to follow this through, let's get
> going!
>
> I apologise if these questions have been answered before, but I'd like
> to get the info. afresh, not go back through all the previous posts.
>
> 1. Is your db split into a front-end/back end structure?

YES, I have a back with data and a front with forms, queries, etc.

> 2. Is there one BE, stored on a central server? If not, what?

There is one BE and one FE, both stored on a network drive.

> 3. Does each user of the FE have a separate copy of the FE, on their
> PC? If not, what?

NO. There is one FE on a network drive that all users have access to. I have
to upgrade the db at least weekly, so it would be impossible to go around and
upgrade each person's desktop version since there are about 80 different
persons who could be using this database (though usually only about 10 people
are in it at one time).

> 4. Are you using a single workgroup file, stored on the central server?
> If not, what?

YES, a single workgroup file stored on a central server.

> 5. Does each user start the system via a shortcut of the following form
> (all on one line):
>
> "full path to msaccess.exe"
> "full path to FE on user's PC"
> /wrkgrp "full path to wgf on server"

NO -- Each user simply has a shortcut icon on their desktop, from
right-clicking the front-end file, and choosing "Send to Desktop as
Shortcut."

> 6. Do any users start the system by double-clicking a database file
> (ie. not using a shortcut)?

Probably so - thinking about my answer to #5 above -- but it's a shortcut to
the file, not the file itself. Does that matter?

> 7. Does any user use the workgroup administrator program manually?

I do, and the IT Director could if she wanted (though she says she doesn't).
I have the FE set up so that the tools menu is not in the Startup options so
regular users can't click Tools, Security, Workgroup Administrator, and I
have the shift+enter key disabled, so they can't get to it that way. Is this
what you mean?

> 8. How /exactly/ are you checking what permissions a given user has?
> IOW, how do you know /for sure/, that someone's permissions have
> changed?

I open the db, go to tools/security/permissions and look at each group and
what permissions are set for what tables/forms/queries/macros, etc.

> Janet, believe me: if you follow this through in a disciplined way, I
> have no doubt that I can fix your problem! [takes deep breath at
> foolish commitment]

No foolish commitment here -- this is my job and I want to keep it -- not by
letting the db security be compromised either by my ignorance or malicious
intent by some user or hacker.
>
> Note that I can only get one session on the net, per day. Please take
> that into account, when you check for replies.
>
> Cheers,
> TC
>
Thank you so much TC, and I will hang in here and learn what I can from you.
Just so you will know, I am mostly self-taught in Access over the past 5
years -- have taken a couple of one-day seminars, but found I already knew
what was being taught (and more) -- though self-learning has its drawbacks
because some things are missed that are critical. Thanks again and will
watch for your reply.