Re: Advanced Security Issue
- From: "TC" <aatcbbtccctc@xxxxxxxxx>
- Date: 22 Jun 2005 21:00:02 -0700
theriaup wrote:
> I have a secured database and have created 2 mdw's - one for development and
> one for distribution. In the development file, I have created the user
> SuperUser, who has no permissions, but is a member of the Admins group which
> has all permissions (the Admin user has no permissions, and is a member of
> the Users group which has no permissions either).
Sounds good. We have DEV.mdw with user/pid=SuperUser/1234 (say).
> In the second file, which was created separately (different
> Name/Organization info, not just a copy of the first mdw),
> I have created a RemoteUser account, who has permission to
> create new users and maintain groups.
So now we have PROD.mdw with user/pid=RemoteUser/4567.
> But because it has been created separately, there are no users
> capable of modifying permissions on the database.
Your other comments make it clear that you understand how it all works.
So I'm sure you'll agree, on reflection, that the second half of the
above statement does not follow from the first half. You could easily
create a ModifyDesign user in PROD.MDW & explicitly grant him Modify
Design permission to the objects in the database. Be that as it may ...
> However, I discovered that if I recreate the SuperUser with my RemoteUser
> account in the second file with the same PID as the SuperUser in the first
> file, I suddenly have full permissions on the database.
Do you mean, that if you create user/pid=SuperUser/1234 in *PROD*.mdw,
that user then has full permissions to the database?
> It was my understanding that because the original
> SuperUser didn't have permissions, and only
> inherited them through the Admins group, ...
That does match how you say that you set up that user.
> ... and because the Admins group is not a universal group
> (basically, the Admins group in the first file is not the
> same as the Admins group in the second file), ...
That is correct. The Admins group is specific to each unique
combination of company/organization/WID values.
> ... that the second SuperUser wouldn't actually be
> the equivalent of the first SuperUser because it's in
> a different workgroup file with a different Admins group.
No, that is not correct. If two users in different workgroup files have
the exact same username and PID, they are considered to be /identical/
by Access and Jet. (Indeed, they are /indistinguishable/ to Access and
Jet.) For more information on this, google this group for posts from me
(TC) containing the word SID.
> So where is it getting these permissions from?
Um - my bet is, it's getting them from the groups to which it belongs
in *PROD*.mdw !!
Also, as the other respondent said, you need to look at who owns the
various objects. If SuperUser *owns* the objects, then of course, he
will have full access to them.
Note that regardless of common belief, the owner of the database /is
not/ one of the people who always has (or can retrieve) full access to
the database. You can easily create a database in which the owner of
the database /does not/ have full access to one or more of the objects
therein.
> Does the mdb just recognize the SuperUser account and
> apply the original permissions from the first Admins group?
Nice try! But you know the answer. (no)
> Boy I hope this makes sense... :)
Sure does. Keep me posted!
HTH,
TC
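TC's reply boils down to two checks in PROD.mdw: which groups SuperUser belongs to there, and who owns each object and what SuperUser can effectively do to it. The DAO routine below is an added example, not code from the original thread or from either poster; it prints exactly those two things. The file paths, the RemoteUser password and the procedure name are assumptions, and it needs a reference to the Microsoft DAO 3.6 Object Library in the VBA project.

```vb
' Added example (not from the original post). Audits one user's group
' memberships and effective object permissions under a given workgroup file.
' Paths, credentials and the procedure name are assumptions for illustration.
Option Explicit

Public Sub AuditUserAccess(ByVal mdwPath As String, ByVal mdbPath As String, _
                           ByVal loginUser As String, ByVal loginPwd As String, _
                           ByVal targetUser As String)
    Dim ws As DAO.Workspace
    Dim db As DAO.Database
    Dim usr As DAO.User
    Dim grp As DAO.Group
    Dim cn As DAO.Container
    Dim doc As DAO.Document

    ' The workgroup file must be selected before any workspace exists.
    DBEngine.SystemDB = mdwPath
    Set ws = DBEngine.CreateWorkspace("audit", loginUser, loginPwd)
    Set db = ws.OpenDatabase(mdbPath, False, True)   ' shared, read-only

    ' 1. Group memberships as recorded in THIS .mdw. SuperUser/1234 is the
    '    same SID in DEV.mdw and PROD.mdw, but group membership is stored
    '    per workgroup file, so inherited permissions come from here.
    Set usr = ws.Users(targetUser)
    Debug.Print "Groups for " & targetUser & " in " & mdwPath & ":"
    For Each grp In usr.Groups
        Debug.Print "  " & grp.Name
    Next grp

    ' 2. Owner and permissions of every securable object in the .mdb.
    '    Permissions = granted to the user explicitly;
    '    AllPermissions = explicit plus everything inherited via groups.
    '    The Databases container holds one document, MSysDb, for the
    '    database itself.
    Debug.Print "Container", "Object", "Owner", "Explicit", "Effective"
    For Each cn In db.Containers
        For Each doc In cn.Documents
            doc.UserName = targetUser
            Debug.Print cn.Name, doc.Name, doc.Owner, _
                        Hex$(doc.Permissions), Hex$(doc.AllPermissions), _
                        IIf((doc.AllPermissions And dbSecFullAccess) = dbSecFullAccess, _
                            "FULL", "")
        Next doc
    Next cn

    db.Close
    ws.Close
End Sub

' Example call (assumed paths and password):
' AuditUserAccess "C:\app\PROD.mdw", "C:\app\app.mdb", "RemoteUser", "secret", "SuperUser"
```

Run it once logged in through PROD.mdw and once through DEV.mdw with the same target user: the group list changes with the .mdw, while the Owner column does not, since ownership is stored in the .mdb against the SID. An object whose owner is SuperUser, or whose permissions list a PROD group that SuperUser sits in, explains the "suddenly full permissions" result. Reading another user's permissions requires that the login account itself has Administer (or at least Read Security) on the objects, so if the call raises a permission error, rerun it under an account that does.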
- Follow-Ups:
- Re: Advanced Security Issue
- From: theriaup
- References:
- Advanced Security Issue
- From: theriaup