Dual Workgroup - Problem with creating administrators

I have created a second workgroup file (different from my developer file) for
distribution of my database. I followed the Access Security FAQ (Item 33).
It works and I can log on to the application using this second workgroup file.


In my application, I have custom menus. I use code to allow administrators
to create new users as opposed to allowing access to the menu item that does
this. The application has the following groups:

Admins
PowerUsers
Users

All permissions to the database have been revoked for the Users group and the
specific user known as Admin. Neither the Admin user or anyone solely in the
Users group can logon.

I discovered with my second workgroup file that I could create new users (who
are not administrators) and they could successfully log on to the application.
These users were created to be members of PowerUsers and Users groups.
However, creating additional administrators seemed to work, but these
individuals could not logon. Administrators were made members of the Admins
and Users group.

I thought maybe my code was in some way deficient, so I turned the Access
default menu bar back on and created the administrator using the menu item.
Again added to Admins and Users groups.

The new administrator could STILL NOT LOGON. Error message "You don't have
permission,,,,,,".

So it occurred to me to add the administrator to the PowerUsers group as well.
Voila, now the adminstrator can logon and does have full adminstrative rights.


I didn't see this wrinkle documented anywhere. It is documented that any new
user must be a part of the Users group. I guess the issue is that since I
revoked permissions to open the database to the Users group and since the
Admins groups are not identical between my developer workgroup file and this
second workgroup file, the only commonality between the two workgroup files
is the creation of the PowerUsers group. Hence every user must also be a
member of this group in order to be able to open the database.

This is easy to implement, but my question is:

Is my analysis correct? Do I uhderstand what happened here or is there
something else going on that I'm not aware of.

Thanks.

--
Message posted via http://www.accessmonster.com
.

Relevant Pages

  • Re: Becoming the Owner
    ... so you can open the database while joined to ... and check the permissions for the Database object type. ... remove the permissions on all objects for the Users group. ... workgroup file. ...
    (microsoft.public.access.security)
  • Re: would it be wise???
    ... The Users group should not have any permissions to any object in the ... > group permission to open/run the database, ... >>> if passwords are stored in the workgroup file, ...
    (microsoft.public.access.security)
  • Re: How do I remove my security.mdw file from my database?
    ... My manager did not like the users having to login. ... the login screen and wants the users to be able to access the database ... In your file grant full permissions to all objects to the Users group. ... Close Access and then open using the default System.MDW workgroup file. ...
    (microsoft.public.access.security)
  • Re: user level security wizard
    ... When I click on the shortcut on the desktop, the error message box shows the ... the name of the database in this shortcut was not the copy, ... you said that every mdw file has the admin user and the Users Group ... where in the wizard do you tell it who the users are, ...
    (microsoft.public.access.security)
  • Re: Decompile a secured mdb
    ... It's not properly secured if the default Admin user can open the database. ... You should also remove the ability of the Users group to open the database. ... Don't give permissions to open/run those forms except to the groups that are ...
    (microsoft.public.access.security)
Loading