Re: More security questions



BruceM wrote:

1) From what I can tell, when I go to User and Group permissions and
view group permissions, one of the items that can be checked is
"Administer". I expect this is to administer user accounts, assign
ownership if needed, clear passwords, and all that sort of thing. Is
that correct?

Modify permissions on that object. A person needs to be a member of the
Admins Group in order to administer user accounts, clear passwords. Also
it's the owner who can change ownership (as well as the owner of the
database object).

2) I have created a number of test users, all of whom have the same
password and the default PID (that 20-character string of letters and
numbers).

There is no 'default' PID; also I don't understand why you'd give everyone
the same password.

The idea is that I will create shortcuts for individual
users so that clicking on the shortcut fills in that person's user
ID. To do that I am using this as the target in the shortcut:
"path to msaccess.exe" "path to the mdb file" /user UserName /wrkgrp
"path to secure mdw file"

OK, you can do that. However without the /user switch, Access will
automatically fill in the last Access username that opened a secure mdb on
that computer. It's only the first time that it'll use the user's Windows
login name. So I'm not sure there is any advantage to doing this.

Anyhow, my question is about a strategy for
deploying the shortcuts, and specifically about forcing the users to
choose a password.

I would deploy without a password set. You can check that the password
isn't blank; if it is, then give them a form to set their password. Also
you can then send everyone the same shortcut (assuming they have installed
Access to the same folder, and installed the frontend to the same location).


4) In a split database, I'm still trying to sort out when I assign
permissions. Do I assign permissions to objects, then split the
database, or do I assign permissions for tables in the back end and
other objects in the front end, or what? I'm still having trouble
getting a conceptual handle on this aspect of security.

One can do it either way.
1. - split first - just be sure you use the same secure mdw to secure both
the FE and BE
2. - secure first - be sure you don't use the splitter wizard as that will
result in an unsecure BE. There's a page on my site explaining how to split
manually (which is very easy to do).

I generally give only Open Permission on the BE database object. All data
interaction is done via RWOP queries; users then don't need any permission
on the backend tables.

5) I would like to have the username appear in records at times. Are
spaces in the user name OK, or is it like spaces in field names,
which can create extra work down the road?

In this case you can use the CurrentUser() function to retrieve the Access
username. Since this is data (as opposed to a field name), spaces are just
fine.

6) If I assign permissions to groups, but there is one user with a
unique set of permissions, can I assign permissions to that user
independent of the group? Even if it is possible, is it advisable,
or should I create a custom group for that one user?

You can. I always use groups; as soon as you think there is only one user
in a group, you'll find another user that needs to be a member.

7) Why would I as the developer want to change ownership of database
objects? It is possible, I know, but I can't quite imagine why
unless maybe on a large project with several developers.

The main thing is that neither the Users Group, nor the Admin User own
anything. These two entities are common to every mdw. So if either owns
something, then anyone with Access (i.e. they'd be using system.mdw) could,
as owner, do anything with the object.

--
Joan Wild
Microsoft Access MVP
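
The blank-password check suggested in the reply to question 2, as an added example that is not part of the original post or the poster's own code. It assumes a DAO reference and a dialog form named frmSetPassword (a hypothetical name) whose OK button calls SetInitialPassword.

```vba
Option Compare Database
Option Explicit

' Added example. True when the logged-in Access user still has a blank
' password: opening a second workspace as that user with "" only succeeds
' if the stored password is empty.
Public Function CurrentUserHasBlankPassword() As Boolean
    Dim ws As DAO.Workspace
    On Error Resume Next
    Set ws = DBEngine.CreateWorkspace("PwdProbe", CurrentUser(), "")
    CurrentUserHasBlankPassword = (Err.Number = 0)
    Err.Clear
    If Not ws Is Nothing Then ws.Close
    On Error GoTo 0
End Function

' Replaces the blank password of the logged-in user. Call it from the
' OK button of the password form with the contents of its two text boxes.
Public Sub SetInitialPassword(ByVal strNew As String, ByVal strConfirm As String)
    If Len(strNew) = 0 Then
        Err.Raise vbObjectError + 1, , "The new password cannot be blank."
    End If
    If StrComp(strNew, strConfirm, vbBinaryCompare) <> 0 Then
        Err.Raise vbObjectError + 2, , "The two entries do not match."
    End If
    ' Old password is "" because the account was deployed without one.
    DBEngine.Workspaces(0).Users(CurrentUser()).NewPassword "", strNew
End Sub

' Startup hook: call from the Open event of the startup form.
Public Sub ForcePasswordOnFirstLogin()
    If CurrentUserHasBlankPassword() Then
        DoCmd.OpenForm "frmSetPassword", WindowMode:=acDialog  ' hypothetical form
        ' Still blank after the dialog closed: do not let the session continue.
        If CurrentUserHasBlankPassword() Then Application.Quit acQuitSaveNone
    End If
End Sub
```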
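
The ownership point in the reply to question 7 can be checked before deployment. This added example (not from the original post) walks every DAO container in the current database and reports objects still owned by the Admin user or the Users group; the function name is an assumption.

```vba
Option Compare Database
Option Explicit

' Added example. Lists every object, including the database object itself
' (Databases\MSysDb), whose owner is one of the two accounts that exist in
' every workgroup file. Returns the number of findings; 0 is the goal.
Public Function CountObjectsOwnedByCommonAccounts() As Long
    Dim db As DAO.Database
    Dim ctr As DAO.Container
    Dim doc As DAO.Document
    Dim strOwner As String
    Dim lngFound As Long

    Set db = CurrentDb
    For Each ctr In db.Containers
        For Each doc In ctr.Documents
            ' Reading Owner can fail on objects the current user may not
            ' inspect; report those instead of stopping the audit.
            strOwner = vbNullString
            On Error Resume Next
            strOwner = doc.Owner
            If Err.Number <> 0 Then
                Debug.Print "Could not read owner: " & ctr.Name & "\" & doc.Name
                Err.Clear
            End If
            On Error GoTo 0

            If strOwner = "Admin" Or strOwner = "Users" Then
                Debug.Print ctr.Name & "\" & doc.Name & " is owned by " & strOwner
                lngFound = lngFound + 1
            End If
        Next doc
    Next ctr

    CountObjectsOwnedByCommonAccounts = lngFound
End Function
```

Run it from the Immediate window while logged in through the secure mdw as a member of the Admins group, once in the front end and once in the back end.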