Re: More security questions


BruceM wrote:

I saw something about that in Jack MacDonald's article as well. I'll
need to study that some more. I think I understand that only members
of the Admins group may manage user accounts. Permissions are stored
in the database (mdb) file, so when Workgroup File 1 has the same
user and group information as Workgroup File 2, the database will
"think" that it is the same group of users, and all permissions will
continue to apply.

Exactly. But since mdw2 has a different Admins Group than mdw1, they won't
have the same permissions. So mdw2 Admins Group will be able to manage
users that is: create/delete users and add/delete them from groups, but
won't have any other permissions.

One thing I'm still trying to sort out has to do with permissions. As I
understand it, a user who is a member of two groups will have
the least restrictive permissions. If one group can add data only,
and another can add or edit but not delete data, the user will be
able to add and edit data.

Right.

What I can't quite sort out is whether
this "least restrictive" rule applies to users as well. In the
example just given, if the user is given permission to delete data,
but that permission is not allowed any group of with that user is a
member, will the user be able to delete data anyhow?

Yes they will.

I think so,
because the least restrictive permission, whether it is a user
permission or a group permission, "wins". Users don't need any
permissions at all as long as they belong to groups that have
permissions. Do I understand correctly?

Yes.

Joan, thanks again for all of your help. I don't think I could have
done gotten this far, at least not anywhere near this quickly,
without it. If you have a chance to answer the few lingering
questions, that would be great, but I think that I have enough to
keep me busy for a while. I have undertaken several times to learn
user-level security, but this is the first time I feel like I might
actually be getting it.

You're welcome; it sounds to me like you are "getting it". It takes time,
but when it clicks it makes sense.

--
Joan Wild
Microsoft Access MVP


.

Relevant Pages

  • Re: You dont have permission to read
    ... I have tried to change permissions as Admin ... > and as a user who is a member of the Admins group. ... >>> use the database but he can't modify any objects. ...
    (microsoft.public.access.security)
  • Re: Changing groups
    ... pleaderb, sue, frank, ed are members of group projectb ... Everyone is a member of group user. ... depending on the file's permissions they can read and write the ... I do this all the time, using Samba. ...
    (Debian-User)
  • Re: Outside Users RDP into WS2008???
    ... Name it DL-Consultants ... Assign permissions on a resource to domain local group '. ... add any user account belonging to your consultants to become member of G-Consultants group. ... End disconnected session: ...
    (microsoft.public.windows.server.general)
  • Re: You dont have permission to read
    ... Admins Group is not the same. ... > use the database but he can't modify any objects. ... > does not have those permissions. ... > TC seems to think that any user who is a member of the Admins Group ...
    (microsoft.public.access.security)
  • Re: How to remove a user from a mail group (Tried to search...)
    ... If you're using Distribution Groups, these cannot show up in any ACLs ... If it is a Security Group, you'll need to figure out the what different ... resources the group could have permissions on. ... I go to "member of" tab. ...
    (microsoft.public.exchange.admin)
Loading