Re: More security questions




"Joan Wild" <jwild@xxxxxxxxxxxxxxxx> wrote in message
news:OHLy45zEHHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
BruceM wrote:

1) From what I can tell, when I go to User and Group permissions and
view group permissions, one of the items that can be checked is
"Administer". I expect this is to administer user accounts, assign
ownership if needed, clear passwords, and all that sort of thing. Is
that correct?

Modify permissions on that object. A person needs to be a member of the
Admins Group in order to administer user accounts, clear passwords. Also
it's the owner who can change ownership (as well as the owner of the
database object)

2) I have created a number of test users, all of whom have the same
password and the default PID (that 20-character string of letters and
numbers).

There is no 'default' PID; also I don't understand why you'd give everyone
the same password.

When I create a user the PID is filled in with a 20-character string. I
called it the default PID, but "automatically generated" would probably have
been more accurate. Regarding the password, I was testing security by
"pretending" to be different users with different permissions. To do that I
used the same password just so it would be easy to remember for the testing.
I'm not sure why I bothered to add the detail about the password, as it could
only have muddied the waters.
Is there any value to using something other than the automatically generated
PID?


The idea is that I will create shortcuts for individual
users so that clicking on the shortcut fills in that person's user
ID. To do that I am using this as the target in the shortcut:
"path to msaccess.exe" "path to the mdb file" /user UserName /wrkgrp
"path to secure mdw file"

OK, you can do that. However without the /user switch, Access will
automatically fill in the last Access username that opened a secure mdb on
that computer. It's only the first time that it'll use the user's Windows
login name. So I'm not sure there is any advantage to doing this.

I once attempted to deploy a front end by e-mail, but could neither send the
front end nor link to it because of security settings in Microsoft Exchange.
I renamed it as a text file, and sent it in an e-mail that started with (in
all caps) "Do not try to open the file from the e-mail", followed by
instructions for saving and renaming the file. Sure enough, I got calls
saying "When I tried to open the file I just got a lot of gibberish." There
are a number of people here who are very good at their jobs, but struggle
with things like this.
The trouble is that a number of computers are shared. On those computers
there may need to be a user-specific shortcut. Without it people would
double click the shortcut, add their passwords (regardless of the user
name), and then complain that the database doesn't work. It will not occur
to them to check the user name.


Anyhow, my question is about a strategy for
deploying the shortcuts, and specifically about forcing the users to
choose a password.

I would deploy without a password set. You can check that the password
isn't blank; if it is, then give them a form to set their password. Also
you can then send everyone the same shortcut (assuming they have installed
Access to the same folder, and installed the frontend to the same
location).


Perhaps I can start with the same shortcut for everybody, then modify it as
the circumstances demand. For a single-user computer there shouldn't be a
problem.

My main question regarding user passwords is how to get a user to enter a
password. The only way I can find is to log on as the user, then navigate
to User and Group Accounts by way of the menu (or I suppose I could have an
icon). Also, I would need either to rely on the user to navigate to the
appropriate dialog box, or I would need to go to each workstation, navigate
to the password dialog, and leave the user to enter a password.
You say that I can check that the password isn't blank, but the only way I
can figure out how to do that is to log on as that user. Is there another
way of doing that? Regarding giving the user a form, I'm not sure what you
mean by that. Are you talking about having them tell me the password so
that I can enter it for them, or are you talking about an Access form, or
something else? I'm sorry if I'm being dense about this, but I just don't
get how to do this.
A person's signature on a document is unique unless somebody is skilled at
forgery. I am looking for a way to simulate that assurance of uniqueness in
Access. As the Administrator I can clear a user's password and log in as
that user. Since I will also be using the database, it may be necessary to
set up an administrator who can only administer accounts, but not work
directly with data.
When my e-mail account and network logon were implemented there was a dialog
box asking for the password. Without completing the information I could
never have logged in. I get a similar sort of thing from time to time when
I need to change the password. Is there a way of producing the "You can't
go any further without a password" dialog in Access, or must it be a manual,
station-by-station process?


4) In a split database, I'm still trying to sort out when I assign
permissions. Do I assign permissions to objects, then split the
database, or do I assign permissions for tables in the back end and
other objects in the front end, or what? I'm still having trouble
getting a conceptual handle on this aspect of security.

One can do it either way.
1. - split first - just be sure you use the same secure mdw to secure both
the FE and BE
2. - secure first - be sure you don't use the splitter wizard as that will
result in an unsecure BE. There's a page on my site explaining how to
split manually (which is very easy to do).

I generally give only Open Permission on the BE database object. All data
interaction is done via RWOP queries; users then don't need any permission
on the backend tables.

I will try again to comprehend the MS FAQ. I must say it is really too bad
that such important information has not been updated in over six years. I'm
not sure how much to believe (for instance, it is among the very few
documents I have read that mention without any caveats using a database
password), but in any case there is a discussion of RWOP queries which
should be of value now that I know a little more about how the security
works.


5) I would like to have the username appear in records at times. Are
spaces in the user name OK, or is it like spaces in field names,
which can create extra work down the road?

In this case you can use CurrentUser() function to retrieve the Access
username. Since this is data (as opposed to a field name), spaces are
just fine

6) If I assign permissions to groups, but there is one user with a
unique set of permissions, can I assign permissions to that user
independent of the group? Even if it is possible, is it advisable,
or should I create a custom group for that one user?

You can. I always use groups; as soon as you think there is only one user
in a group, you'll find another user that needs to be a member.

7) Why would I as the developer want to change ownership of database
objects? It is possible, I know, but I can't quite imagine why
unless maybe on a large project with several developers.

The main thing is that neither the Users Group, nor the Admin User own
anything. These two entities are common to every mdw. So if either owns
something, then anyone with Access (i.e. they'd be using system.mdw)
could, as owner, do anything with the object.

I have already banished the Admin user to the Users group, and removed all
permissions from the Users group, thanks in large part to your instructions
and reinforced by other things I have read (Jack MacDonald's paper in
particular). I really appreciate all of your help with this. I could not
have done it using only Microsoft's documentation.


--
Joan Wild
Microsoft Access MVP
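
The blank-password check and forced password prompt discussed in this thread, as an added example that is not part of either poster's message. The names `PasswordIsBlank` and `RequirePassword` are hypothetical, and the code assumes it is called at startup (for example from the startup form's Open event) in a session already joined to the secure mdw.

```vba
Option Compare Database
Option Explicit

' Added example, not code from the thread.
' True if the logged-on Access user still has a blank password.
' Opening a second Jet workspace with a blank password only succeeds
' when the account's password really is blank.
Public Function PasswordIsBlank() As Boolean
    Dim ws As DAO.Workspace
    On Error Resume Next
    Set ws = DBEngine.CreateWorkspace("pwcheck", CurrentUser(), "", dbUseJet)
    PasswordIsBlank = (Err.Number = 0)
    If Not ws Is Nothing Then ws.Close
    On Error GoTo 0
End Function

' Keeps prompting until a non-blank password has been set.
' Quits Access if the user cancels or enters nothing.
Public Sub RequirePassword()
    Dim ws As DAO.Workspace
    Dim pw1 As String, pw2 As String

    If Not PasswordIsBlank() Then Exit Sub
    Set ws = DBEngine.Workspaces(0)
    Do
        pw1 = InputBox("You must choose a password before continuing:")
        If Len(pw1) = 0 Then
            MsgBox "A password is required. The database will now close."
            Application.Quit acQuitSaveNone
            Exit Sub
        End If
        pw2 = InputBox("Enter the password again to confirm:")
        If pw1 <> pw2 Then MsgBox "The two entries do not match."
    Loop Until pw1 = pw2
    ' The old password is blank here; a user may change their own password.
    ws.Users(CurrentUser()).NewPassword "", pw1
End Sub
```

InputBox displays what is typed, so on shared computers replace the two prompts with a small Access form whose text boxes use the Password input mask.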


