Security/User Groups

[Teewan]

Hi folks,

I have been developing a training database and have been asked to install
security and user groups on it. I dutifully went searching for information
and found a site with some great information
www.microsoft-accesssolutions.co.uk/access_security.htm after reading
carefully I decided that this would work and step by step proceeded to set a
new workgroup with 3 usergroups with different permissions. All working
perfectly until I needed to move the database to another location to setup a
local version of it there. I had forgotten to move the workgroup file
TrainingDatabase.mdw to my surprise the database opened and allowed all and
sundry full access. Further checking this morning shows that if I move the
workgroup file for the original database to a different location then here
too anyone with access to the location can gain full access to the database.
It appears as though if the workgroup file is unlocatable or the machine
which is being used is utilising the default system workgroup file then it
doesn't stop anyone from getting in.

All suggestions appreciated. My boss is expecting me to lock this thing up
very quickly.

 

[Rick Brandt]

Hi folks,

I have been developing a training database and have been asked to install
security and user groups on it. I dutifully went searching for information
and found a site with some great information
www.microsoft-accesssolutions.co.uk/access_security.htm after reading
carefully I decided that this would work and step by step proceeded to set a
new workgroup with 3 usergroups with different permissions. All working
perfectly until I needed to move the database to another location to setup a
local version of it there. I had forgotten to move the workgroup file
TrainingDatabase.mdw to my surprise the database opened and allowed all and
sundry full access. [snip]

If the file can be opened with another workgroup then you didn't secure it
properly.

When opening an Access file with an mdw that doesn't prompt you for a login you
are always silently logged in as user "Admin", member of group "Users". In that
particular workgroup file "Admin" is also a member of the group "Admins", but
that doesn't matter as the "Admins" groups in all non-default workgroups all
have a different internal IDs so your MDB file will not recognize any "Admins"
group except the one from the workgroup file used to secure it.

So...if "Admin" member of "Users" can open your file then either "Admin" or
"Users" still have permissions or ownership (something that should not be true
if you secured the app properly). The most common mistake is to leave "Admin"
as the owner of the database or other objects. Owners have rights above and
beyond the permissions they are granted.

 

[Guest]

You need to carefully read the security FAQ several times:
http://support.microsoft.com/default.aspx?scid=/support/access/content/secfaq.asp

However, the short answer is that you need to login to the secure
workgroup and then create a new database. Your new database
will be owned by your secure user - not owned by the universal
Admin user.

(david)

 

[Teewan]

Hi guys,

Many thanks for your responses but if you have further suggestions I'd
really like to hear them.

I followed your advice David a read carefully the FAQs and did note point 10
which advises to log on "as a member of the Admins group and import all of
the objects....." etc I thought this will have been my original problem and
started from scratch following the FAQ step by step. The result was that I
had a database with teewan as the owner of the Database and of all the tables
(working with just the backend here) Admin had no permission for Database or
Tables. teewan had all permissions for Database and Tables. Admin is a member
of Users only, teewan is a member of Users and Admins. Users had no
permissions, Admins had all permissions.

When I logged out and logged in to the database it happily asked for my
password. When I removed the work group information file from it's location
and attempted to open the database the work group file reverted to the system
default work group file. The owner of the Database and all the tables is now
<Unknown>. The custom user groups I created are gone. teewan as a user is
gone. Admins is in control again and happily allowing all and sundry to get
to my data.

I've been working with/developing Access databases on a small scale for over
3 years but this is my first experience with Security on one. I have repeated
this process several times today with the same end result each time. Any
advice you can offer is appreciated.

Cheers
Teewan

 

[david epsom dot com dot au]

Is it possible that you have created the new workgroup file
with a matching Admins Group? You need to use a different
Security String to get a different Admins group.

By the way, you may also create a new Group to put
teewan in, rather than using the Admins group.
Using a new group, you can see explicitly which
permissions the group has (unlike the Admins group,
which has implicit permissions you can't see).
For clearer security, you can then add the new group
to any workgroup file, so that you have a workgroup
with only the security group and clear permissions -
no active Admins group at all. Without the Admins
group or the owner, you won't be able to change
security settings at all, but to manage security
you will still be able to move people into and out
of the new security group.