User Group Permission Read/Update/Insert/Delete NOT READ DESIGN.

[Andy]

Hi;

Just learned something "Frightening" by trial and error.

Have a runtime version created in A2K.

Used "User and Group permissions" to secure it.

The Administrator has a password to open the dbase and be able to access the
designs and codes. (user name: Admin, Pword: *****
The users open the dbase w/o a password, (they do have a password to protect
their data.), (user name: My Name, Pword is left blank.

Discovered this:
If on a "foreign" computer I add a user in Windows called "My Name" without
a password and then open a full version of Access I can import the
tables/qrys/macros into that dbase.

I know why its happening:
To be able to use the secured dbase package the user has to be granted
permissions to "Read, Update, Insert and Delete Data" in the
tables/qrys/macros.

BUT to do that You must also grant permission to "READ DESIGN".

With the Forms and Reports the only permission needed is "Open/Run", the
Forms and Reports CANNOT be imported by user "My Name".

Is there a workaround or another way to block this.

Thank You.

Andy

 

[Chris Mills]

If the database can be opened without a password then it was not secured
properly. In fact, you have used the standard test to tell if it is.

For more information on User Level Security see the SecFAQ at:
http://support.microsoft.com/?id=207793
....or see microsoft.public.access.security

It is true that table Read Design permissions are required (unless one perhaps
uses RWOP queries), but this is not regarded as a security breach.

If you secure it properly, only someone with a valid password can access the
tables. Of course, THEY can copy data out, since you've given them permission
to the data! This is why you commonly lock down your database with other
things as well, such as the AllowBypassKeys property.

And there are some articles like this:
www.access.qbuilt.com/html/security.html#PreventImportFrSecDB

This has nothing to do with runtime. Runtime does limit what a user can do,
but that's for licensing reasons and can't be used as a security measure (they
can just buy Full Acess).

Chris

 

[Andy]

Chris;

Thank You.

Me

If the database can be opened without a password then it was not secured
properly. In fact, you have used the standard test to tell if it is.

For more information on User Level Security see the SecFAQ at:
http://support.microsoft.com/?id=207793
...or see microsoft.public.access.security

It is true that table Read Design permissions are required (unless one
perhaps
uses RWOP queries), but this is not regarded as a security breach.

If you secure it properly, only someone with a valid password can access
the
tables. Of course, THEY can copy data out, since you've given them
permission
to the data! This is why you commonly lock down your database with other
things as well, such as the AllowBypassKeys property.

And there are some articles like this:
www.access.qbuilt.com/html/security.html#PreventImportFrSecDB

This has nothing to do with runtime. Runtime does limit what a user can
do,
but that's for licensing reasons and can't be used as a security measure
(they
can just buy Full Acess).

Chris