Security Challenge

Hello there nice folks,

OS: NT
Office: XP
Assumption 01: Already read MS's Security FAQ
Assumption 02: Good knowledge of how to secure a database


Scenario:

1) Tables in a "secured"mdb backend
2) Forms, Code, Queries and linked tables in a "secured" .mde front
end
3) "Users" group given no access at all
4) By pass key permanently disabled in the mde file by passing the ddl
parameter (checked and works like a charm)
5) People accessing the database through the mde file have an intense
logic behind the forms where Form 1 has to have information Before
Entering/viewing Information in Form 2 and so on and so forth
6) Based on the status of a record, user's are permitted/ not
permitted to view record

Challenge:
As you can see, everything looks hunky dory from the scenario above.
However, let's say user JOEBLOE has read access on Table 1 and Table 2
but is not suppose to see Table 2 until data has been entered in Table
1.

JOEBLOE is a curious user, who has nothing else to do at work except
for exploring Access databases lying around. Also, JOEBLOE knows quite
a bit of Access and thinks he is a programmer. To hack into the
system, JOEBLOE makes a new Access database but opens it using the MDW
file located on his system. Because JOEBLOE has read ….and also write
access to these tables, he can import them and view Table 1 and Table
2 without following the enforced system implemented through forms in
the MDE.

How do I prevent JOEBLOE from doing this?

All help is really appreciated

Thanks
JOEBLOES despiser


Farooq

re: Security Challenge

Item #25 in the security FAQ deals with this issue:
25. How can I help prevent users from updating any tables by any means
other than through forms?

Haven't done it personally, but sounds like it should work in your
situation.


On 18 Jun 2004 05:12:30 -0700, kfc1976@yahoo.com (Farooq) wrote:
[color=blue]
>Hello there nice folks,
>
>OS: NT
>Office: XP
>Assumption 01: Already read MS's Security FAQ
>Assumption 02: Good knowledge of how to secure a database
>
>
>Scenario:
>
>1) Tables in a "secured"mdb backend
>2) Forms, Code, Queries and linked tables in a "secured" .mde front
>end
>3) "Users" group given no access at all
>4) By pass key permanently disabled in the mde file by passing the ddl
>parameter (checked and works like a charm)
>5) People accessing the database through the mde file have an intense
>logic behind the forms where Form 1 has to have information Before
>Entering/viewing Information in Form 2 and so on and so forth
>6) Based on the status of a record, user's are permitted/ not
>permitted to view record
>
>Challenge:
>As you can see, everything looks hunky dory from the scenario above.
>However, let's say user JOEBLOE has read access on Table 1 and Table 2
>but is not suppose to see Table 2 until data has been entered in Table
>1.
>
>JOEBLOE is a curious user, who has nothing else to do at work except
>for exploring Access databases lying around. Also, JOEBLOE knows quite
>a bit of Access and thinks he is a programmer. To hack into the
>system, JOEBLOE makes a new Access database but opens it using the MDW
>file located on his system. Because JOEBLOE has read ….and also write
>access to these tables, he can import them and view Table 1 and Table
>2 without following the enforced system implemented through forms in
>the MDE.
>
>How do I prevent JOEBLOE from doing this?
>
>All help is really appreciated
>
>Thanks
>JOEBLOES despiser
>
>
>Farooq[/color]


**********************
jackmacMACdonald@telusTELUS.net
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security