"Home grown" Access Security

I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their username
and password in on every function?

Thanks in advance

Will
Nov 13 '05 #1
Yes it is.

Store in either
global variables
or
database properties
or
a table.

But as Access security prompts for the username and password when the db
starts and then applies that security as they use the database I don't
really see what you are gaining, except a (possibly) bug ridden not really
secure alternative.
--
Terry Kreft
MVP Microsoft Access
"Will" <Wi*********@ho tmail.com> wrote in message
news:34******** *****@individua l.net...
> I am looking at using a table with user names, passwords and user rights,
> which I would administer. I have read a lot about the shortfalls of this
> and the lack of security but the customer does not wish to use Access
> security and what they are more focused on is a solution for when a user
> performs a critical action the system can verify that it is actually that
> user, e.g. Checks User Name and Password in a table in place of just
> selecting from a drop down, (Has anyone implemented similar?). My question
> is, is it possible for a user to enter their user name and password when
> they open the database and then to store that user name for the rest of
> their database activity, rather than requesting that they put their username
> and password in on every function?
>
> Thanks in advance
>
> Will

Nov 13 '05 #2
Will wrote:
> I am looking at using a table with user names, passwords and user
> rights, which I would administer. I have read a lot about the
> shortfalls of this and the lack of security but the customer does not
> wish to use Access security and what they are more focused on is a
> solution for when a user performs a critical action the system can
> verify that it is actually that user, e.g. Checks User Name and
> Password in a table in place of just selecting from a drop down, (Has
> anyone implemented similar?).


If that's all they want just capture their Windows logon. No tables and
passwords even required.

The most basic problem with home-grown security is that ANY user will be
able to see your table of UserNames and Passwords. It can work just as a
way to track who entered what, but as stated you can just capture the
Windows name for that.

--
I don't check the Email account attached
to this message. Send instead to...
RBrandt at Hunter dot com
Nov 13 '05 #3
Rick Brandt wrote:
> If that's all they want just capture their Windows logon. No tables and
> passwords even required.


From the access web: http://www.mvps.org/access/api/api0008.htm.
That'll get you the windows login as Rick suggested, unless there's an
easier way...
--
Tim http://www.ucs.mun.ca/~tmarshal/
^o<
/#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
/^^ "What's UP, Dittoooooo?" - Ditto
Nov 13 '05 #4
"Will" <Wi*********@ho tmail.com> wrote in message
news:34******** *****@individua l.net...
> I am looking at using a table with user names, passwords and user rights,
> which I would administer. I have read a lot about the shortfalls of this
> and the lack of security but the customer does not wish to use Access
> security

Why do they not wish to use ms-access security? Further, why would you
develop your own system, write tons of code, and cost the client more money?

It might not look very good if you sell them on the idea of writing your own
stuff. Then, someone who knows ms-access will come along and ask why did you
folks waste all this money on writing your own security system when it is
built in? The end result here is that any ms-access person that comes along
will view your approach as not being very honest on your part...but perhaps
some ploy to make more work for yourself!

> My question
> is, is it possible for a user to enter their user name and password when
> they open the database and then to store that user name for the rest of
> their database activity, rather than requesting that they put their
> username
> and password in on every function?


Sure you can do this. I would assume that many things such as the
company/customer name, and all kinds of setup stuff is contained, and
maintained in your application. I load all kinds of things into memory at
startup, stuff like company name, tax rates, year end dates etc. Loading
user name into memory (a global var) would simply be one of many things that
your application now no doubt maintains, and has when it runs.

Of course, any un-trapped error does re-set all global vars, but if you use
an mde, then errors don't re-set your global vars....

If you do use ms-access security, then you do have to sit down and learn
how ms-access security works. Often it seems that developers would rather
roll their own than learn how ms-access security works. The end result is a
custom security solution that any new developer now has to learn! It doesn't
make sense to try and write your own sql system, and the same goes for
security. Remember, even when you use ms-access security, you can and will
OFTEN wind up writing a lot of custom security code anyway. However, in the
long run you are still FAR better to use built in security as then you can
apply this knowledge to future ms-access projects..and have learned a
valuable skill in the process.

--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada
pl************* ****@msn.com
http://www.attcanada.net/~kallal.msn
Nov 13 '05 #5
Will wrote:
> I am looking at using a table with user names, passwords and user rights,
> which I would administer. I have read a lot about the shortfalls of this
> and the lack of security but the customer does not wish to use Access
> security and what they are more focused on is a solution for when a user
> performs a critical action the system can verify that it is actually that
> user, e.g. Checks User Name and Password in a table in place of just
> selecting from a drop down, (Has anyone implemented similar?). My question
> is, is it possible for a user to enter their user name and password when
> they open the database and then to store that user name for the rest of
> their database activity, rather than requesting that they put their username
> and password in on every function?
>
> Thanks in advance
>
> Will


Maybe http://www.mvps.org/access/api/api0008.htm will be of assistance.
Nov 13 '05 #6
Perhaps what he is actually seeking is not the "security", but just the
permission levels. I use this scheme in my app because all users are
already logged on to a secure intranet using Windows NT security, and are
business-wise authorized to perform all functions of my app. However, they
are not assigned to certain related areas: some data in another database
must be kept in synch with mine, unfortunately by human interface; only
two-three users per office do that, so any changes made to that set of data
by other users must be logged, and made visible to the 2-3 users who use
both systems. It's not a matter of security - nobody would have any
motivation to bypass it - it's just a matter of permissions, to make things
run smoothly.

I use Dev's fOSUserName() function to get the NT/XP user name, and assign
them to a user group upon login. From then on, a simple function call
checks if they're in the right user group to perform the function without
logging it. They of course never enter a separate password.
Darryl Kerkeslager

"Terry Kreft" <te*********@mp s.co.uk> wrote:
> But as Access security prompts for the username and password when the db
> starts and then applies that security as they use the database I don't
> really see what you are gaining, except a (possibly) bug ridden not really
> secure alternative.

Nov 13 '05 #7
"Will" <Wi*********@ho tmail.com> wrote in
news:34******** *****@individua l.net:
> I am looking at using a table with user names, passwords and user
> rights, which I would administer. I have read a lot about the
> shortfalls of this and the lack of security but the customer does
> not wish to use Access security and what they are more focused on
> is a solution for when a user performs a critical action the
> system can verify that it is actually that user, e.g. Checks User
> Name and Password in a table in place of just selecting from a
> drop down, (Has anyone implemented similar?). My question is, is
> it possible for a user to enter their user name and password when
> they open the database and then to store that user name for the
> rest of their database activity, rather than requesting that they
> put their username and password in on every function?


There's a fundamental flaw in the thinking here. You assume that the
person at the keyboard is the person associated with the
username/password pair that the system is logged in as. You *can't*
assume that.

Say, for instance, that someone logs onto the database with their
personal username/password, and then walks away to have lunch.
Someone else sits down at the computer and pulls up the database and
types all sorts of things into the database. It looks like the lunch
guy did the work, but that's not the case.

You simply cannot know from the internals of Access or any custom
application exactly who is doing the data entry unless you force
them to authenticate for every single operation. Even then, someone
can very easily give someone else their username/password.

If you're going to ask for a username/password, then use Jet
security. It's built-in, it's less crackable than anything you'd
write from scratch and it is stable. You don't have to apply
security to objects, you can use the logon simply to identify the
user (I do this all the time, with no restrictions on security,
often to selectively enable controls and subforms).

I can't think of *any* advantage to rolling your own security for
this purpose.

And even using the NT logonID is going to mean that you have to keep
a table of the usernames somewhere, mapped to their authorization
levels. Why not use the built-in capabilities for doing this?

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #8
"Will" <Wi*********@ho tmail.com> wrote:
> the customer does not wish to use Access
> security


Is the customer a seasoned Access developer? Has he also specified that
none of the code should contain any vowels? IMHO it is ludicrous for the
customer to dictate this kind of thing to the developer - they have
requirements and you, the developer, provide the solution using whatever
methods you see fit.

The issue regarding authentication can be resolved using built-in security
and a fairly simple audit routine. If you record every user transaction
against the NT user name and a time stamp, any anomalies regarding who did
what and when can be dealt with as and when they arise.

Regards,
Keith.
www.keithwilby.com
Nov 13 '05 #9
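
The scheme described in posts #7 and #9 above (Windows logon name, a user-to-group lookup, and an audit row per action) could look like this in an Access standard module. This is an added example, not code from any poster; the tables `tblUserGroups` and `tblAudit`, their columns, and the procedure names are assumptions, and the module needs a reference to the DAO library.

```vba
Option Compare Database
Option Explicit

' advapi32 GetUserName: the call that helpers such as fOSUserName() wrap.
#If VBA7 Then
Private Declare PtrSafe Function apiGetUserName Lib "advapi32.dll" _
    Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
#Else
Private Declare Function apiGetUserName Lib "advapi32.dll" _
    Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
#End If

' Windows logon name of the current session ("" if the call fails).
Public Function WindowsUserName() As String
    Dim buf As String, n As Long
    n = 255
    buf = String$(n, vbNullChar)
    ' On success n is the length including the terminating null.
    If apiGetUserName(buf, n) <> 0 Then WindowsUserName = Left$(buf, n - 1)
End Function

' True if the logged-on Windows user is mapped to groupName.
' tblUserGroups(UserName, GroupName) is an assumed table.
Public Function UserInGroup(ByVal groupName As String) As Boolean
    Dim qd As DAO.QueryDef, rs As DAO.Recordset, user As String
    user = WindowsUserName()
    If Len(user) = 0 Then Exit Function   ' unknown user: deny
    Set qd = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pUser Text(255), pGroup Text(255); " & _
        "SELECT UserName FROM tblUserGroups " & _
        "WHERE UserName = [pUser] AND GroupName = [pGroup];")
    qd.Parameters("pUser") = user
    qd.Parameters("pGroup") = groupName
    Set rs = qd.OpenRecordset(dbOpenSnapshot)
    UserInGroup = Not rs.EOF
    rs.Close
End Function

' Record one action against the Windows name and a time stamp, noting
' whether the user belongs to the group normally responsible for it.
' tblAudit(UserName, ActionTime, ActionName, InGroup) is an assumed table.
Public Sub LogAction(ByVal actionName As String, ByVal requiredGroup As String)
    Dim qd As DAO.QueryDef
    Set qd = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pUser Text(255), pWhen DateTime, pAction Text(255), pIn Bit; " & _
        "INSERT INTO tblAudit (UserName, ActionTime, ActionName, InGroup) " & _
        "VALUES ([pUser], [pWhen], [pAction], [pIn]);")
    qd.Parameters("pUser") = WindowsUserName()
    qd.Parameters("pWhen") = Now()
    qd.Parameters("pAction") = actionName
    qd.Parameters("pIn") = UserInGroup(requiredGroup)
    qd.Execute dbFailOnError
End Sub
```

The name recorded is that of the logged-on Windows session, which, as post #8 points out, is not necessarily the person at the keyboard. Both tables are only as trustworthy as the write access users have to the file that holds them.
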
Darryl Kerkeslager wrote:
> Perhaps what he is actually seeking is not the "security", but just the
> permission levels. I use this scheme in my app because all users are
> already logged on to a secure intranet using Windows NT security, and are
> business-wise authorized to perform all functions of my app.


I use something similar - 90% of my apps are written against an Oracle
database. It's a simple matter to set up an Oracle user table with
various columns/fields for permissions and grant select only (read only
access). In fact, the connect string can be buried in a module of an
mde making it impossible for a user to access the table (I use pass
through queries as opposed to linked tables) at all.
--
Tim http://www.ucs.mun.ca/~tmarshal/
^o<
/#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
/^^ "What's UP, Dittoooooo?" - Ditto
Nov 13 '05 #10
