Database security

One of the main reasons that people use Access security is so that they can
set up a variety of "roles"; some users can perform certain functions but
not others; other users may have a different set of functions they can
perform on the same database.

"Paul .V." <pr*******@shaw .ca> wrote in message
news:41******** *************** ***@posting.goo gle.com...

I have read many long articles in this group about securing my
database for distribution. This is the advise I have taken:

1. Hardcoded the purchasing company's name into the program. The
limitations are that the company can't get a instant download as I
need to manually code their name. That's fine for now.

2. Make both the front and the backend databases MDE. This protects
my code.

3. I will implement the lock software at www.zappersoftware.com to
require a registration code on install which would be limiting only in
that the program would now be machine specific.

With those 2-1/2 or 3 things done, why would I want to implement MS
Security as found in the Security FAQ on the Microsoft site?

The way I see it, with #3 they can't really copy the database. If
they do figure out a way to copy it they would still be limited to
having that certain company name (#1) appearing on all forms &
reports. With #2, they can't touch my code.

Is there something I'm missing. What benefit would the MS Security be
for my situation?

Thanks,

Paul .V.

On 4 Feb 2005 17:41:43 -0800, pr*******@shaw. ca (Paul .V.) wrote:

Re 2: There should typically not be any code in the backend db, so it
should be an MDB.

MacDermott is correct about the role-based security. Let's say there
is a Salary table that not everyone should have access to...

-Tom.

I have read many long articles in this group about securing my
database for distribution. This is the advise I have taken:

1. Hardcoded the purchasing company's name into the program. The
limitations are that the company can't get a instant download as I
need to manually code their name. That's fine for now.

2. Make both the front and the backend databases MDE. This protects
my code.

3. I will implement the lock software at www.zappersoftware.com to
require a registration code on install which would be limiting only in
that the program would now be machine specific.

With those 2-1/2 or 3 things done, why would I want to implement MS
Security as found in the Security FAQ on the Microsoft site?

The way I see it, with #3 they can't really copy the database. If
they do figure out a way to copy it they would still be limited to
having that certain company name (#1) appearing on all forms &
reports. With #2, they can't touch my code.

Is there something I'm missing. What benefit would the MS Security be
for my situation?

Thanks,

Paul .V.

I have setup my own internal security to limit users to specific
activities so it sounds to me like I do not need to use the Access
Security.

On another note, I put my current project backend to an mde because
somewhere in the help file I read that both files must be mde to work
although an older project I worked on I did exactly as you said...My
frontend is a mde and the backend is an mdb. I wonder why the help file
says that won't work.

Thanks for your input(s),

Paul .V.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

"Need" is always a relative term.
In my experience, as a general rule, developer-created internal security
systems are not as secure as Access's own security.
Which is not to tout Access Security -
a simple Google search will find you several low-cost options to crack
even that.
I've contended for some time that if you have an internal application, and
employees who are clearly circumventing the established rules about who can
do what in that application, you have an HR problem more than an IT problem.

As for the help files -
I'm not connected with Microsoft, other than as a user, but I see Help
file development like this:
You can't write an effective help file until the product is finished,
because what you document could change.
Once the product is finished, there's tremendous pressure to release it -
nobody wants to wait for the help files to be finished.
You can still find scattered references in the Help files to using
Access on McIntosh machines - something which has never, to my knowledge,
gotten past the drawing boards.
It's also been my experience that the quality of Access Help files has
declined with each release. (I still sometimes go back to Access 97 help,
because it's so much easier to find things there. But I can remember when
that first came out, how much I missed the printed Access 2.0 help.)
Nevertheless, Access Help is the first place I go to answer my Access
questions, and it's rare for me to have to go further than that. It's a
good product, but not perfect - doesn't excuse us from doing our own
thinking. But then, that's what we programmers do, isn't it?

"Paul V" <pr*******@shaw .ca> wrote in message news:42******** **@127.0.0.1...

I have setup my own internal security to limit users to specific
activities so it sounds to me like I do not need to use the Access
Security.

On another note, I put my current project backend to an mde because
somewhere in the help file I read that both files must be mde to work
although an older project I worked on I did exactly as you said...My
frontend is a mde and the backend is an mdb. I wonder why the help file
says that won't work.

Thanks for your input(s),

Paul .V.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Yep, you're right. My internal security probably isn't as secure as
Access security but I did realise that upon setting it up. I also agree
with you in that that poses the question more of HR problems rather than
IT problems. The way I see it for now, if someone decides to mess with
the tables then "I'm on by the hour" to fix what has been done. It's
always possible to make something more secure but for the intended
purpose of this program, my security messures should suffice.

Thanks again for all your input. It sounds as though I have taken the
necessary steps to secure my database for distribution.

Paul .V.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!