Permissions, RWOP queries not the answer

Mmmm. Doing some work with Access security.

Let's say I don't want the users to be able to edit the back end tables
directly. Not because it's a 'high security' application but because they
can do damage. I only want them to access the app through my forms.

So I deny them access rights (talking Access, not NT) to the back end data
tables. Then I use RWOP queries in the forms. This is a standard technique,
no?

User Frank I want to be able to read, update, insert, delete records in
table A

User Harry I want to be able to read, update, insert but NOT delete records
in table A

I can't set those permissions using Access security on the form can I? And
owner's permission is going to give all users complete privileges (or at
least the greatest freedom that I grant to the 'owner').

How can I set a fine level of granularity of permissions, while still
ensuring that users can't get at the back end tables directly at all.

Mike
Nov 13 '05 #1
Bri


Mike MacSween wrote:
> Mmmm. Doing some work with Access security.
>
> Let's say I don't want the users to be able to edit the back end tables
> directly. Not because it's a 'high security' application but because they
> can do damage. I only want them to access the app through my forms.
>
> So I deny them access rights (talking Access, not NT) to the back end data
> tables. Then I use RWOP queries in the forms. This is a standard technique,
> no?
>
> User Frank I want to be able to read, update, insert, delete records in
> table A
>
> User Harry I want to be able to read, update, insert but NOT delete records
> in table A
>
> I can't set those permissions using Access security on the form can I? And
> owner's permission is going to give all users complete privileges (or at
> least the greatest freedom that I grant to the 'owner').
>
> How can I set a fine level of granularity of permissions, while still
> ensuring that users can't get at the back end tables directly at all.
>
> Mike


See my reply to your message in the earlier thread. The RWOP queries
need to have an Owner that has the appropriate rights, not be owned by
the administrator.

--
Bri
Nov 13 '05 #2
"Mike MacSween" <mi************ *************** @btinternet.com > wrote in
message news:42******** *************** @news.aaisp.net .uk...

> I can't set those permissions using Access security on the form can I? And
> owner's permission is going to give all users complete privileges (or at
> least the greatest freedom that I grant to the 'owner').


No, you misunderstand. Users are still restricted based on the permissions
you give them on the *query*. So if you give Frank read permission on the
query, that's all he'll be able to do (regardless that the query owner has
full permission on the table).

Give Frank read, update, insert, delete permission on the query, and Harry
read, update, insert permission on the query.

Actually you should apply permissions to groups; it's easier to manage
security.
--
Joan Wild
Microsoft Access MVP
Nov 13 '05 #3
Bri


Joan Wild wrote:
> "Mike MacSween" <mi************ *************** @btinternet.com > wrote in
> message news:42******** *************** @news.aaisp.net .uk...
>> I can't set those permissions using Access security on the form can I? And
>> owner's permission is going to give all users complete privileges (or at
>> least the greatest freedom that I grant to the 'owner').
>
> No, you misunderstand. Users are still restricted based on the permissions
> you give them on the *query*. So if you give Frank read permission on the
> query, that's all he'll be able to do (regardless that the query owner has
> full permission on the table).
>
> Give Frank read, update, insert, delete permission on the query, and Harry
> read, update, insert permission on the query.
>
> Actually you should apply permissions to groups; it's easier to manage
> security.


Joan,

I originally thought that too, but I then tested it and it doesn't work
that way (in AC97 anyway). I created a test user in a secured DB. I gave
that user NO rights to a table, created a RWOP query based on the table,
gave only read rights to the query. I then logged in as the test user
and had FULL rights to the table via the query, not the read only rights
I thought I would get. My solution was to create a new UserID with the
appropriate rights to the Table and made it the owner of the query. Then
it worked. The query inherits the rights of the OWNER in a RWOP query,
regardless of what rights you assign to the query. In a regular query,
the rights of it cannot give you more rights to the underlying table
than you have for the table itself.

At least in my experience and testing.

--
Bri
Nov 13 '05 #4
"Bri" <no*@here.com > wrote in message
news:wvWxe.1860 786$6l.456831@p d7tw2no...

> Joan,
>
> I originally thought that too, but I then tested it and it doesn't work
> that way (in AC97 anyway).

Yes it does work in 97. I've never had an issue with this.

> I created a test user in a secured DB. I gave that user NO rights to a
> table, created a RWOP query based on the table, gave only read rights to
> the query. I then logged in as the test user and had FULL rights to the
> table via the query, not the read only rights I thought I would get.

There could be a number of reasons like the users group has permissions on
the tables (or any group that the user is a member of).

> My solution was to create a new UserID with the appropriate rights to the
> Table and made it the owner of the query. Then it worked.

So who was the owner of the query before?

> The query inherits the rights of the OWNER in a RWOP query, regardless of
> what rights you assign to the query.


That is not correct; they are restricted by the permissions on the query.
The query doesn't inherit the rights of the owner. It just means that,
although the user has no permissions on the underlying table(s), when they
run this query, give them access to the tables as though the query owner
were running the query. However, still restrict them based on the
permissions I assign to this query.

If a user has full permissions on a table, and then creates a RWOP query,
but only gives read permissions on the query, any user running the query
will have read only capabilities while using the query. I have done this
countless times and never seen what you have.

It suggests to me that your test user is getting their permissions from some
group membership that you've overlooked, or that your database isn't secured
properly.
--
Joan Wild
Microsoft Access MVP
Nov 13 '05 #5
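
A simplified model of the permission check as Joan Wild describes it in the post above, added here as an example; it is not code from the thread or from Access itself. The user, group, table and query names (AppOwner, Editors, DataEntry, qryTableA) are assumptions made for illustration.

```python
# Simplified model of the Access (Jet) user-level security checks described in
# this thread. All names and data below are constructed for illustration.
from dataclasses import dataclass, field

READ, UPDATE, INSERT, DELETE = "read", "update", "insert", "delete"
ALL = frozenset({READ, UPDATE, INSERT, DELETE})

@dataclass
class Workgroup:
    members: dict = field(default_factory=dict)   # user -> set of group names
    grants: dict = field(default_factory=dict)    # (principal, object) -> perms

    def grant(self, principal, obj, perms):
        self.grants[(principal, obj)] = frozenset(perms)

    def effective(self, user, obj):
        """Explicit user permissions plus those of every group the user is in."""
        perms = set(self.grants.get((user, obj), ()))
        for group in self.members.get(user, ()):
            perms |= self.grants.get((group, obj), frozenset())
        return perms

@dataclass
class Query:
    name: str
    table: str
    owner: str
    rwop: bool   # True = saved WITH OWNERACCESS OPTION

def allowed_via_query(wg, user, query):
    """Operations the user can perform on the table through the query."""
    on_query = wg.effective(user, query.name)
    # RWOP: the table check is made as the query owner; otherwise as the user.
    table_principal = query.owner if query.rwop else user
    return on_query & wg.effective(table_principal, query.table)

def build_example():
    wg = Workgroup(members={"Frank": {"Editors"}, "Harry": {"DataEntry"},
                            "AppOwner": set()})
    wg.grant("AppOwner", "TableA", ALL)          # only the owner touches the table
    wg.grant("Editors", "qryTableA", ALL)
    wg.grant("DataEntry", "qryTableA", {READ, UPDATE, INSERT})
    return wg, Query("qryTableA", "TableA", owner="AppOwner", rwop=True)

if __name__ == "__main__":
    wg, q = build_example()
    for user in ("Frank", "Harry"):
        print(user, "via query:", sorted(allowed_via_query(wg, user, q)),
              "| direct:", sorted(wg.effective(user, "TableA")))
    # Pitfall raised in the thread: a group the user belongs to (for example the
    # default Users group) still holding table permissions bypasses the query.
    wg.members["Harry"].add("Users")
    wg.grant("Users", "TableA", ALL)
    print("Harry direct after Users grant:", sorted(wg.effective("Harry", "TableA")))
```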
Bri
Joan Wild wrote:
> "Bri" <no*@here.com > wrote in message
> news:wvWxe.1860 786$6l.456831@p d7tw2no...
>> Joan,
>>
>> I originally thought that too, but I then tested it and it doesn't work
>> that way (in AC97 anyway).
>
> Yes it does work in 97. I've never had an issue with this.
>
> There could be a number of reasons like the users group has permissions on
> the tables (or any group that the user is a member of).

It was a member of only one group, that group had the Read only
permission on the query and no permissions on the table.

>> My solution was to create a new UserID with the
>> appropriate rights to the Table and made it the owner of the query. Then
>> it worked.
>
> So who was the owner of the query before?

My Administrator UserID that I used to create the query.

>> The query inherits the rights of the OWNER in a RWOP query,
>> regardless of what rights you assign to the query.
>
> That is not correct; they are restricted by the permissions on the query.
> The query doesn't inherit the rights of the owner. It just means that,
> although the user has no permissions on the underlying table(s), when they
> run this query, give them access to the tables as though the query owner
> were running the query. However, still restrict them based on the
> permissions I assign to this query.
>
> If a user has full permissions on a table, and then creates a RWOP query,
> but only gives read permissions on the query, any user running the query
> will have read only capabilities while using the query. I have done this
> countless times and never seen what you have.
>
> It suggests to me that your test user is getting their permissions from some
> group membership that you've overlooked, or that your database isn't secured
> properly.


I went back to test this again and it now works as you describe. This is
also the behavior that I had expected originally. I can no longer
explain how my first test did not behave like this. In it, the test ID
had the full rights to the data via the query that it only had read
rights assigned to (no rights to the table). I did it again from scratch
and only got read rights (as originally expected). Must have screwed up
something in the first test.

--
Bri

Nov 13 '05 #6
"Joan Wild" <jw***@nospamty enet.com> wrote in message
news:11******** *****@corp.supe rnews.com...
> "Mike MacSween" <mi************ *************** @btinternet.com > wrote in
> message news:42******** *************** @news.aaisp.net .uk...
>> I can't set those permissions using Access security on the form can I?
>> And owner's permission is going to give all users complete privileges (or
>> at least the greatest freedom that I grant to the 'owner').
>
> No, you misunderstand. Users are still restricted based on the
> permissions you give them on the *query*. So if you give Frank read
> permission on the query, that's all he'll be able to do (regardless that
> the query owner has full permission on the table).

Ahhh! I see.

> Give Frank read, update, insert, delete permission on the query, and Harry
> read, update, insert permission on the query.
>
> Actually you should apply permissions to groups; it's easier to manage
> security.


Yes, that's what I've been doing.

Thanks Joan

Mike
Nov 13 '05 #7
