I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their username
and password in on every function?
Thanks in advance
Will 11 2066
Yes it is.
Store in either
global variables
or
database properties
or
a table.
But as Access security prompts for the username and password when the db
starts and then applies that security as they use the database I don't
really see what you are gaining, except a (possibly) bug ridden not really
secure alternative.
--
Terry Kreft
MVP Microsoft Access
"Will" <Wi*********@hotmail.com> wrote in message
news:34*************@individual.net... I am looking at using a table with user names, passwords and user rights, which I would administer. I have read a lot about the shortfalls of this and the lack of security but the customer does not wish to use Access security and what they are more focused on is a solution for when a user performs a critical action the system can verify that it is actually that user, e.g. Checks User Name and Password in a table in place of just selecting from a drop down, (Has anyone implemented similar?). My
question is, is it possible for a user to enter their user name and password when they open the database and then to store that user name for the rest of their database activity, rather than requesting that they put their
username and password in on every function?
Thanks in advance
Will
Will wrote: I am looking at using a table with user names, passwords and user rights, which I would administer. I have read a lot about the shortfalls of this and the lack of security but the customer does not wish to use Access security and what they are more focused on is a solution for when a user performs a critical action the system can verify that it is actually that user, e.g. Checks User Name and Password in a table in place of just selecting from a drop down, (Has anyone implemented similar?).
If that's all they want just capture their Windows logon. No tables and
passwords even required.
The most basic problem with home-grown security is that ANY user will be
able to see your table of UserNames and Passswords. It can work just as a
way to track who entered what, but as stated you can just capture the
Windows name for that.
--
I don't check the Email account attached
to this message. Send instead to...
RBrandt at Hunter dot com
Rick Brandt wrote: If that's all they want just capture their Windows logon. No tables and passwords even required.
From the access web: http://www.mvps.org/access/api/api0008.htm.
That'll get you the windows login as Rick suggested, unless there's an
easier way...
--
Tim http://www.ucs.mun.ca/~tmarshal/
^o<
/#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
/^^ "What's UP, Dittoooooo?" - Ditto
"Will" <Wi*********@hotmail.com> wrote in message
news:34*************@individual.net... I am looking at using a table with user names, passwords and user rights, which I would administer. I have read a lot about the shortfalls of this and the lack of security but the customer does not wish to use Access security
Why do they not wish to use ms-access security? Further, why would you
develop your own system, write tons of code,a nd cost the client more money?
It might not look very good if you sell them on the idea to writing you own
stuff. Then, someone who knows ms-access will come along and ask why did you
folks waste all this money on writing your own security system when it is
built in? The end result here that any ms-access person that comes along
will view your approach as not being very honest on your part...but perhaps
some ploy to make more work for your self!
My question is, is it possible for a user to enter their user name and password when they open the database and then to store that user name for the rest of their database activity, rather than requesting that they put their username and password in on every function?
Sure you can do this. I would assume that many tings such as the
company/customer name, and all kinds of setup stuff is contained, and
maintained in your application. I load all kinds of things into memory at
startup, stuff like company name, tax rates, year end dates etc. Loading
user name into memory (a global var) would simply be one of many things that
your application now no doubt maintains, and has when it runs.
Of course, any un-trapped error does re-set all global vars, but if you use
a mde, then errors don't re-set your global vars....
If you do use ms-access security, then you do have to sit down and learn
how ms-access security works. Often it seems that developers would rather
roll their own then learn how ms-access security works. The end result is a
custom security solution that any new developer now has to learn! It don't
make sense to try and write your own sql system, and the same goes for
security. Remember, even when you use ms-access security, you can and will
OFTEN wind up writing a lot of custom security code anyway. However, in the
long run you are still FAR better to use built in security as then you can
apply this knowledge to future ms-access projects..and have learned a
valuable skill in the process.
--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada pl*****************@msn.com http://www.attcanada.net/~kallal.msn
Will wrote: I am looking at using a table with user names, passwords and user rights, which I would administer. I have read a lot about the shortfalls of this and the lack of security but the customer does not wish to use Access security and what they are more focused on is a solution for when a user performs a critical action the system can verify that it is actually that user, e.g. Checks User Name and Password in a table in place of just selecting from a drop down, (Has anyone implemented similar?). My question is, is it possible for a user to enter their user name and password when they open the database and then to store that user name for the rest of their database activity, rather than requesting that they put their username and password in on every function?
Thanks in advance
Will
Maybe http://www.mvps.org/access/api/api0008.htm will be of assistance.
Perhaps what he is actually seeking is not the "security", but just the
permission levels. I use this scheme in my app because all users are are
already logged on to a secure intranet using Windows NT security, and are
business-wise authorized to perform all functions of my app. However, they
are not assigned to certain related areas: some data in another database
must be kept in synch with mine, unfortunately by human interface; only
two-three users per office do that, so any changes made to that set of data
by other users must be logged, and made visible to the 2-3 users who use
both systems. It's not a matter of security - nobody would have any
motivation to bypass it - it's just a matter of permissions, to make things
run smoothly.
I use Dev's fOSUserName() function to get the NT/XP user name, and assign
them to a user group upon login. From then on, a simple function call
checks if they're in the right user group to perform the function without
logging it. They of course never enter a separate password.
Darryl Kerkeslager
"Terry Kreft" <te*********@mps.co.uk> wrote: But as Access security prompts for the username and password when the db starts and then applies that security as they use the database I don't really see what you are gaining, except a (possibly) bug ridden not really secure alternative.
"Will" <Wi*********@hotmail.com> wrote in
news:34*************@individual.net: I am looking at using a table with user names, passwords and user rights, which I would administer. I have read a lot about the shortfalls of this and the lack of security but the customer does not wish to use Access security and what they are more focused on is a solution for when a user performs a critical action the system can verify that it is actually that user, e.g. Checks User Name and Password in a table in place of just selecting from a drop down, (Has anyone implemented similar?). My question is, is it possible for a user to enter their user name and password when they open the database and then to store that user name for the rest of their database activity, rather than requesting that they put their username and password in on every function?
There's a fundamental flaw in the thinking here. You assume that the
person at the keyboard is the person associated with the
username/password pair that the system is logged in as. You *can't*
assume that.
Say, for instance, that someone logs onto the database with their
personal username/password, and then walks away to have lunch.
Someone else sits down at the computer and pulls up the database and
types all sorts of things into the database. It looks like the lunch
guy did the work, but that's not the case.
You simply cannot know from the internals of Access or any custom
application exactly who is doing the data entry unless you force
them to authenticate for every single operation. Even then, someone
can very easily give someone else their username/password.
If you're going to ask for a username/password, then use Jet
security. It's built-in, it's less crackable than anything you'd
write from scratch and it is stable. You don't have to apply
security to objects, you can use the logon simply to identify the
user (I do this all the time, with no restrictions on security,
often to selectively enable controls and subforms).
I can't think of *any* advantage to rolling your own security for
this purpose.
And even using the NT logonID is going to mean that you have to keep
a table of the usernames somewhere, mapped to their authorization
levels. Why not use the built-in capabilities for doing this?
--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
"Will" <Wi*********@hotmail.com> wrote: the customer does not wish to use Access security
Is the customer a seasoned Access developer? Has he also specified that
none of the code should contain any vowels? IMHO it is ludicrous for the
customer dictate this kind of thing to the developer - they have
requirements and you, the developer, provide the solution using whatever
methods you see fit.
The issue regarding authentication can be resolved using built-in security
and a fairly simple audit routine. If you record every user transaction
against the NT user name and a time stamp, any anomolies regarding who did
what and when can be dealt with as and when they arise.
Regards,
Keith. www.keithwilby.com
Darryl Kerkeslager wrote: Perhaps what he is actually seeking is not the "security", but just the permission levels. I use this scheme in my app because all users are are already logged on to a secure intranet using Windows NT security, and are business-wise authorized to perform all functions of my app.
I use something similar - 90% my apps are written against an Oracle
database. It's a simple matter to set up an Oracle user table with
various columns/fields for permissions and grant select only (read only
access). In fact, the connect string can be buried in a module of an
mde making it impossible for a user to access the table (I use pass
through queries as opposed to linked tables) at all.
--
Tim http://www.ucs.mun.ca/~tmarshal/
^o<
/#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
/^^ "What's UP, Dittoooooo?" - Ditto
Will,
Clients can sure ask for a lot of stupid stuff! You need to write a
convincing argument outlining the benefits of Access Security and give it to
your client. Of course to do that you need to know it inside out. I believe
that to be your challenge.
Writing a function that records and tracks adds and updates by user
(currentuser) is a lot easier to implement when Access Security is
implemented first which is what your client is looking for.
Regards, and good luck with your client.
Barry
"Will" <Wi*********@hotmail.com> wrote in message
news:34*************@individual.net...
I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their username
and password in on every function?
Thanks in advance
Will
Yes, you could have a login form with user name and password. After
validating the login, make the form hidden and open the next form. Although
the login form is hidden, you can still reference the values on the form in
code. I am looking at using a table with user names, passwords and user rights, which I would administer. I have read a lot about the shortfalls of this and the lack of security but the customer does not wish to use Access security and what they are more focused on is a solution for when a user performs a critical action the system can verify that it is actually that user, e.g. Checks User Name and Password in a table in place of just selecting from a drop down, (Has anyone implemented similar?). My question is, is it possible for a user to enter their user name and password when they open the database and then to store that user name for the rest of their database activity, rather than requesting that they put their username and password in on every function?
Thanks in advance
Will This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Luca T. |
last post by:
Hello,
i need a way to find the home folder of the current user no matter if i am
in Linux or Windows for instance:
* Linux: /home/username
*...
|
by: Ed |
last post by:
Hello All,
I posted earlier about a problem I was having with editing
or pasting/deleting files in the "Home Directory" of my
web server. I...
|
by: Kenjis Kaan |
last post by:
I had to run DB2 on Win2k. After installation it puts a directory
under c:\DB2 and c:\DB2Log and C:\Program Files\SQLLIB
Now am all confused...
|
by: Matt |
last post by:
I have 2 questions:
1. strlen returns an unsigned (size_t) quantity. Why is an unsigned
value more approprate than a signed value? Why is...
|
by: Fresh Air Rider |
last post by:
Hi
I understand that ASP.net 2.0 (Whidbey) is going to reduce coding by
70%.
Surely this is going to de-skill or dumb down the developer's...
|
by: laredotornado |
last post by:
Hi,
I'm using PHP 4.4.4 on Apache 2 on Fedora Core 5. PHP was installed
using Apache's apxs and the php library was installed to...
|
by: Wayne |
last post by:
How do I get rid of the generic Windows "Open File - Security Warning"
that appears when I try to open a database that resides on another PC
on my...
|
by: Gabriella |
last post by:
Hi,
I would like to know how to find out which is the browser's "home"
URL?
This is so I'll be able to suggest "set as homepage" for my website,...
|
by: spoken |
last post by:
Hi,
How can I link to "home.htm?id=1" ? I have tried to use
getURL("home.htm%3Fid-=1") and getURL("home.htm?id-=1")
but it doesn't work because...
|
by: concettolabs |
last post by:
In today's business world, businesses are increasingly turning to PowerApps to develop custom business applications. PowerApps is a powerful tool...
|
by: better678 |
last post by:
Question:
Discuss your understanding of the Java platform. Is the statement "Java is interpreted" correct?
Answer:
Java is an object-oriented...
|
by: teenabhardwaj |
last post by:
How would one discover a valid source for learning news, comfort, and help for engineering designs? Covering through piles of books takes a lot of...
|
by: Naresh1 |
last post by:
What is WebLogic Admin Training?
WebLogic Admin Training is a specialized program designed to equip individuals with the skills and knowledge...
|
by: Matthew3360 |
last post by:
Hi there. I have been struggling to find out how to use a variable as my location in my header redirect function.
Here is my code.
...
|
by: Matthew3360 |
last post by:
Hi, I have a python app that i want to be able to get variables from a php page on my webserver. My python app is on my computer. How would I make it...
|
by: AndyPSV |
last post by:
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computerHOW CAN I CREATE AN AI with an .executable...
|
by: Arjunsri |
last post by:
I have a Redshift database that I need to use as an import data source. I have configured the DSN connection using the server, port, database, and...
|
by: Oralloy |
last post by:
Hello Folks,
I am trying to hook up a CPU which I designed using SystemC to I/O pins on an FPGA.
My problem (spelled failure) is with the...
| |