"Home grown" Access Security

I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their username
and password in on every function?

Thanks in advance

Will
Nov 13 '05 #1
Yes it is.

Store in either
global variables
or
database properties
or
a table.

But as Access security prompts for the username and password when the db
starts and then applies that security as they use the database I don't
really see what you are gaining, except a (possibly) bug ridden not really
secure alternative.
--
Terry Kreft
MVP Microsoft Access
"Will" <Wi*********@hotmail.com> wrote in message
news:34*************@individual.net...
I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My question is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their username and password in on every function?

Thanks in advance

Will

Nov 13 '05 #2
Will wrote:
I am looking at using a table with user names, passwords and user
rights, which I would administer. I have read a lot about the
shortfalls of this and the lack of security but the customer does not
wish to use Access security and what they are more focused on is a
solution for when a user performs a critical action the system can
verify that it is actually that user, e.g. Checks User Name and
Password in a table in place of just selecting from a drop down, (Has
anyone implemented similar?).


If that's all they want just capture their Windows logon. No tables and
passwords even required.

The most basic problem with home-grown security is that ANY user will be
able to see your table of UserNames and Passwords. It can work just as a
way to track who entered what, but as stated you can just capture the
Windows name for that.

--
I don't check the Email account attached
to this message. Send instead to...
RBrandt at Hunter dot com
Nov 13 '05 #3
Rick Brandt wrote:
If that's all they want just capture their Windows logon. No tables and
passwords even required.


From the access web: http://www.mvps.org/access/api/api0008.htm.
That'll get you the windows login as Rick suggested, unless there's an
easier way...
--
Tim http://www.ucs.mun.ca/~tmarshal/
^o<
/#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
/^^ "What's UP, Dittoooooo?" - Ditto
Nov 13 '05 #4
"Will" <Wi*********@hotmail.com> wrote in message
news:34*************@individual.net...
I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security

Why do they not wish to use ms-access security? Further, why would you
develop your own system, write tons of code, and cost the client more money?

It might not look very good if you sell them on the idea of writing your own
stuff. Then, someone who knows ms-access will come along and ask why did you
folks waste all this money on writing your own security system when it is
built in? The end result here is that any ms-access person that comes along
will view your approach as not being very honest on your part...but perhaps
some ploy to make more work for yourself!

My question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their
username
and password in on every function?


Sure you can do this. I would assume that many things such as the
company/customer name, and all kinds of setup stuff is contained, and
maintained in your application. I load all kinds of things into memory at
startup, stuff like company name, tax rates, year end dates etc. Loading
user name into memory (a global var) would simply be one of many things that
your application now no doubt maintains, and has when it runs.

Of course, any un-trapped error does re-set all global vars, but if you use
a mde, then errors don't re-set your global vars....

If you do use ms-access security, then you do have to sit down and learn
how ms-access security works. Often it seems that developers would rather
roll their own than learn how ms-access security works. The end result is a
custom security solution that any new developer now has to learn! It don't
make sense to try and write your own sql system, and the same goes for
security. Remember, even when you use ms-access security, you can and will
OFTEN wind up writing a lot of custom security code anyway. However, in the
long run you are still FAR better to use built in security as then you can
apply this knowledge to future ms-access projects..and have learned a
valuable skill in the process.

--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada
pl*****************@msn.com
http://www.attcanada.net/~kallal.msn
Nov 13 '05 #5
Will wrote:
I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their username
and password in on every function?

Thanks in advance

Will


Maybe http://www.mvps.org/access/api/api0008.htm will be of assistance.
Nov 13 '05 #6
Perhaps what he is actually seeking is not the "security", but just the
permission levels. I use this scheme in my app because all users are
already logged on to a secure intranet using Windows NT security, and are
business-wise authorized to perform all functions of my app. However, they
are not assigned to certain related areas: some data in another database
must be kept in synch with mine, unfortunately by human interface; only
two-three users per office do that, so any changes made to that set of data
by other users must be logged, and made visible to the 2-3 users who use
both systems. It's not a matter of security - nobody would have any
motivation to bypass it - it's just a matter of permissions, to make things
run smoothly.

I use Dev's fOSUserName() function to get the NT/XP user name, and assign
them to a user group upon login. From then on, a simple function call
checks if they're in the right user group to perform the function without
logging it. They of course never enter a separate password.
Darryl Kerkeslager

"Terry Kreft" <te*********@mps.co.uk> wrote:
But as Access security prompts for the username and password when the db
starts and then applies that security as they use the database I don't
really see what you are gaining, except a (possibly) bug ridden not really
secure alternative.

Nov 13 '05 #7
"Will" <Wi*********@hotmail.com> wrote in
news:34*************@individual.net:
I am looking at using a table with user names, passwords and user
rights, which I would administer. I have read a lot about the
shortfalls of this and the lack of security but the customer does
not wish to use Access security and what they are more focused on
is a solution for when a user performs a critical action the
system can verify that it is actually that user, e.g. Checks User
Name and Password in a table in place of just selecting from a
drop down, (Has anyone implemented similar?). My question is, is
it possible for a user to enter their user name and password when
they open the database and then to store that user name for the
rest of their database activity, rather than requesting that they
put their username and password in on every function?


There's a fundamental flaw in the thinking here. You assume that the
person at the keyboard is the person associated with the
username/password pair that the system is logged in as. You *can't*
assume that.

Say, for instance, that someone logs onto the database with their
personal username/password, and then walks away to have lunch.
Someone else sits down at the computer and pulls up the database and
types all sorts of things into the database. It looks like the lunch
guy did the work, but that's not the case.

You simply cannot know from the internals of Access or any custom
application exactly who is doing the data entry unless you force
them to authenticate for every single operation. Even then, someone
can very easily give someone else their username/password.

If you're going to ask for a username/password, then use Jet
security. It's built-in, it's less crackable than anything you'd
write from scratch and it is stable. You don't have to apply
security to objects, you can use the logon simply to identify the
user (I do this all the time, with no restrictions on security,
often to selectively enable controls and subforms).

I can't think of *any* advantage to rolling your own security for
this purpose.

And even using the NT logonID is going to mean that you have to keep
a table of the usernames somewhere, mapped to their authorization
levels. Why not use the built-in capabilities for doing this?

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #8
"Will" <Wi*********@hotmail.com> wrote:
the customer does not wish to use Access
security


Is the customer a seasoned Access developer? Has he also specified that
none of the code should contain any vowels? IMHO it is ludicrous for the
customer to dictate this kind of thing to the developer - they have
requirements and you, the developer, provide the solution using whatever
methods you see fit.

The issue regarding authentication can be resolved using built-in security
and a fairly simple audit routine. If you record every user transaction
against the NT user name and a time stamp, any anomalies regarding who did
what and when can be dealt with as and when they arise.

Regards,
Keith.
www.keithwilby.com
Nov 13 '05 #9
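
The Windows-logon, user-group and audit scheme described in the replies above, written in VBA as an added example (not code from any poster or from the linked mvps.org page). It reads the account name through `WScript.Network` in place of the `fOSUserName()` API wrapper and logs every attempt, allowed or not; the table names, `CanPerform` and the group names are hypothetical.

```vba
Option Compare Database
Option Explicit

' Added example. tblUserGroup and tblAuditLog are hypothetical tables.
Private mUser As String, mGroup As String   ' module state, reloaded on demand

' One-time setup: create the two hypothetical tables.
Public Sub CreateSecurityTables()
    CurrentDb.Execute "CREATE TABLE tblUserGroup (UserName TEXT(255) " & _
        "CONSTRAINT pkUserGroup PRIMARY KEY, GroupName TEXT(50))", dbFailOnError
    CurrentDb.Execute "CREATE TABLE tblAuditLog (LogID COUNTER " & _
        "CONSTRAINT pkAuditLog PRIMARY KEY, UserName TEXT(255), " & _
        "ActionName TEXT(255), Allowed YESNO, LoggedAt DATETIME)", dbFailOnError
End Sub

' Windows account name taken from the OS session, never typed by the user.
Public Function OSUserName() As String
    OSUserName = LCase$(CreateObject("WScript.Network").UserName)
End Function

' Look the group up once; repeats if an unhandled error cleared module state.
Private Sub EnsureSession()
    Dim qd As DAO.QueryDef, rs As DAO.Recordset
    If Len(mUser) > 0 Then Exit Sub
    mUser = OSUserName()
    mGroup = ""
    Set qd = CurrentDb.CreateQueryDef("", "PARAMETERS pUser TEXT(255); " & _
        "SELECT GroupName FROM tblUserGroup WHERE UserName = [pUser];")
    qd.Parameters("pUser") = mUser
    Set rs = qd.OpenRecordset(dbOpenSnapshot)
    If Not rs.EOF Then mGroup = Nz(rs!GroupName, "")
    rs.Close
End Sub

' True only when the user's group matches; every attempt is audited.
Public Function CanPerform(ByVal actionName As String, _
                           ByVal requiredGroup As String) As Boolean
    EnsureSession
    CanPerform = (Len(mGroup) > 0) And _
                 (StrComp(mGroup, requiredGroup, vbTextCompare) = 0)
    WriteAudit actionName, CanPerform
End Function

' Parameterised insert so user and action names are never spliced into SQL.
Private Sub WriteAudit(ByVal actionName As String, ByVal allowed As Boolean)
    Dim qd As DAO.QueryDef
    Set qd = CurrentDb.CreateQueryDef("", "PARAMETERS pUser TEXT(255), " & _
        "pAction TEXT(255), pAllowed BIT; INSERT INTO tblAuditLog " & _
        "(UserName, ActionName, Allowed, LoggedAt) " & _
        "VALUES ([pUser], [pAction], [pAllowed], Now());")
    qd.Parameters("pUser") = mUser
    qd.Parameters("pAction") = actionName
    qd.Parameters("pAllowed") = allowed
    qd.Execute dbFailOnError
End Sub
```

A critical routine would start with a guard such as `If Not CanPerform("DeleteOrder", "Supervisors") Then Exit Sub`. As the replies above point out, this records which Windows session acted, not who was at the keyboard, and both tables need to be kept out of reach of ordinary users for the log to mean anything.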
Darryl Kerkeslager wrote:
Perhaps what he is actually seeking is not the "security", but just the
permission levels. I use this scheme in my app because all users are
already logged on to a secure intranet using Windows NT security, and are
business-wise authorized to perform all functions of my app.


I use something similar - 90% my apps are written against an Oracle
database. It's a simple matter to set up an Oracle user table with
various columns/fields for permissions and grant select only (read only
access). In fact, the connect string can be buried in a module of an
mde making it impossible for a user to access the table (I use pass
through queries as opposed to linked tables) at all.
--
Tim http://www.ucs.mun.ca/~tmarshal/
^o<
/#) "Burp-beep, burp-beep, burp-beep?" - Quaker Jake
/^^ "What's UP, Dittoooooo?" - Ditto
Nov 13 '05 #10
Will,
Clients can sure ask for a lot of stupid stuff! You need to write a
convincing argument outlining the benefits of Access Security and give it to
your client. Of course to do that you need to know it inside out. I believe
that to be your challenge.

Writing a function that records and tracks adds and updates by user
(currentuser) is a lot easier to implement when Access Security is
implemented first which is what your client is looking for.

Regards, and good luck with your client.
Barry
"Will" <Wi*********@hotmail.com> wrote in message
news:34*************@individual.net...
I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their username
and password in on every function?

Thanks in advance

Will

Nov 13 '05 #11
Yes, you could have a login form with user name and password. After
validating the login, make the form hidden and open the next form. Although
the login form is hidden, you can still reference the values on the form in
code.

I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does not wish to use Access
security and what they are more focused on is a solution for when a user
performs a critical action the system can verify that it is actually that
user, e.g. Checks User Name and Password in a table in place of just
selecting from a drop down, (Has anyone implemented similar?). My
question
is, is it possible for a user to enter their user name and password when
they open the database and then to store that user name for the rest of
their database activity, rather than requesting that they put their
username
and password in on every function?

Thanks in advance

Will

Nov 13 '05 #12
