I have taken over support of an A97 application which has presented an
interesting and confounding scenario involving workgroup security. I cant
figure out whether my predecessor deliberately engineered this situation or
has hit on a bug in the security model and exploited this. The system is in
4 components, a database back end, an application front end (ODBC links to
back end), an administration front end and a workgroup security file. There
have been no write permissions assigned to the tables in the back end
database, which means that no user other than the database owner (now me)
can make changes to the data directly in the back end. When I saw this it
made me wonder how the users were able to edit data in their front end
application as I would have thought the principles of inheritance would have
prevented this. In the front end database, users have been given full
editing rights to all of the table links, but this does not permit editing -
presumably because the reciprocal rights dont exist in the back end.
However - and here's the thing - there are a heap of queries in the front
end that have also had full editing rights assigned. The users are able to
make changes to the data so long as their forms reference these queries
rather than the tables. In other words, if I open tblData as a user I cant
edit the data, but if I open qryData which is simply 'select * from tblData'
I can edit - its true I swear! If I make a copy of qryData, this does not
allow editing even though it has the same permission set as the original, so
there is something special about these queries.
So, in summary, there are a number of queries in the front end app that
have somehow been given the power to override the permissions on the source
tables. I cant see what is different about these queries but obviously
there is something. The issue that I have is that I need to give write
permission to a small group of users via the administration interface. I
cant replicate the setup with the queries in the main app, so I'm snookered.
Obviously I can work around this by granting write permissions in the back
end database, but its kind of nifty the way the thing works at the moment in
only allowing data mods to occur via the front end interface. So if I could
replicate this setup with queries in the admin db I would be happy.
Any clues out there?
1  1438 
Andrew Chanter wrote: I have taken over support of an A97 application which has presented an
interesting and confounding scenario involving workgroup security. I
cant figure out whether my predecessor deliberately engineered this
situation or has hit on a bug in the security model and exploited
this. The system is in 4 components, a database back end, an
application front end (ODBC links to back end), an administration
front end and a workgroup security file. There have been no write
permissions assigned to the tables in the back end database, which
means that no user other than the database owner (now me) can make
changes to the data directly in the back end. When I saw this it
made me wonder how the users were able to edit data in their front
end application as I would have thought the principles of inheritance
would have prevented this. In the front end database, users have
been given full editing rights to all of the table links, but this
does not permit editing - presumably because the reciprocal rights
dont exist in the back end. However - and here's the thing - there
are a heap of queries in the front end that have also had full
editing rights assigned. The users are able to make changes to the
data so long as their forms reference these queries rather than the
tables. In other words, if I open tblData as a user I cant edit the
data, but if I open qryData which is simply 'select * from tblData' I
can edit - its true I swear! If I make a copy of qryData, this does
not allow editing even though it has the same permission set as the
original, so there is something special about these queries.
So, in summary, there are a number of queries in the front end app
that
have somehow been given the power to override the permissions on the
source tables. I cant see what is different about these queries but
obviously there is something. The issue that I have is that I need
to give write permission to a small group of users via the
administration interface. I cant replicate the setup with the
queries in the main app, so I'm snookered. Obviously I can work
around this by granting write permissions in the back end database,
but its kind of nifty the way the thing works at the moment in only
allowing data mods to occur via the front end interface. So if I
could replicate this setup with queries in the admin db I would be
happy.
Those are Run-With-Owners-Permission queries and that is a standard setup for
Access security. It prevents people from importing or linking to the tables
with a file independent of the front end that the developer intends to be used.
By the way, those are not ODBC links. You can't use ODBC to link an Access file
to another Access file.
--
I don't check the Email account attached
to this message. Send instead to...
RBrandt at Hunter dot com This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Newbillian |
last post by:
Is there some way of using vba to automate the processe of joining an
Access 97 security workgroup? I typed wrkgadm /? at a command prompt
and it just opens the gui, so I'm not sure what the...
|
by: Daniel |
last post by:
Thank you for reading...
I have developed two separate dbases using Access 2002. Each has
their own workgroup specifications. On each users desktop I created a
shortcut to the front end dbase...
|
by: Chris Tyson |
last post by:
My problem is this:
I have created a database, using Workgroup security features. Unique
Workgroup. New users added. Permissions to Admins, Admin, and Users revoked.
'Ownership' of database...
|
by: Paul T. Rong |
last post by:
A card where I wrote my name and WID (work group ID) was stolen
(unfortunately together with other things), therotically the one who have my
name and WID can create the same mdw file which I use...
|
by: Dom |
last post by:
Hi,
I have a problem in getting Access 2002 to read my workgroup file.
I've created different groups and users and when the db is opened the
user is prompted to enter a username and password...
|
by: raydelex |
last post by:
I am new to securing a database with logins. My questions is: I want
only one database to use a new Workgroup file that I have created, not
all the Access databases that I bring up under my...
|
by: paulsmith5 |
last post by:
Hi,
I secured a database a while back using the User-Level Security Wizard.
During this process I created a new workgroup file, modified the Admins
group by adding a new administrator and...
|
by: JaBo |
last post by:
Our company computers were recently upgraded to Windows XP with
Microsoft Office 2003. We have 3 different Access Databases (in
different directories on our network) which all require the user to...
|
by: dogman_2000 |
last post by:
Hi All
I am new to working with Access workgroup files and have a question.
I joined a new access workgroup (one which was already created by a
previous access developer) via the access Tools...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |
