Mmmm. Doing some work with Access security.
Let's say I don't want the users to be able to edit the back end tables
directly. Not because it's a 'high security' application but because they
can do damage. I only want them to access the app through my forms.
So I deny them access rights (talking Access, not NT) to the back end data
tables. Then I use RWOP queries in the forms. This is a standard technique,
no?
User Frank I want to be able to read, update, insert, delete records in
table A
User Harry I want to be able to read, update, insert but NOT delete records
in table A
I can't set those permissions using Access security on the form can I? And
owners permission is going to give all users complete privileges (or at
least the greatest freedom that I grant to the 'owner').
How can I set a fine level of granularity of permissions, while still
ensuring that users can't get at the back end tables directly atall.
Mike
6  3516 
Mike MacSween wrote: Mmmm. Doing some work with Access security.
Let's say I don't want the users to be able to edit the back end tables
directly. Not because it's a 'high security' application but because they
can do damage. I only want them to access the app through my forms.
So I deny them access rights (talking Access, not NT) to the back end data
tables. Then I use RWOP queries in the forms. This is a standard technique,
no?
User Frank I want to be able to read, update, insert, delete records in
table A
User Harry I want to be able to read, update, insert but NOT delete records
in table A
I can't set those permissions using Access security on the form can I? And
owners permission is going to give all users complete privileges (or at
least the greatest freedom that I grant to the 'owner').
How can I set a fine level of granularity of permissions, while still
ensuring that users can't get at the back end tables directly atall.
Mike
See my reply to your message in the earlier thread. The RWOP queries
need to have an Owner that has the appropriate rights, not be owned by
the administrator.
--
Bri
"Mike MacSween" <mi***************************@btinternet.com> wrote in
message news:42***********************@news.aaisp.net.uk.. .
I can't set those permissions using Access security on the form can I? And
owners permission is going to give all users complete privileges (or at
least the greatest freedom that I grant to the 'owner').
No, you misunderstand. Users are still restricted based on the permissions
you give them on the *query*. So if you give Frank read permission on the
query, that's all he'll be able to do (regardless that the query owner has
full permission on the table).
Give Frank read, update, insert, delete permission on the query, and Harry
read, update, insert permission on the query.
Actually you should apply permissions to groups; it's easier to manage
security.
--
Joan Wild
Microsoft Access MVP
Joan Wild wrote: "Mike MacSween" <mi***************************@btinternet.com> wrote in
message news:42***********************@news.aaisp.net.uk.. .
I can't set those permissions using Access security on the form can I? And
owners permission is going to give all users complete privileges (or at
least the greatest freedom that I grant to the 'owner').
No, you misunderstand. Users are still restricted based on the permissions
you give them on the *query*. So if you give Frank read permission on the
query, that's all he'll be able to do (regardless that the query owner has
full permission on the table).
Give Frank read, update, insert, delete permission on the query, and Harry
read, update, insert permission on the query.
Actually you should apply permissions to groups; it's easier to manage
security.
Joan,
I originally thought that too, but I then tested it and it doesn't work
that way (in AC97 anyway). I created a test user in a secured DB. I gave
that user NO rights to a table, created a RWOP query based on the table,
gave only read rights to the query. I then logged in as the test user
and had FULL rights to the table via the query, not the read only rights
I thought I would get. My solution was to create a new UserID with the
appropriate rights to the Table and made it the owner of the query. Then
it worked. The query inherites the rights of the OWNER in a RWOP query,
reguardless of what rights you assign to the query. In a regular query,
the rights of it cannot give you more rights to the underlying table
than you have for the table itself.
At least in my experience and testing.
--
Bri
"Bri" <no*@here.com> wrote in message
news:wvWxe.1860786$6l.456831@pd7tw2no...
Joan,
I originally thought that too, but I then tested it and it doesn't work
that way (in AC97 anyway).
Yes it does work in 97. I've never had an issue with this.
I created a test user in a secured DB. I gave that user NO rights to a table, created a RWOP query based on the table,
gave only read rights to the query. I then logged in as the test user and
had FULL rights to the table via the query, not the read only rights I
thought I would get.
There could be a number of reasons like the users group has permissions on
the tables (or any group that the user is a member of).
My solution was to create a new UserID with the appropriate rights to the Table and made it the owner of the query. Then
it worked.
So who was the owner of the query before?
The query inherites the rights of the OWNER in a RWOP query, reguardless of what rights you assign to the query.
That is not correct; they are restricted by the permissions on the query.
The query doesn't inherit the rights of the owner. It just means that,
although the user has no permissions on the underlying table(s), when they
run this query, give them access to the tables as though the query owner
were running the query. However, still restrict them based on the
permissions I assign to this query.
If a user has full permissions on a table, and then creates a RWOP query,
but only gives read permissions on the query, any user running the query
will have read only capabilities while using the query. I have done this
countless times and never seen what you have.
It suggests to me that your test user is getting their permissions from some
group membership that you've overlooked, or that your database isn't secured
properly.
--
Joan Wild
Microsoft Access MVP
Joan Wild wrote: "Bri" <no*@here.com> wrote in message
news:wvWxe.1860786$6l.456831@pd7tw2no...
Joan,
I originally thought that too, but I then tested it and it doesn't work
that way (in AC97 anyway).
Yes it does work in 97. I've never had an issue with this.
There could be a number of reasons like the users group has permissions on
the tables (or any group that the user is a member of).
It was a member of only one group, that group had the Read only
permission on the query and no permissions on the table.
My solution was to create a new UserID with the
appropriate rights to the Table and made it the owner of the query. Then
it worked.
So who was the owner of the query before?
My Administrator UserID that I used to create the query.
The query inherites the rights of the OWNER in a RWOP query,
reguardless of what rights you assign to the query.
That is not correct; they are restricted by the permissions on the query.
The query doesn't inherit the rights of the owner. It just means that,
although the user has no permissions on the underlying table(s), when they
run this query, give them access to the tables as though the query owner
were running the query. However, still restrict them based on the
permissions I assign to this query.
If a user has full permissions on a table, and then creates a RWOP query,
but only gives read permissions on the query, any user running the query
will have read only capabilities while using the query. I have done this
countless times and never seen what you have.
It suggests to me that your test user is getting their permissions from some
group membership that you've overlooked, or that your database isn't secured
properly.
I went back to test this again it now works as you describe. This is
also the behavior that I had expected originally. I can no longer
explain how my first test did not behave like this. In it, the test ID
had the full rights to the data via the query that it only had read
rights assigned to (no rights to the table). I did it again from scratch
and only got read rights (as originally expected). Must have screwed up
something in the first test.
--
Bri
"Joan Wild" <jw***@nospamtyenet.com> wrote in message
news:11*************@corp.supernews.com... "Mike MacSween" <mi***************************@btinternet.com> wrote in
message news:42***********************@news.aaisp.net.uk.. .
I can't set those permissions using Access security on the form can I?
And owners permission is going to give all users complete privileges (or
at least the greatest freedom that I grant to the 'owner').
No, you misunderstand. Users are still restricted based on the
permissions you give them on the *query*. So if you give Frank read
permission on the query, that's all he'll be able to do (regardless that
the query owner has full permission on the table).
Ahhh! I see.
Give Frank read, update, insert, delete permission on the query, and Harry
read, update, insert permission on the query.
Actually you should apply permissions to groups; it's easier to manage
security.
Yes, that's what I've been doing.
Thanks Joan
Mike This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: NB |
last post by:
Hi
This has been tickling my mind for quite some time. Can someone tell
me if Access 2003 has a solution for it.
After a period of development, your front end will definitely bloat
despite...
|
by: Freeserve |
last post by:
Not sure whether this is the right group, but I can't find anything in the
..NET groups and my apologies if this has already been covered or is
considered "off subject".
I am looking at using an...
|
by: Bob Weisenburger |
last post by:
If a user starts up access while holding down the shift key, the
database will open without going to the startup form. This allows the
user to actually open a table and change data that he would...
|
by: karinski |
last post by:
I have a form that allows users to select criteria for a report. One of
the controls on the form is a multi-select list box. Using the MS
Knowledge Base, I wrote my code to pull the items from the...
|
by: robert demo via AccessMonster.com |
last post by:
I've done all the recommended things with workgroup security, creating a
..mde file, and splitting the application into a front end and, in my case,
multiple backends.
The problem is that users...
|
by: TechBoy |
last post by:
Re:Access 2002
If I base my form on an RWOP query, can I dynamically select from an
RWOP query result set to display on the form? Does someone have an
example?
Thanks.
|
by: google |
last post by:
I am creating a new database for use within our company, that I'd like
to make reasonably secure (short of a true server based solution). The
back-end of a non-server based database seems to be...
|
by: John |
last post by:
Tried this on microsoft.public.access.gettingstarted - no response -
perhaps more appropriate here.
I'm not a database user, simply helping someone get started with a new
computer.
The old...
|
by: rdemyan |
last post by:
Is there a way to check the validity of front-end table links on a
backend file where all permissions to data have been revoked. To get
at the data, the front end uses RWOP queries.
What I'm...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
| | |
