Jim Dettman
jimdettman at earthlink.net
Tue Jun 7 07:05:26 CDT 2005
Josh,

First let me say that the security in Access has always been weak. If security is a concern, then you need to be using something other than Access/JET. This is even outside of the fact that cracking tools for both database and user level security are now widespread, which makes talking about Access security at all a rather moot point. I don't use it at all any more. It's not worth the effort.

Second, keep in mind that we are talking about JET as the database engine, not with SQL Server as the BE.

<<In terms of front-end security, can a front-end truly be locked down to force a user to remain in the GUI and abide by its code?>>

Yes.

<<Coding in C++ with an interface to an Access backend allows you to allow the user to only work in the program your way, without tinkering with the tables (you can always password protect the Access database then encode the password into the program itself). However, in also using Access as a front end, it seems to me that a user could still break out the loop and use whatever queries had write access to manually go in and mess around with things, sometimes allowing a bypass of a transaction log.>>

It depends on how you set things up. If you open workspace objects in code and access the tables that way and you're distributing as an mde, then there is no way for them to get at them other than through the FE.

If you set up queries to run with owner permissions, then you must keep them out of the database container. That still partially works as they won't be able to open the tables directly, but they will be able to execute any of the queries.

I see someone has already posted the link to the FAQ, which is the #1 resource for the security stuff. Give it a read if you have time.

Jim.

-----Original Message-----
From: accessd-bounces at databaseadvisors.com [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Josh McFarlane
Sent: Monday, June 06, 2005 6:23 PM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Access security question

On 6/6/05, Jim Dettman <jimdettman at earthlink.net> wrote:
> Steve,
>
> <<Or is it even possible for the application to handle Access security
> like this. That is, can Access security work without a user explicitly
> typing in a password?>>
>
> Yes it can. Access security is always "on", it's just that you don't get
> a password prompt if the admin user has a blank password (JET always
> attempts a logon with username admin and a blank password when it first
> tries to open a database).
>
> <<Let's
> say that the tables in the BE have Access security invoked. If the
> FE/BE is distributed in MDE format with Access Runtime, can a user
> with a full-bore package of Access start the application, break out of
> it, and wind up with all the tables available to him for editing, etc?
> This is provided that the security is administered by the software so
> that the actual security password is not known by the user. Only user
> names and application passwords would be known.>>
>
> Without Access user level security in place on the BE tables, yes. To
> prevent that, they need to be properly secured with user level security and
> all the queries will need RWO (Run with owner permissions) set or you need
> to open a workspace object with the correct username/password in code.
>
> Jim.

Here's another access security question:

In terms of front-end security, can a front-end truly be locked down to force a user to remain in the GUI and abide by its code?

Coding in C++ with an interface to an Access backend allows you to allow the user to only work in the program your way, without tinkering with the tables (you can always password protect the Access database then encode the password into the program itself). However, in also using Access as a front end, it seems to me that a user could still break out the loop and use whatever queries had write access to manually go in and mess around with things, sometimes allowing a bypass of a transaction log.

Can Access be locked down so someone who knows a thing or two about Access can't modify data directly?

Thanks,
Josh McFarlane

"Peace cannot be kept by force. It can only be achieved by understanding."
-Albert Einstein
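
The two set-ups named in the reply above (a workspace opened in code, and a query that runs with owner permissions), sketched in VBA/DAO as an added example that is not part of the original thread. The path, account, table and query names are hypothetical placeholders, and the code assumes the Access session is joined to the workgroup file that secures the BE.

```vba
' Added example, not code from the thread. BE_PATH, AppOwner, tblOrders and
' qryOrdersRWO are hypothetical names; the password is a placeholder.
Option Compare Database
Option Explicit

Private Const BE_PATH As String = "C:\Data\Backend.mdb"
Private Const BE_USER As String = "AppOwner"
Private Const BE_PWD As String = "<password-placeholder>"

' Set-up 1: open a workspace in code under an account that holds the table
' permissions. The logged-on Access user has no rights on the BE tables.
Public Function CountOrders() As Long
    Dim ws As DAO.Workspace
    Dim db As DAO.Database
    Dim rs As DAO.Recordset

    On Error GoTo Fail
    Set ws = DBEngine.CreateWorkspace("SecureWS", BE_USER, BE_PWD, dbUseJet)
    Set db = ws.OpenDatabase(BE_PATH)
    Set rs = db.OpenRecordset("SELECT Count(*) AS N FROM tblOrders", dbOpenSnapshot)
    CountOrders = rs!N
Done:
    On Error Resume Next            ' cleanup must not raise
    If Not rs Is Nothing Then rs.Close
    If Not db Is Nothing Then db.Close
    If Not ws Is Nothing Then ws.Close
    Exit Function
Fail:
    CountOrders = -1                ' logon or permission failure
    Resume Done
End Function

' Set-up 2: a saved query that runs with its owner's permissions (RWO).
' Anyone who can reach this query can execute it, so it has to stay out of
' the users' reach, as the reply notes.
Public Sub CreateRwoQuery()
    Dim sql As String
    sql = "SELECT OrderID, Customer FROM tblOrders WITH OWNERACCESS OPTION;"
    CurrentDb.CreateQueryDef "qryOrdersRWO", sql
End Sub
```

In the first set-up the account password sits in the MDE's compiled code, so it is only as strong as the Jet user-level security the reply describes.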