Drew Wutka
DWUTKA at Marlow.com
Fri Sep 7 00:30:20 CDT 2007
True, it's not right or wrong. I am not trying to 'blast' your methods. I had a talk with my boss's boss one day, years ago (ironically, he turned in his notice, after working with Marlow for over 20 years, and tomorrow is his last day). He was asking about certain security aspects of our network. When I started there, our network was in shambles, and Mark (our old network administrator) and I spent years tightening things up to a respectable level. But one of the things I told Robbie was that one of our main security measurements was the ignorance of our users. At the time, what protected much of our stuff was that most people just didn't know where things were, or how to get into them, and that's not talking about passwords, just simply not knowing how to run something.

However, our debate here takes a different turn when you change the type of application. If you are building a database for a customer to track some of their information, 'trusting' them with the data isn't an issue, if the data is for their own use. Who cares if they go in and change an 'a' to a 'b'? It's their data. Data integrity is only used to make sure the processes work. But what if the data IS the process?

Case in point: I built a system we call the ISFE, Information Systems Front End. It's our request tracking system (asset management, etc.). We are a public company; we use the ISFE to PROVE that the work we do was authorized. It has an electronic signature capability. We get audited based on the information in that system AND based on the integrity of that system. If I was an auditor, and I was able to just get directly into the tables, with no security stopping me, I would fail the company using that application.
Drew

-----Original Message-----
From: accessd-bounces at databaseadvisors.com [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Steve Schapel
Sent: Thursday, September 06, 2007 10:16 PM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Transactions

Hi Drew,

Drew Wutka wrote:
> The biggest hole in the 'GUI' data integrity process is the .mdb itself.

Yes, I know. Well, I don't call it a "hole". But yes, I know.

> You can link tables or import them into another .mdb with a few clicks
> of the mouse.

Yes, I know.

> So, if you have a table that you really don't want people editing data
> in, no amount of GUI tricks are going to prevent that if you don't put
> security on a table. If someone wants to get at the data, they can just
> link the tables in a blank database, and have at the data.

Yes, I know they can. But they don't... that's the point.

> So, in the case of your customers, who want to have access to write
> their own queries and reports, you are simply getting by with having
> uninformed or inexperienced customers.

No. Some would be uninformed or inexperienced. But that's not as relevant as professional and responsible.

> A user of Access, who knows the
> just a fraction of how Access works can link to the tables in your
> database.

I don't think that's true. There are a lot of people who know a fair bit about Access, who wouldn't think of that possibility. Of course, many of my customers have no idea that we are using Access anyway. But again, that's not the main point. You are making the assumption that just because people *can* stuff around with stuff they've got no business with, that they *will*. That's very sad. I have good relationships with my clients. Those that have the skills and knowledge to link to the backend from another Access file would discuss it with me before they went near it. But again, Drew, I am happy for you to take additional precautions if you feel the need to.
This is not a "right or wrong" consideration here.

Regards
Steve

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com