[AccessD] Database Needs Password Protection

Jim Hewson jm.hwsn at gmail.com
Mon Apr 26 09:30:11 CDT 2010 

Lambert,

For A2007 you're not too far off though.
In a pure (no other versions) A2007 scenario I would probably do the same.
Except, I would hide the subdirectory using the "$" from the typical UNC
path and encrypt and password protect the backend.  Prior to that, I would
create a couple of dummy tables and hide (change table attribute to hidden)
then ensure the tables are not showing in the navigation pane in the front
end.

My explanation:  If the directory is hidden, most users wouldn't be able to
find the directory where the BE resides.  The BE is easily encrypted with a
password.  Access 2007 uses 40 bit encryption to encrypt a file.  But that
can be pushed to 128 if really needed.  If someone attempts to link or
import any tables then they are required to supply the password before they
can even see anything.  The reason I would create dummy tables and hide them
is that if someone wanted to look at the tables linked in the front end they
could do that.  But if the tables are hidden they won't know they are there.
With a few lines of XML code in a hidden system table, ALL ribbons and
commands are hidden and cannot be used except to Exit Access.  Of course, it
goes without saying... disable the By Pass key.
 
Jim

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Heenan, Lambert
Sent: Monday, April 26, 2010 8:48 AM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Database Needs Password Protection

No. Nobody will be able to open the folder in which the backends reside
(except for the admins). So they cannot open them directly at all.Not being
able to open the folder, they cannot discover the name of the files in
there, so cannot link to them from any other application.

Your task will be to restrict them from getting access to the databse window
where they will see the tables and queries, and to prevent them from running
any code they may craft themselves. Standard Access stuff.

As long as nobody in the user pool knows the names of the backend files they
will not be able to open them in any access app. They may put together
themselves. They will only have access vie the approved applications.

# HOLD THE PRESSES!!! #####*($*#*$#*$#*$#*$#*$*#*$*#*$*#*$*#
###################################### Dang!!! ###########

Just found the elephant sized hole in my suggestion. All they need to do is
import the table links from an approved application front end and bingo...
they have full access to the tables.

Back to the drawing board.

#############################################################

Lambert

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Rocky Smolin
Sent: Monday, April 26, 2010 9:25 AM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Database Needs Password Protection

Lambert:

His requirement is that anyone who tries to modify the back end directly
will be unable to do so but will still be able to modify the data through
the front end. It looks like with your approach a member of the group will
be able to open the back end directly and be able to modify the data in the
tables.  True?

Rocky
 

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Heenan, Lambert
Sent: Monday, April 26, 2010 6:18 AM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Database Needs Password Protection

Rocky,

What kind of restrictions do they want? If they simply want to prevent users
from getting into the folder that holds the backend files then you can do
all of that with Windows security (NT/2K/XP/Vista/7)and not a line of code
needed.

You'll need cooperation from the client's network people but...

First thing you want is a windows user group into which all the users are
added. This makes it much simpler when applying permissions to folders.

So. First make a folder on the server say 'Databases'

Next create a subfolder called 'Backends'.
Third create a subfolder in Backends which you can call 'Data'.

Now modify the permissions on 'Databases' granting the user group modify
permissions and apply the permissions to the folder and all sub-folders.
Also make sure that an administrator's ID and or the Database
administrator's ID is granted full control of the folder tree.

Now you need to modify the permissions on the 'Backends' folder.  Open the
properties sheet for the folder and select the 'Security' tab. Click the
'Advanced' button. Select the user group in the permissions listing, and
click 'Edit'. In the resulting dialog box clear the check boxes for
'Traverse Folder / Execute File', 'List Folder /Read Data' and (most
importantly) 'Delete Subfolders and Files'.

Click OK and OK.

The end result is that the user in the user group have modify permissions to
the 'Data' folder , and that is where all the backends would reside, in
their own sub-folders if desired. However, the users will only be able to
look inside the folder 'Databases' where they will see that there is a
folder called 'Data' inside it, but they will not be able to browse into
'Data' nor delete it. Is that sufficiently restricted access?

HTH

Lambert

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Rocky Smolin
Sent: Sunday, April 25, 2010 3:28 PM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] Database Needs Password Protection

Dear List:

In my manufacturing software users log in with a password that gives them 1)
read only, 2) read write, 3) administrator access.  But the back end is wide
open. So far this has not been a problem.  Everywhere the system is
installed people 'play by the rules'.  

Now comes a client who wants access to the back end restricted.  So I'm
trying to think of way to do that with the least disruption to the system
which BTW supports multiple back ends - the user can open a different back
end through an 'Open a Database' utility.

In the code, of course, I'd have to change all occurrence of 

set db = CurrentDb to 

Set db = DBEngine.OpenDatabase(gstrDB, False, False, ";pwd=" & gstrPWD)


where the password would be in gstrPWD.

Then I would have to add a utility accessible only by someone with admin
rights, to 1) set, 2) remove, and 3) change the password on the currently
linked back end.  Don't know what that code looks like but I suppose I can
figure it out.

Question is - is this the shortest distance between the two points?  Or is
there another approach which would be faster/better/easier?

 

MTIA

Rocky Smolin

Beach Access Software

858-259-4334

www.e-z-mrp.com <http://www.e-z-mrp.com/> 

www.bchacc.com <http://www.bchacc.com/> 

 

 

 


--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

More information about the AccessD mailing list