I'm not quite sure if I have done something wrong or what the problem is. I
created a test database and several test users. Now, I put test user Batman
in a group with no administrative rights and was also sure not to give the
dark knight himself any more rights than the group gives him.

For some reason, though, when I log into my database as Batman, all his
rights work correctly (for example, he can open design view of the form, but
it tells him he cannot change anything), but he is able to change user and
group permissions. This should not be. Only my administrative users should be
able to do that. What's wrong? Is there a permission I may have forgotten to
take away from the caped crusader?

--
Have a nice day!

~Paul
Express Scripts,
Charting the future of pharmacy

"Paul (ESI)" <(E-Mail Removed)> wrote in message
news:F9CB3596-1DFC-4F2B-A7E4-(E-Mail Removed)...
> I'm not quite sure if I have done something wrong or what the problem is.
> I
> created a test database and several test users. Now, I put test user
> Batman
> in a group with no administrative rights and was also sure not to give the
> dark knight himself any more rights than the group gives him.
>
> For some reason, though, when I log into my database as Batman, all his
> rights work correctly (for example, he can open design view of the form,
> but
> it tells him he cannot change anything), but he is able to change user and
> group permissions. This should not be. Only my administrative users should
> be
> able to do that. What's wrong? Is there a permission I may have forgotten
> to
> take away from the caped crusader?
>
Sounds like you may have missed a step in the secure process (eg have you
removed rights from the "Users" group?). Have you read the MS FAQ on
security? It's essential reading and you must follow every instruction in
every step. There's a link to it on my web site along with a worked
example. Always back up your files in case you lock yourself out!

Regards,
Keith.
www.keithwilby.com

Keith's post is on the mark, however, in the cut-to-the-chase department, is
Batman the owner of the database in question? If so, he will be able to,
among other things, administer the database even though his user and any
groups to which the user belongs lack the permission.

Thank you both very much for your help. First, though, I thought you weren't
supposed to give the users group ANY permissions if the typical person
shouldn't have access to your database. I therefore left the users group at
the default of having no rights. The real database we will be creating should
only be accessed by people we set up with a user name and password.
Therefore, the default group shouldn't even be able to open it. This way, if
some random person in our company who has Microsoft Access tries to open it,
it will not even open for them.

Also, Batman is not the owner of any of the objects in my database. I can
definitely see what you both mean, though. When I first started learning how
to set up security, these were mistakes I made, but not the case this time.

--
Have a nice day!

~Paul
Express Scripts,
Charting the future of pharmacy


"John Slattery" wrote:

> Keith's post is on the mark, however, in the cut-to-the-chase department, is
> Batman the owner of the database in question? If so, he will be able to,
> among other things, administer the database even though his user and any
> groups to which the user belongs lack the permission.
>
>
>

"Paul (ESI)" <(E-Mail Removed)> wrote in message
news:915A68DA-BEC2-4D5F-9A77-(E-Mail Removed)...
> Thank you both very much for your help. First, though, I thought you
> weren't
> supposed to give the users group ANY permissions if the typical person
> shouldn't have access to your database. I therefore left the users group
> at
> the default of having no rights.

But that is not the default. Double check the permissions for *all* objects
including the database object. Double check that Admin doesn't own any
objects, including the database object.

When you started the process of securing, did you create a new workgroup
file, or simply copy system.mdw and rename it? You *must* do the former.



--
Joan Wild
Microsoft Access MVP

Holy cow, Batman!

Methinks the Boy Wonder has BOO-BOO'd !

BOOHOO, BEMUSED BATMAN AND BOYHOOD BUDDY !!

KAPOW! KABLUIE!! etc.

HTH,
TC :-)

"TC" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> KAPOW! KABLUIE!! etc.
>
> HTH,
> TC :-)
>

I'll get you for this Top Cat ;-)

Neither Admin nor Batman are the owners of anything. I checked all objects.
Two of my users own the objects. Both are set up with Admin rights. They have
completely full permissions to all objects.

Also, I went through the User-level Security Wizard. I'm not an expert on
security, but know a little bit about it. I know enough to get through the
Wizard correctly (unless maybe I am missing something). In other words,
whatever the Wizard defaults to having me do, that is what I did. I'm not
really sure, but doesn't the Wizard have you define a new workgroup?

By the way, TC, that was hilarious! LOL!!! Na na na na na na na na Access!

--
Have a nice day!

~Paul
Express Scripts,
Charting the future of pharmacy


"Joan Wild" wrote:

> "Paul (ESI)" <(E-Mail Removed)> wrote in message
> news:915A68DA-BEC2-4D5F-9A77-(E-Mail Removed)...
> > Thank you both very much for your help. First, though, I thought you
> > weren't
> > supposed to give the users group ANY permissions if the typical person
> > shouldn't have access to your database. I therefore left the users group
> > at
> > the default of having no rights.
>
> But that is not the default. Double check the permissions for *all* objects
> including the database object. Double check that Admin doesn't own any
> objects, including the database object.
>
> When you started the process of securing, did you create a new workgroup
> file, or simply copy system.mdw and rename it? You *must* do the former.
>
>
>
> --
> Joan Wild
> Microsoft Access MVP
>
>
>

Oh fuzz bunnies! I just realized I didn't post my response after the last
repsonse in this thread. I hope folks don't just briefly skim over this and
not notice that my response wasn't the last. I'm hoping somebody knows how to
help me. This is quite the melon scratcher.

--
Have a nice day!

~Paul
Express Scripts,
Charting the future of pharmacy


"Keith" wrote:

> "TC" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >
> > KAPOW! KABLUIE!! etc.
> >
> > HTH,
> > TC :-)
> >
>
> I'll get you for this Top Cat ;-)
>
>
>

Oh, and I just went back in and noticed that it saved my workgroup as
system1.mdw, not just system.mdw if that helps clear up the situation at all.

--
Have a nice day!

~Paul
Express Scripts,
Charting the future of pharmacy


"Paul (ESI)" wrote:

> Neither Admin nor Batman are the owners of anything. I checked all objects.
> Two of my users own the objects. Both are set up with Admin rights. They have
> completely full permissions to all objects.
>
> Also, I went through the User-level Security Wizard. I'm not an expert on
> security, but know a little bit about it. I know enough to get through the
> Wizard correctly (unless maybe I am missing something). In other words,
> whatever the Wizard defaults to having me do, that is what I did. I'm not
> really sure, but doesn't the Wizard have you define a new workgroup?
>
> By the way, TC, that was hilarious! LOL!!! Na na na na na na na na Access!
>
> --
> Have a nice day!
>
> ~Paul
> Express Scripts,
> Charting the future of pharmacy
>
>
> "Joan Wild" wrote:
>
> > "Paul (ESI)" <(E-Mail Removed)> wrote in message
> > news:915A68DA-BEC2-4D5F-9A77-(E-Mail Removed)...
> > > Thank you both very much for your help. First, though, I thought you
> > > weren't
> > > supposed to give the users group ANY permissions if the typical person
> > > shouldn't have access to your database. I therefore left the users group
> > > at
> > > the default of having no rights.
> >
> > But that is not the default. Double check the permissions for *all* objects
> > including the database object. Double check that Admin doesn't own any
> > objects, including the database object.
> >
> > When you started the process of securing, did you create a new workgroup
> > file, or simply copy system.mdw and rename it? You *must* do the former.
> >
> >
> >
> > --
> > Joan Wild
> > Microsoft Access MVP
> >
> >
> >