FE/BE Security

dickw

I have a DB split into a FE and BE. I have set up security on the BE to give
one group Read-Only permission. I have given this same group full data
permissions in the FE. When I run the application logged in as a Read-Only
user, I can still add/modify data in the BE. My understanding was that the
more restrictive permissions in the BE would rule. Am I mistaken?

The reason I am giving the Read-Only group full data permissions in the FE
is that this DB will not open otherwise. I get an error in one of my
modules ("Run-time error '2455': You entered an expression that has an
invalid reference to the property Form/Report."). I can't understand why
this is happening since it would appear to have nothing to do with security
settings. The application works great in all other respects with users with
full data permissions. I was going to overlook this problem if I could get
the Read-Only between the FE/BE resolved.

Thanks for any information you can provide.

Dick
 
Joan Wild

dickw said:
> I have a DB split into a FE and BE. I have set up security on the BE to give
> one group Read-Only permission. I have given this same group full data
> permissions in the FE. When I run the application logged in as a Read-Only
> user, I can still add/modify data in the BE. My understanding was that the
> more restrictive permissions in the BE would rule. Am I mistaken?

No you aren't. Double check that the Users Group doesn't have some
permissions - it shouldn't have any. Also double check the other groups
that the read-only user is a member of. Remember that users will inherit
permissions from groups, and these won't show in the permission dialog.

> The reason I am giving the Read-Only group full data permissions in the FE
> is that this DB will not open otherwise. I get an error in one of my
> modules ("Run-time error '2455': You entered an expression that has an
> invalid reference to the property Form/Report."). I can't understand why
> this is happening since it would appear to have nothing to do with security
> settings.

It doesn't, perhaps you could post the code.
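
One way to check the point above about inherited group permissions, as an added example that is not part of the original thread: a DAO routine that prints, for each table, what is granted to the account directly and what it effectively holds through its groups. The account name and database path are supplied by the caller and are assumptions; it assumes an .mdb secured with user-level security and a session logged in through the same workgroup file as a member of Admins.

```vba
' Added example, not code from the thread.
' Assumptions: DAO reference is set, the caller is a member of Admins,
' and accountName / dbPath are values you supply.
Option Compare Database
Option Explicit

Public Sub DumpTablePermissions(ByVal dbPath As String, ByVal accountName As String)
    Dim db As DAO.Database
    Dim doc As DAO.Document
    Dim explicitPerms As Long
    Dim effectivePerms As Long

    Set db = DBEngine.Workspaces(0).OpenDatabase(dbPath)

    ' The "Tables" container holds the documents for tables and saved queries.
    For Each doc In db.Containers("Tables").Documents
        If Left$(doc.Name, 4) <> "MSys" Then
            doc.UserName = accountName
            explicitPerms = doc.Permissions      ' granted to the account itself
            effectivePerms = doc.AllPermissions  ' plus rights inherited from its groups
            Debug.Print doc.Name, _
                "explicit: " & DescribeDataPerms(explicitPerms), _
                "effective: " & DescribeDataPerms(effectivePerms)
        End If
    Next doc

    db.Close
End Sub

' Translate the data-related permission bits into readable words.
Private Function DescribeDataPerms(ByVal perms As Long) As String
    Dim s As String
    If (perms And dbSecRetrieveData) = dbSecRetrieveData Then s = s & "Read "
    If (perms And dbSecInsertData) = dbSecInsertData Then s = s & "Insert "
    If (perms And dbSecReplaceData) = dbSecReplaceData Then s = s & "Update "
    If (perms And dbSecDeleteData) = dbSecDeleteData Then s = s & "Delete "
    If Len(s) = 0 Then s = "(none)"
    DescribeDataPerms = Trim$(s)
End Function
```

Run it once against the FE and once against the BE. Any table whose effective set is wider than its explicit set is receiving rights through a group such as Users.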
 
dickw

Thanks for your prompt reply.

Joan Wild said:
> No you aren't. Double check that the Users Group doesn't have some
> permissions - it shouldn't have any. Also double check the other groups
> that the read-only user is a member of. Remember that users will inherit
> permissions from groups, and these won't show in the permission dialog.

I have double checked that the Users group has no permissions. The
Read-Only user is only a member of the Read-Only group and users. If I open
the BE, the Read-Only user has only read permission. As soon as I open the
FE, this same user has full data permissions, even when I open a linked
table directly.

> It doesn't, perhaps you could post the code.

I have solved the second problem. I have forgotten to give the Read-Only
group Open/Run permissions for the database itself.
 
dickw

dickw said:
> Thanks for your prompt reply.
>
> I have double checked that the Users group has no permissions. The
> Read-Only user is only a member of the Read-Only group and users. If I open
> the BE, the Read-Only user has only read permission. As soon as I open the
> FE, this same user has full data permissions, even when I open a linked
> table directly.
> the

Sorry my first reply was in error. I still get the error message.

The line of code (part of the Open Form event) is:

Me!subfrmReportCriteria!lblArea1.Caption = DLookup("Activity", "tblActivities", "ActivityID = 1")

What I am doing is dynamically changing captions on the form based on the
values in the table. As I say, this line works great as long as the DB has
full data permission on ALL the linked tables. It seems that the DLookup
function needs full permission to operate.


> I have solved the second problem. I have forgotten to give the Read-Only
 
Joan Wild

dickw said:
> I have double checked that the Users group has no permissions. The
> Read-Only user is only a member of the Read-Only group and users. If I open
> the BE, the Read-Only user has only read permission. As soon as I open the
> FE, this same user has full data permissions, even when I open a linked
> table directly.

That is baffling. I don't know what to suggest. I was about to say that in
the frontend they might be adding/modifying because they are using a RWOP
query, but then you said they can add/modify in the linked table.

Doesn't make sense to me; shouldn't be so.
 
Joan Wild

dickw said:
> Sorry my first reply was in error. I still get the error message.
>
> The line of code (part of the Open Form event) is:
>
> Me!subfrmReportCriteria!lblArea1.Caption = DLookup("Activity", "tblActivities", "ActivityID = 1")
>
> What I am doing is dynamically changing captions on the form based on the
> values in the table. As I say, this line works great as long as the DB has
> full data permission on ALL the linked tables. It seems that the DLookup
> function needs full permission to operate.

You may be able to get that to work by creating a RWOP query based on
tblActivities. They wouldn't need permission on the table then.
DLookup("Activity", "qryActivities", "ActivityID=1")
 
dickw

Joan Wild said:
> You may be able to get that to work by creating a RWOP query based on
> tblActivities. They wouldn't need permission on the table then.
> DLookup("Activity", "qryActivities", "ActivityID=1")


I tried a RWOP query and it didn't help. I'm going to load a fresh
unsecured copy of the database and try securing it again.
 
dickw

There is definitely something strange going on. I tried securing a new copy
and got the same performance. The first time I secured the db I used the
wizard. This time I secured it manually. I made a new simple db and
linked to the tables. With this db, the permissions applied to the BE
override any more liberal permissions applied to the test db. I don't know
where to look for the problems in the FE. I would think it must be
something in my coding but the same thing happens when I open the FE with no
forms opening or autoexec running, only the database window showing. I
can't see anything that should affect security.

I certainly would appreciate any ideas.

Dick
 
Joan Wild

Did you secure both databases using the same workgroup file?

There is something amiss given your test FE performed correctly.
 
dickw

Thanks so much for staying with me.

I tried securing a previous revision of my FE db using the same workgroup
file. It works correctly with respect to the security, i.e., even with full
permissions in the FE, the permissions in the BE rule. The changes between
the versions were minor but unfortunately I don't have a record of what they
were. I believe they were only cosmetic. When I try to open my master form
I get the same error message as I got before:

("Run-time error '2455': You entered an expression that has an invalid
reference to the property Form/Report.").

The line of code (part of the Open Form event) is:

Me!subfrmReportCriteria!lblArea1.Caption = DLookup("Activity", "tblActivities", "ActivityID = 1")

What I am doing is dynamically changing captions on the form based on the
values in the table. It seems that the DLookup function needs full
permission to operate.

The db works great with other users with full permissions.

Dick
 
Joan Wild

dickw said:
> Thanks so much for staying with me.
>
> I tried securing a previous revision of my FE db using the same workgroup
> file. It works correctly with respect to the security, i.e., even with full
> permissions in the FE, the permissions in the BE rule. The changes between
> the versions were minor but unfortunately I don't have a record of what they
> were. I believe they were only cosmetic.

So the security issue is resolved now?

> ("Run-time error '2455': You entered an expression that has an invalid
> reference to the property Form/Report.").
>
> The line of code (part of the Open Form event) is:
>
> Me!subfrmReportCriteria!lblArea1.Caption = DLookup("Activity", "tblActivities", "ActivityID = 1")
>
> What I am doing is dynamically changing captions on the form based on the
> values in the table. It seems that the DLookup function needs full
> permission to operate.

That is not true (although it appears so to you). DLookup needs nothing
more than Read Data. I thought you had resolved this before by giving the
users open/run permission on the database. Also you could try the RWOP
suggestion I made earlier.
 
dickw

The security issue is resolved in that any older version works correctly.
The current db still has the problem that the FE overrides the BE
permissions.

It also appears that there is a security issue in getting the application to
run at all with readonly permission. I took out the offending lines of code
in the FE. The application now opens but all the forms are blank with no
data or form content. This all happens when the security permissions are
changed. It seems very confusing. I am going to have to take some time
to sort out what makes things work and what doesn't. Unfortunately, the FE
has several thousand lines of code and troubleshooting may be difficult.

Thanks for your help. I will have to post back after I have a better handle
on what is going on.

Dick
 
Joan Wild

It's possible you're seeing some corruption. Creating a new frontend and
importing all the objects and resecuring may be the ticket.

But as you say, take your time and sort it out.
 
