NT/W2K users as Access Users

[Bruce Hensley]

The following model seems to work for us, but I would appreciate any advice
as to the risks, or a simpler/safer way to accomplish the same goals.

The goals are:

- utilize Access user-level security within the application
- not require users to learn a new password for the application
- allow authenticated network users to run the app without Access login

We are working on a local intranet, with the MDB and MDW on a fileserver.

We create user accounts in Access with the same user ID as their network
username, but without passwords.

In Access, there is an AUTOEXEC, or procedure attached to the startup form,
that gets the network user ID and compares it to the Access user ID. If
they don't match, then the application exits. Since the user must first log
on to the network with network user ID and password, we know the user is
valid. If another network user tries to start the app with someone else's
Access user ID, the app will then exit.

To further simplify the startup, we launch the application using a VBScript
file. The VBS file gets the network username and launches the Access app,
passing it the user ID and a blank password. This way, the user need not
even be prompted for user ID and password.

Thanks,
Bruce Hensley

 

[TC]

Seems fair to me - unless I'm missing something really obvious!

Just a few points.

- Make sure the users can not bypass your startup code by holding the shift
key down when they open the database. There is a property that you can set
to prevent that occurring, but be careful to set the DDL parameter to True
in the CreateProperty statement, when you create that property. Otherwise, a
non-administrative user can run VBA code from any suitable client, to delete
that property from your database. Then they can start it with the shift key
down, bypassing all your startup code.

- Er, this is a multi-user database with a single copy of the MDB file on
the server? That is a sure recipe for (a) database corruption, and (b)
difficulty distributing code updates. The application should be split into a
so-called front-end/back-end structure. The BE database has all of the
tables, but nothing else. The FE database has all of the queries, forms,
reports, macros & modules, and links to the actual tables in the BE. Each
user should have their own copy of the FE - on their own PC, or on the
server.

HTH,
TC

 

[Bruce Hensley]

TC,

Thanks for the review.

I should have mentioned, we are using Access 97.

We set AllowBypassKey. But, I can't find anything in help about a DDL
parameter.

We use a frontend/backend arrangement, with linked tables and all forms
driven from queries. Sometimes the backend is Access, sometimes Oracle,
sometimes a combination of both. But, we keep the frontend on the server
with the backend. We have no more than 20 users, probably 3, or less,
concurrent. We keep a separate isolated copy of the frontend for
development, and back up the server 3 times a day.

I'm not clear on how I should set up security on the backend when it is
Access.

Thanks again.

Bruce

 

[Douglas J. Steele]

As TC stated, it's the CreateProperty statement that has a DDL parameter.

Check http://www.mvps.org/access/general/gen0040.htm at "The Access Web" for
details.

 

[Bruce Hensley]

Thanks. I was just looking at the example, and not at the details in help.
Silly me.