For Jack Macdonald - admin user question

[Guest]

Hi jack,

I followed your security papers to a T and I found them very helpful.
However, when i log in to my secure database using default mdw, user admin
can open the database and I thought he couldn't. Please review my steps and
let me know if i have missed something. Thanks in advance:

1. I created a new workgroup using wrkgadm.exe and open a DB with it.
(checked using ?dbengine.systemdb)
2. I created password for user admin, create new user (me), added (me) to
admin group and remove admin user from admin group.
3. I login as me and create password.
4. I create AppUser group and SuperAdmin group.
5. I create new DB for which user (me) am the owner and owner of all objects.
6. I remove ALL permissions for the Admin Group, User group, And Admin
user.(giving SuperAdmin group all rights and AppUser Group some, and remove
all user level permissions).

Now when I log into my DB using my (or anyone else's for that matter)
default system.mdw (silently as user admin), I should be locked out b/c
permissions are saved with the db... right? However I can open the db. Did
I miss something?

Thanks for all your help!

Matt
(access 2000)

 

[Jack MacDonald]

Matt
It sounds like you did everything right, so I am not sure what is
going on. One possibility: you said "... I should be locked out..."
which I interpret to mean that the Admin user can open the database.
You don't say explicitly whether Admin is denied permission to any of
the database objects. The admin user can still open the database
unless you remove the Run/Open permission from the Database object.

Hi jack,

I followed your security papers to a T and I found them very helpful.
However, when i log in to my secure database using default mdw, user admin
can open the database and I thought he couldn't. Please review my steps and
let me know if i have missed something. Thanks in advance:

1. I created a new workgroup using wrkgadm.exe and open a DB with it.
(checked using ?dbengine.systemdb)
2. I created password for user admin, create new user (me), added (me) to
admin group and remove admin user from admin group.
3. I login as me and create password.
4. I create AppUser group and SuperAdmin group.
5. I create new DB for which user (me) am the owner and owner of all objects.
6. I remove ALL permissions for the Admin Group, User group, And Admin
user.(giving SuperAdmin group all rights and AppUser Group some, and remove
all user level permissions).

Now when I log into my DB using my (or anyone else's for that matter)
default system.mdw (silently as user admin), I should be locked out b/c
permissions are saved with the db... right? However I can open the db. Did
I miss something?

Thanks for all your help!

Matt
(access 2000)

**********************
(e-mail address removed)
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security

 

[Guest]

I will look into it... thanks!

Matt
It sounds like you did everything right, so I am not sure what is
going on. One possibility: you said "... I should be locked out..."
which I interpret to mean that the Admin user can open the database.
You don't say explicitly whether Admin is denied permission to any of
the database objects. The admin user can still open the database
unless you remove the Run/Open permission from the Database object.





**********************
(e-mail address removed)
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security