HELP db has become unsecured

[Ian Baker]

I had a very well secured (Access 2k & XP) backend db but suddenly it has
become unsecured and I don't know why. It can be opened by simply clicking
it i.e. using the System.mdw

The security settings are showing:
THE DATABASE
Admins (Group)
Open/Run - True
Open Exclusive - True
Administer - True
Users (Group)
Open/Run - False
Open Exclusive - False
Administer - False
Admin (Users)
Open/Run - False
Open Exclusive - False
Administer - False
Myself as a User has everything True
1 other User has Open/Run True but everything else False

USER & GROUP ACCOUNTS
Admin is member of Users only
Myself is a member of both Admins & Users
1 other user is a member of Users only

OWNERSHIP
Myself as the Owner of everything except the MSys tables who are Admin &
Engine

Any suggestions is really appreciated

 

[Joan Wild]

Double check. Specifically, what user is listed as owner of the object
'Database'

 

[Ian Baker]

Hi Joan
The Owner of the <Current Database> is myself when opened by my mdw. I
deleted the system.mdw, opened a new db to create a new system.mdw and I
still could open the db by the system.mdw which incidentally shows the Owner
of the <Current Database> as <Unknown>

Actually you responded to a question I had in the ng many months ago and
whilst I copied your answer I seem to have lost it so can you remind me
again on how I can not have to use an mdw in this scenario:
I have a FE/BE db (mde) that is secured by a mdw which is distributed with
the db. There are only myself as the db owner and the only member of the
Admins group. There is one other user who is a member of the Users group
only. That user has the minumum rights to only link the backend, Read design
only on tables and queries and only open each form. The db has its own login
form and permissions for each form object are stored in a table. Each form
On_Open checks my permissions table and sets the AllowEdits, AllowDeletes
etc properties for the form. I use RWOP queries and the backend is secured
that no one other than myself can get in. I remember you told me of a way
that users didn't need to use the mdw. It started off as a question on
whether the mdw could reside on each users PC. Does this all make sense?

 

[Joan Wild]

Hi Joan
The Owner of the <Current Database> is myself when opened by my mdw. I
deleted the system.mdw, opened a new db to create a new system.mdw and I
still could open the db by the system.mdw which incidentally shows the Owner
of the <Current Database> as <Unknown>

I'm thinking perhaps that your mdw is the same as the system.mdw. How did
you create your mdw in the first place?

I have a FE/BE db (mde) that is secured by a mdw which is distributed with
the db.

Did you actually secure the FE and BE separately? If you secured first, and
then split, the BE will not be secure. You have to secure each.

There are only myself as the db owner and the only member of the
Admins group. There is one other user who is a member of the Users group
only.

If you want to secure your db but allow them to use it with the standard
system.mdw, then you wouldn't create an 'other user'. If you were planning
to ship a mdw, then you wouldn't make any users (other than Admin) a member
of the Users group. The Users group wouldn't have any permissions.

That user has the minumum rights to only link the backend, Read design
only on tables and queries and only open each form. The db has its own login
form and permissions for each form object are stored in a table. Each form
On_Open checks my permissions table and sets the AllowEdits, AllowDeletes
etc properties for the form.

If you implement security, then this is totally unnecessary.

I use RWOP queries and the backend is secured
that no one other than myself can get in. I remember you told me of a way
that users didn't need to use the mdw. It started off as a question on
whether the mdw could reside on each users PC. Does this all make sense?

Can you go back to square one and start over with a pristine unsecured copy,
or undo what you have.

If you are using Access 2002...

Open your FE mdb using the standard system.mdw.

Run the security wizard.

At step 1, ensure you choose to create a new workgroup file.
At step 2, click browse and a suitable location for the mdw, and be sure to
give it a name (but don't name it system.mdw).
Also choose 'make a shortcut', rather than 'make it the default'
At step 3, select all objects
At step 4, do not choose any groups
At step 5, choose 'yes, I would like to assign permissions to the Users
group', and assign the permissions that you want the world to have. From
your description, you are using RWOP queries, so in the frontend, Open the
database, full permissions on the tables (links), read data on the queries,
open forms, and open reports.
At step 6, do not add any users at all (you should see one user i.e. you).
You can set a password for the one user if you like.
At step 7, there should be nothing for you to do. It will have your
username selected and show that you are a member of the Admins group
At step 8, verify that the location/name of your backup is suitable and
click Finish.
It should preview the security wizard report, which you should print.
Read the messages that pop up at this point - it's not the time to get click
happy.
Close Access, and use the desktop shortcut to launch your mdb, logging in
with your username (and password if you set it at step 6).
Go to Tools, Security, Permissions as you need to modify the permissions on
your queries. You set them to read data during the wizard, but you will
need to modify them. Click on Groups and choose Users. For each of your
RWOP queries, modify the permissions depending on what you want - update,
insert, delete.
Now test it.

You should still be joined by default to the standard mdw. Use Windows
Explorer to open your mdb. You should not get a login screen; you'll be
logging in as 'Admin'.

Now, to secure the BE. Open your FE via the shortcut.
Choose File, Open and open your BE. Run the security wizard
At step 1, choose to modify your existing mdw.
At step 2, select all objects
At step 3, do not choose any groups
At step 4, choose to assign the the Users group and give them Open
permission on the database
At step 5, don't add any users
At step 6, click next
At step 7, verify the backup location
Print the wizard report

Close Access. In your folder you will have
Your secure mdbs:
SomeDB.mdb
SomeDB_be.mdb

Your unsecure backups:
SomeDB.bak
SomdDB_be.bak

Your secure mdw
secure.mdw

Ship to your user(s) only the SomeDB.mdb and SomeDB_be.mdb

If you need to make changes, use your desktop shortcut, and log in as you.

 

[Ian Baker]

Thanks Joan (as usual)
I have followed your instructions to the letter. I desecured the FE/BE using
the Security FAQ No 34. how Do I Descure A Database then secured my FE &
BE's as below but the strangest thing is that it hasn't secured the BE at
all. Using my own mdw the security shows:
Memberships:
Admin is only a member of Users
Ian (me) is a member of both Admins and Users

Database Owner is Ian (MSysAccessStorage is Admin & the other MSys... is
Engine)

Permissions:
Admins has ALL rights to the Database and Tables
Users have Open/Run on Database only and nothing on all tables
Admin has nothing on the Database and nothing on the Tables
Ian has ALL rights on the database and nothing on the tables

Now, the problem is although it seems to show it is locked down I can still
open and edit any of the tables using the System.mdw even though I have
deleted the System.mdw and got Access to recreate it.

--
Regards
Ian Baker
Jackaroo Solutions Pty Ltd
(Download Jackaroo IT - an IT Mgmt and Help Desk application at
http://jackaroo.net.au)

 

[Joan Wild]

Hi Ian,

Thanks Joan (as usual)
I have followed your instructions to the letter. I desecured the FE/BE using
the Security FAQ No 34. how Do I Descure A Database then secured my FE &
BE's as below but the strangest thing is that it hasn't secured the BE at
all.

To secure the BE, it's important that you open the FE via the shortcut, and
then use File, Open to open the BE. This ensures you are using your secure
mdw. It sounds as though you secured it using the standard mdw.

Database Owner is Ian (MSysAccessStorage is Admin & the other MSys... is
Engine)

You should not change anything regarding the MSys objects.

Now, the problem is although it seems to show it is locked down I can still
open and edit any of the tables using the System.mdw even though I have
deleted the System.mdw and got Access to recreate it.

I don't know what you think you are accomplishing by deleting the system.mdw
and recreating it. Please explain.

 

[Ian Baker]

Hi Joan

To secure the BE, it's important that you open the FE via the shortcut,

Yes, I did open it via the shortcut I even made sure I was using my own mdw
which is why this all seems weird. I have on previous installations of 2002
experienced situations where the security box as displayed by
Tools->Security.... displays one set of security information but when I get
the security settings by code they say something different.

I don't know what you think you are accomplishing by deleting the system.mdw
and recreating it. Please explain.

I did this just in case anything weird happened to the system.mdw.

I have over the last 10 years always believed that the security options in
Access have not been trouble free or exactly accurate (through experience)

Anyway Joan, I really appreciate your help.

--
Regards
Ian Baker
Jackaroo Solutions Pty Ltd
(Download Jackaroo IT - an IT Mgmt and Help Desk application at
http://jackaroo.net.au)

 

[Joan Wild]

I have not had the same experience as you.

 

[Ian Baker]

Hi Joan
I found out more info. I downloaded the Security Manager addin for 2002.
Open my secured FE using the shortcut
Opened the Sec Mgr to make sure I was in my mdw
Went to File->Open and opened my BE (which naturally closes my FE)
Opened the Sec Mgr to make sure I was still in my mdw
Went to Tools->Security->Security Wizard
- Modify my current workgroup file - next
- (listing object tab) Next
- (groups) Next
- Yes grant permissions to users - Clicked Open/Run - Next
- (add new user) Next
- (groups and users) Next
- Finish
- Closed BE and went out of Access
Opened my BE from Explorer where I could then still open and edit any table
Tried to open the Sec Mgr and got the message that I was logged in as the
unsecured default Admin account

BUT, when I opened my FE by using the shortcut (again)
- This time create a new database by File->New->Blank Database
- Open Sec Mgr to make sure I am still in my mdw (just checking)
- Import the tables from my unsecured backend (deselecting the MSys...)
- Open Sec Mgr to make sure I am still in my mdw (can't be to careful)
- Run the security wizard again as above
Opened the BE from explorer and this time it is secured

So, the difference is that I had to create a new db and import the objects
whilst in my mdw before running the security wizard. Running the security
wizard whilst in my own mdw on an unsecured db didn't work.

This is my point that implementing Access security isn't black or white.
Whilst the tools->security->User & Grp Permissions represents the db as
secured it is not. The only problem with Access is that you need to Access
your imagination.

--
Regards
Ian Baker
Jackaroo Solutions Pty Ltd
(Download Jackaroo IT - an IT Mgmt and Help Desk application at
http://jackaroo.net.au)