I would like comments from MVPs

Guest

Access 2000/2003
100,000 records with about 200 fields over around 6 tables
backend db size 60 meg

I am the database admin for my company. I use Access level security only
for accessing the db's.

I needed user security down to the field level. I also control who accesses
tabs/forms and command buttons by a table I call staff. This table has
Windows user IDs, and half a dozen check boxes and text fields for levels
of security for various fields, forms, etc. I store this table on the server
with read only access.

In my applications I use dlookup to retrieve this info when opening the
first form. Naturally they are all hidden.

I have extreme control over forms that are visible, command buttons that
are visible and what they do depending on these looked up fields based on
user info in the staff table.

The maintenance is easy because I only have to maintain the staff table.

The applications run exceptionally well and I have distributed to some of our
remote sites.

Do you guys have any comments?
 
Guest

Hi Eric,

First, I think you should always be willing to consider input given by
people who have not been awarded MVP by Microsoft.

> 100,000 records with about 200 fields over around 6 tables
> backend db size 60 meg

Easily handled by JET. You might want to take a look at this document to see
if you can further optimize your application:

Implementing a Successful Multiuser Access/JET Application
http://www.access.qbuilt.com/html/multiuser_applications.html

> I needed user security down to the field level.

Your method seems fine to me, as long as you are happy with how it works,
and, more importantly, absolute data security is not a prime concern.
Whichever method you use in Access (User Level Security, roll-your-own, or a
combination of the two), you need to realize that this just raises the bar. A
person who has access to the file(s) can, if they are determined enough,
crack security that you build using Access.

If the security of your data is of paramount importance, then you need to
use a database such as SQL Server, Oracle, etc.


Tom Wickerath
Microsoft Access MVP
https://mvp.support.microsoft.com/profile/Tom
http://www.access.qbuilt.com/html/expert_contributors.html
__________________________________________
 
Guest

Thanks for your comments Tom. I did not mean to insult non-MVPs. I am one
and have given useful advice to user questions. I do have one question. I
have disabled the shift key for access to the application. My users have
write access to the back end? How can I prevent users from opening the back
end directly or even more from seeing it?
 
Guest

Hi Eric,

> My users have write access to the back end?

I don't understand this question...

> How can I prevent users from opening the back end directly...

You can add an Autoexec macro to the BE file:
Action: Appropriate Msgbox statement
Action: Quit

> ... or even more from seeing it?

There is a trick of adding a $ sign to the name of a folder to cause the
folder to be hidden. I don't remember if this is a leading or trailing
character at the moment.


Tom Wickerath
Microsoft Access MVP
https://mvp.support.microsoft.com/profile/Tom
http://www.access.qbuilt.com/html/expert_contributors.html
__________________________________________
 
Guest

Yes, of course. But you use code to disable the Shift key in both the FE and
the BE. You should also remove the startup options to use special keys,
display the database window, etc. Access MVP Albert Kallal has a nifty
little application to disable the bypass key:

http://www.members.shaw.ca/AlbertKallal/msaccess/msaccess.html
(Scroll about half way down the page: "By Pass Shift Key Code")

Now, of course, anyone who has a copy of this application, or similar code,
can easily re-enable this setting. You can take it one step further, as
discussed in this article on MVPS:

Securing AllowBypassKey
http://www.mvps.org/access/general/gen0040.htm

This will help raise the bar. However, it is still very crackable by a
determined person.


Tom Wickerath
Microsoft Access MVP
https://mvp.support.microsoft.com/profile/Tom
http://www.access.qbuilt.com/html/expert_contributors.html
__________________________________________
 
Guest

Of course I want to disable the shift key. I guess I will check the Windows
user ID. Does that make sense?
 
Jeff Conrad [MSFT]

in message:
> You can add an Autoexec macro to the BE file:
> Action: Appropriate Msgbox statement
> Action: Quit

To expand on Tom's excellent advice, you could also write a record to a log table that records who
entered the back end file and when. You could check this table periodically to see who's been doing
what they shouldn't be. If you want to get really devious, you could display this message box:

"Warning - Unauthorized Access
A log file has been created and the administrator is being notified."

<veg>

--
Jeff Conrad - Access Junkie - MVP Alumni
SDET - XAS Services - Microsoft Corporation

Co-author - Microsoft Office Access 2007 Inside Out
Presenter - Microsoft Access 2007 Essentials
http://www.accessmvp.com/JConrad/accessjunkie.html
Access 2007 Info: http://www.AccessJunkie.com
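
Added example, not part of the original thread and not code from any of the posters: one way to build the AutoExec log-and-quit routine suggested above for the back end file. The table `tblBEAccessLog`, its columns and the function names are hypothetical.

```vba
' Module in the back end (BE) file. Needs a reference to the
' Microsoft DAO 3.6 Object Library (not set by default in Access 2000).
Option Compare Database
Option Explicit

' Win32 call for the logged-on user; unlike Environ("USERNAME") it cannot
' be changed by setting an environment variable before starting Access.
Private Declare Function GetUserName Lib "advapi32.dll" _
    Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long

' Hypothetical table: tblBEAccessLog(WinUser Text(255), OpenedAt Date/Time)
Private Const LOG_SQL As String = _
    "PARAMETERS pUser Text(255), pWhen DateTime; " & _
    "INSERT INTO tblBEAccessLog (WinUser, OpenedAt) VALUES ([pUser], [pWhen]);"

Private Function WindowsUser() As String
    Dim buf As String, n As Long
    n = 255
    buf = String$(n, vbNullChar)
    If GetUserName(buf, n) <> 0 Then
        WindowsUser = Left$(buf, n - 1)   ' n includes the trailing null
    Else
        WindowsUser = "(unknown)"
    End If
End Function

' Called from the AutoExec macro: Action = RunCode, Function = LogBackEndOpen()
Public Function LogBackEndOpen()
    Dim qdf As DAO.QueryDef
    On Error Resume Next          ' quit even if the log write fails
    Set qdf = CurrentDb.CreateQueryDef("", LOG_SQL)   ' temporary, parameterised
    qdf.Parameters("pUser") = WindowsUser()
    qdf.Parameters("pWhen") = Now()
    qdf.Execute dbFailOnError
    qdf.Close
    MsgBox "This file is the data store for the application and is not " & _
           "meant to be opened directly.", vbExclamation, "Back end"
    Application.Quit acQuitSaveNone
End Function
```

AutoExec is skipped when the file is opened with Shift held down unless the bypass key has been disabled in the back end as well. The log only records opens made through Access, not copies of the file taken through the file system.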
 
Guest

> end directly or even more from seeing it?

Access/Jet uses the native file system database primitives
as a basic part of the database engine. The database is
a file on your server file system. How do you hide a file
on your server file system? This is a question best asked
to a network admin....

However, the general answer is, you 'hide' a file by
removing "browse permission". Only on a file system
that has a "browse permission", so NTFS, not FAT.

You can also "hide" a file by making it hidden or system:
of course anyone can see hidden or system files now,
provided they have policy permission to display hidden
or system files.

And you can "hide" file shares by giving them a name
ending in $, but anyone can see a hidden file share: they
just have to know its name, because only the name is
hidden.

(david)
 
David W. Fenton

> There is a trick of adding a $ sign to the name of a folder to
> cause the folder to be hidden. I don't remember if this is a
> leading or trailing character at the moment.

Trailing $ is for hidden shares. It does *not* work for mere
folders, only for shares.
 
Tony Toews [MVP]

Eric Blitzer said:
> Thanks for your comments Tom. I did not mean to insult non-MVPs. I am one
> and have given useful advice to user questions. I do have one question. I
> have disabled the shift key for access to the application. My users have
> write access to the back end? How can I prevent users from opening the back
> end directly or even more from seeing it?

You can't. There are lots of tricks you can do to almost hide the BE.
However nothing is perfect in this sense. A person can copy the BE to
a thumb drive or zip it and email it.

And none of the auditing logs mentioned will help.

If your data must be
1) quite secure
2) you must *know* everyone who has accessed what data

then you have to move the data to a SQL Server or similar system.
These are much more secure because the data file is in a folder which
is not viewable on the network. The only interface to that file is by
SQL Server running on that server.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
 
