MY Alternative to MS Access User Level Security - Yes or No?

Warren

Hello friends,

My files:
~~~~~~
My backend lies in a hidden network folder (in citrix) with a Database
Password on it. My frontend exists as an MDE that is copied to the
user's home folder each time they start the application using a batch
file linked from a desktop icon.

My security:
~~~~~~~~~
I like my security because I created it and I seem to have full control
over it. Basically, users must exist in my 'users' table before an
AutoExec function will allow them to proceed, otherwise, they are
exited. The same table defines permissions for each user that are read
on each form's startup. Users do not have to 'log on' as usernames are
obtained from the OS logon. The shift key is disabled.

My questions:
~~~~~~~~~~
Like I said, I seem to have full control of the security and, as I
created it all, I know it backwards. Do MVPs and other professionals
here think that this is ok? I don't know how to 'break in' to my
database given only a front-end because the shift key is disabled, is
there a way? And finally, I have read that database passwords are
almost useless.

I am asking these questions because I feel that I have more control
over what the user can do, and I can make it simpler for admins to
change user permissions etc. User level security seems more
complicated than what I've done. Am I right?

Thanks, Warren
 

Rick Brandt

Warren said:
Hello friends,

My files:
~~~~~~
My backend lies in a hidden network folder (in citrix) with a Database
Password on it. My frontend exists as an MDE that is copied to the
user's home folder each time they start the application using a batch
file linked from a desktop icon.

My security:
~~~~~~~~~
I like my security because I created it and I seem to have full control
over it. Basically, users must exist in my 'users' table before an
AutoExec function will allow them to proceed, otherwise, they are
exited. The same table defines permissions for each user that are read
on each form's startup. Users do not have to 'log on' as usernames are
obtained from the OS logon. The shift key is disabled.

My questions:
~~~~~~~~~~
Like I said, I seem to have full control of the security and, as I
created it all, I know it backwards. Do MVPs and other professionals
here think that this is ok? I don't know how to 'break in' to my
database given only a front-end because the shift key is disabled, is
there a way? And finally, I have read that database passwords are
almost useless.

I am asking these questions because I feel that I have more control
over what the user can do, and I can make it simpler for admins to
change user permissions etc. User level security seems more
complicated than what I've done. Am I right?

Open a new file and import all objects from your MDE. There will be a link to
your users table (as well as all other tables) for anyone to see and modify to
their heart's content. This would take all of 20 seconds to do.

What you have is a drawn curtain, not security. If that is all you need, fine.
Just don't expect it to deter anyone who is familiar with Access.
 
Warren

Rick, you have just scared the crap outta me!

I would never have thought of that...


Many thanks, Warren.
 
John Vinson

Rick, you have just scared the crap outta me!

I would never have thought of that...


Many thanks, Warren.

I can think of at least two other methods of cracking your security as
described. Won't post them here of course.

Security is DIFFICULT to do right. Microsoft put a *lot* of work -
person-years - into Workgroup Security, and even it can be cracked
with enough work.

John W. Vinson[MVP]
 
John Vinson

I've never had a security breach but then, the only people who have any use
for the data are the users themselves, and most can barely type an email.

"Security by obfuscation" is often enough. If you're not worried about
sophisticated malicious users, you are probably just fine.

In my experience there are two main threats to protecting data: the
lesser threat is the malicious, sophisticated user who deliberately
sets out to crack security. The more common and greater threat is the
thoughtless user who HAS permission to change the data, and makes
undesired changes out of ignorance.

John W. Vinson[MVP]
 
