Permission to Administer

Adam

Hi,

I'm trying to get a grip on how this security works, so I
am using several test dbs to learn it thoroughly. I have a
problem with understanding something and you may be able
to help.

Using a test db, I've experimented with the various WIF,
User/Admin Groups, User/Admin users, passwords, etc.

I unchecked all users and all groups from permission, and
therefore open/read/modify/administer are all false whether
user or group. ie nobody has permission to do anything.
The particular object, a main form, is owned by Admin.

When I open the db and try to reinstate Admin with the
Administer permission, it comes up with this message:

"To change permissions for this object, you must have
Administer permission for it."

The question is, if all permissions for Admin (and other
users that belong to the Admins Group) have been removed,
who has the permission to change it at this point?

I did a similar thing with another db and it allowed me to
reinstate Admin with Administer permissions.

I am absolutely perplexed here. Can you please help?

Thanks

Adam
Using Access 2000
 
Joan Wild

Hi Adam,

If you don't have it already, you should download, study, and follow *to the
letter* the steps outlined in the security FAQ
Security FAQ
http://support.microsoft.com/?id=207793

Other good reads are
http://www.ltcomputerdesigns.com/Security.htm
and
www.geocities.com/jacksonmacd

> I unchecked all users and all groups from permission, and
> therefore open/read/modify/administer are all false whether
> user or group. ie nobody has permission to do anything.
> The particular object, a main form, is owned by Admin.
>
> When I open the db and try to reinstate Admin with the
> Administer permission, it comes up with this message:

If 'nobody has permission to do anything', then how are you even able to
open the database?

> "To change permissions for this object, you must have
> Administer permission for it."

Admin owns it, and can reinstate administer permission; are you logging in
as Admin?
 
paul

You are the owner creator of the database. And you have
Administrator capabilities. But you do not have Admin.
That is entirely different. If I understand right - it
appears you have locked yourself out because you
stripped your own privileges away. You should be able to
get around this by checking your work group and then
following that path and swapping the .secured file with
another secured file that is working and you have your
privileges in
 
Adam

Thanks Joan.

Further info in line.

> If 'nobody has permission to do anything', then how are you even able to
> open the database?

Sorry, I wasn't clear here. Only one object is being used
for the testing. ie a Main Form. Other forms are left
alone. So, the database can be opened, but a particular
test object cannot be opened, changed, etc.

> Admin owns it, and can reinstate administer permission; are you logging in
> as Admin?


Steps I did.

In the User and Group Accounts dialog, Adam1 is a member
of Users and Admins groups.
In the User and Group Permissions dialog, Adam1 has
permissions to do everything to Main Form. No other user
has permission to do anything to Main Form. No Group, ie
Users and Admins, has permission to do anything to Main
Form. So Adam1 is the only one with permission.
Main Form is owned by Admin.

1. Log on as Adam1
2. Current User = Adam1
3. Adam1 has permissions to Administer Main Form
4. Uncheck permissions everything including Administer for
Adam1. No one can modify, open, read, administer the Main
Form. Exit User & Group Permissions Dialog.
5. Test the Main Form for security. Main Form cannot be
opened, changed, copied, nothing.
6. Reopen User & Group Permissions Dialog
7. Current User is still = Adam1
8. Check Adam1 permissions to allow open,read,modify and
administer. Click apply and presto! Hey, wait a minute
who had the administer permission to allow me to return
Adam1's permissions? Adam1 did not have it, yet it allowed
me to restore it.


Thanks

Adam
 
Adam

Thanks Paul.

I don't know if I'm locked out or what. I'm trying to
grasp what appears to be a complex issue. I'm not even
sure if it's possible to be locked out, or even if there
is some default 'User' who always has administer rights
that can never be changed.

Steps I did.

In the User and Group Accounts dialog, Adam1 is a member
of Users and Admins groups.
In the User and Group Permissions dialog, Adam1 has
permissions to do everything to Main Form. No other user
has permission to do anything to Main Form. No Group, ie
Users and Admins, has permission to do anything to Main
Form. So Adam1 is the only one with permission.

Main Form is owned by Admin.

1. Log on as Adam1
2. Current User = Adam1
3. Adam1 has permissions to Administer Main Form
4. Uncheck permissions everything including Administer for
Adam1. No one can modify, open, read, administer the Main
Form. Exit User & Group Permissions Dialog.
5. Test the Main Form for security. Main Form cannot be
opened, changed, copied, nothing.
6. Reopen User & Group Permissions Dialog
7. Current User is still = Adam1
8. Check Adam1 permissions to allow open,read,modify and
administer. Click apply and presto! Hey, wait a minute
who had the administer permission to allow me to return
Adam1's permissions? Adam1 did not have it, yet it allowed
me to restore it (under Adam1's login).

Thanks

Adam
 
Joan Wild

Adam said:
> Steps I did.
>
> In the User and Group Accounts dialog, Adam1 is a member
> of Users and Admins groups.
>
> 8. Check Adam1 permissions to allow open,read,modify and
> administer. Click apply and presto! Hey, wait a minute
> who had the administer permission to allow me to return
> Adam1's permissions? Adam1 did not have it, yet it allowed
> me to restore it.

Yes he did - Adam1 is a member of the Admins group. Members of that group
always have permission to administer objects.
 
Adam

Ummm...err...hmmm...yeah OK, I sorta...kinda understand
that.

So, I would need to make sure of who the members of the
Admins Group are when changing settings.

Yet, if I am visually observing permission boxes and the
administer box is unchecked for a user, my cognition would
tell me this person does not have permission (but by
virtue of being a member of the Admins Group that person
does have permission).

I would have thought that if a member of Admins logged on,
the administer box would be 'disabled' in a pale colour.

BTW what purpose does it serve anyway?


Thanks again

Adam
 
Adam

What about when the 'Owner' of the object is <Unknown> ?

How do I change settings back to one of the users?


Thanks

Adam
 
Joan Wild

You have to be careful when looking at the dialog. It only shows you
explicit permissions for a user. It will never show you the implicit
permission i.e. those they inherit from a group they are a member of.

Usually, you would never assign permissions to users. Rather set up the
groups you want and assign permissions only to groups. Then you can create
users and make them members of whatever group(s) you want. It's far easier
to manage/maintain security.

The Admins Group is special, as you've found out. It is the reason that it
is *critical* that you create a new workgroup as step 1 in securing a
database. Every mdw file has two things in common - the Users Group and the
Admin User. However, the Admins Group is different. If you don't create a
new workgroup file, then you are just modifying the standard system.mdw. It
will never be secure because every standard system.mdw has the common Admin
user, and that user is always a member of the Admins group. You would
create a new workgroup, and also a new user to be a member of the Admins
Group. You'd remove ALL permissions for the Users Group and the Admin User
(ensuring they don't own any objects).

If you haven't got it, you should download and study the security FAQ
http://support.microsoft.com/?id=207793

Follow every step outlined, in order, or your database won't be secure.

Another good background is the Security Whitepaper
http://support.microsoft.com/?id=148555

Some others
Lynn Trapp's
http://www.ltcomputerdesigns.com/Security.htm

Jack MacDonald's
www.geocities.com/jacksonmacd
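
The difference between what the permissions dialog shows (explicit rights) and what a user can actually do (group grants, Admins membership, ownership) can be read out in code. The following Access VBA is an added example, not part of the original thread or of the linked FAQ; it uses DAO's `Permissions` and `AllPermissions` properties. `Main Form` and `Adam1` are the names from the thread, the procedure names are hypothetical, and it assumes a DAO reference and a session logged on through the workgroup file as a user allowed to read permissions.

```vba
Option Compare Database
Option Explicit

' Added example (not from the thread). Procedure names are hypothetical.
' True if acctName belongs to groupName in the workgroup file in use.
Public Function IsInGroup(ByVal acctName As String, _
                          ByVal groupName As String) As Boolean
    Dim grp As DAO.Group
    For Each grp In DBEngine.Workspaces(0).Users(acctName).Groups
        If StrComp(grp.Name, groupName, vbTextCompare) = 0 Then
            IsInGroup = True
            Exit Function
        End If
    Next grp
End Function

' Prints explicit vs. inherited rights on one form for one account.
Public Sub AuditFormAccess(ByVal formName As String, ByVal acctName As String)
    Dim db As DAO.Database
    Dim doc As DAO.Document
    Set db = CurrentDb
    Set doc = db.Containers("Forms").Documents(formName)

    ' UserName only selects whose permissions are read; nothing is modified.
    doc.UserName = acctName

    Debug.Print "Object: " & formName & "   Owner: " & doc.Owner
    Debug.Print "User:   " & acctName
    ' Permissions: explicit grants only, which is what the dialog displays.
    Debug.Print "  explicit right to change permissions: " & _
        CBool(doc.Permissions And dbSecWriteSec)
    ' AllPermissions: explicit grants plus those given to the user's groups.
    Debug.Print "  including grants made to groups:      " & _
        CBool(doc.AllPermissions And dbSecWriteSec)
    ' Per the thread: Admins members can always administer objects,
    ' and the owner can reinstate permissions, whatever the boxes show.
    Debug.Print "  member of Admins:                     " & _
        IsInGroup(acctName, "Admins")
    Debug.Print "  is the owner:                         " & _
        (StrComp(doc.Owner, acctName, vbTextCompare) = 0)
End Sub

' Usage from the Immediate window:  AuditFormAccess "Main Form", "Adam1"
```

In the scenario from the thread, the first two lines would report False while "member of Admins" reports True, which is why Adam1 could restore the unchecked boxes.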
 
