secured db, yet insecure with alternate workgroup file..

Guest

I'm testing setting up user-level security on an a2002 mdb...i set-up new
workgroup, made new user in admin group, moved 'admin' user out of admin
group, removed permissions for 'user' group, set-up custom groups...all seems
good signing in and out with superadmin and other r/w groups i created...but,
when i re-join default workgroup system.mdw, i can get right into database
and edit away..with full admin privy..

not sure why that's happening..

(i went thru secfaq steps here a few times, looked thru some other
posted/linked Security docs..hoping i missed something..)

am i right in my still growing understanding here, that the workgroup file
has no connection to a specific mdb? if that is case, then whatever
workgroup one is connected/joined to, will set their parameters for login to
any mdb? hoping that's not the case..

thanks in advance for any feedback
don
 
Rick Brandt

nycdon said:
I'm testing setting up user-level security on an a2002 mdb...i set-up new
workgroup, made new user in admin group, moved 'admin' user out of admin
group, removed permissions for 'user' group, set-up custom groups...all seems
good signing in and out with superadmin and other r/w groups i created...but,
when i re-join default workgroup system.mdw, i can get right into database
and edit away..with full admin privy..

not sure why that's happening..

(i went thru secfaq steps here a few times, looked thru some other
posted/linked Security docs..hoping i missed something..)

am i right in my still growing understanding here, that the workgroup file
has no connection to a specific mdb? if that is case, then whatever
workgroup one is connected/joined to, will set their parameters for login to
any mdb? hoping that's not the case..

You likely left "Admin" as owner of the database. Ownership grants permissions
even if the permissions check-boxes have all been unchecked.

When everything is done correctly the file cannot be opened except with an
appropriate mdw file.
 
Guest

I thought that as well. I used the wiz, and looks like it changed all objects
including database owner to new sole Admin group user (Donadmin) i had
set-up as per Secfaq..

slightly baffled..
 
Guest

After further toying, Security works if I open with Access 2002, but if open
with A2003, it lets me right in with free rein...shouldn't the security stick
regardless of version opening with??
 
Guest

Also..it's actually an A2000 mdb i set-up security with using A2002, but did
not convert to a2002.
 
TC

A quick check of your original post suggests that you may have omitted
a critical step: namely, changing the /ownership/ of the objects in the
database.

In order to get this right, it is really necessary to follow a written
list of explicit instructions - adding & omitting nothing. It's too
hard to get it right, in any other way.

I suggest you start again, and follow the Access Security FAQ (often
referenced in this newsgroup), or, the instructions on any of the
regular posters' excellent websites!

HTH,
TC
 
Guest

I did check that wizard converted all objects' ownerships. That was what
boggled me..everything looked fine, after going thru steps several times.

I did have a system4.mdw, that when i would join that, it would let me go in
to this Secured mdb w/o security. It seemed to keep re-appearing when I would
test opening with different Access versions. I'd delete and then would come
back..was strange and frustrating..

anyways, thanks
 
Rick Brandt

nycdon said:
I did check that wizard converted all objects' ownerships.[snip]

Did you check ownership of the "Database" object? That is usually what will be
left as "Admin" by people setting up security who don't know what they're doing.

If a user account "owns" the database then they can open the file regardless of
any other permission settings.
 
Guest

Yes, the wizard had changed ownership of all objects, inc. database...that's
what puzzled me. And it would only happen with this system4.mdw, which seemed
like a system created back-up, perhaps after i would delete a test version of
an mdw..

i removed this and mdw1,2,3..and now seems fine, can't get in with other
mdw's, etc, but that was very weird..

Rick Brandt said:
nycdon said:
I did check that wizard converted all objects' ownerships.[snip]

Did you check ownership of the "Database" object? That is usually what will be
left as "Admin" by people setting up security who don't know what they're doing.

If a user account "owns" the database then they can open the file regardless of
any other permission settings.
 
Guest

It actually happened again right now after start-up..I opened Access 2002
(without shortcut to secure workgroup), then selected secured db from recent
list, and let me right in..when i look at workgroup file i was joined to, it
says system1.mdw, which it created again, as i had removed these yesterday..

not sure why it's creating these system.mdw1,2, instead of using the
system.mdw, which is there and works fine when i connect to manually..


Rick Brandt said:
nycdon said:
I did check that wizard converted all objects' ownerships.[snip]

Did you check ownership of the "Database" object? That is usually what will be
left as "Admin" by people setting up security who don't know what they're doing.

If a user account "owns" the database then they can open the file regardless of
any other permission settings.
 
Rick Brandt

nycdon said:
It actually happened again right now after start-up..I opened Access
2002 (without shortcut to secure workgroup), then selected secured db
from recent list, and let me right in..when i look at workgroup file
i was joined to, it says system1.mdw, which it created again, as i
had removed these yesterday..

not sure why it's creating these system.mdw1,2, instead of using the
system.mdw, which is there and works fine when i connect to manually..

Indisputable fact 1)
If you open Access without a custom shortcut that supplies a username and
without being prompted to login then you are being logged in as the user
"Admin".

Indisputable fact 2)
If doing the above allows you to open a "secured" database then the database is
not secured correctly.

The exception to (fact 2) would be in cases where you set up your security with
the specific goal of allowing the user "Admin" and the group "Users" to have
permissions to open the file. Normally the goal is to specifically NOT allow
this.

If the default workgroup file cannot be located when Access is opened by itself
(no file specified), then it will create a new one. This could be why you are
seeing deleted MDW files reappear.
 
Graham Wideman [Visio MVP]

nycdon:

Others have given some suggestions in helpful directions, here's my 2 cents:

All of this:
I'm testing setting up user-level security on an a2002 mdb...i set-up new
workgroup, made new user in admin group, moved 'admin' user out of admin
group, removed permissions for 'user' group, set-up custom groups...

.... did virtually no good, because you are only shuffling things around in
the workgroup file you have, while in any other workgroup file there will be
a default admin user who is member of Users group and they have SIDs that
are same as in the original workgroup file.

In addition, if you then proceed using an mdw that has these default things
changed it makes it hard to remove permissions on the database objects
(tables etc) already accorded to these default user/group.

So, unfortunately, you may have to learn the full details in order to
troubleshoot your way out of this.

You might like the alternative explanations of Access Security at my site,
and the PermExpl tool that's useful for seeing the current state of your
security settings. In particular, you'll benefit from viewing those
settings while using your special mdw, and then switch to using one of the
default mdws like the one Access is recreating for you.

grahamwideman.com

See Microsoft Access Security and also PermExpl.

I think you'll find there are a bunch of permissions that you thought you
disabled when you shuffled the users/groups around that are still accorded
to the default user/group when using a vanilla mdw.

Hope that helps,

Graham
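
An added example, not part of any post in this thread: a DAO audit routine for the checks discussed above, listing the owner of the Database object and any ownership or explicit permissions still held by the default "Admin" user and "Users" group. It assumes a reference to the Microsoft DAO 3.6 Object Library and that you are logged in through the secure workgroup as a member of its Admins group; the procedure name is hypothetical.

```vba
Option Compare Database
Option Explicit

' Added example, not from the thread. Assumes a DAO 3.6 reference and a
' login that is allowed to read permissions on every object.
Public Sub AuditDefaultAccounts()
    Dim db As DAO.Database
    Dim cnt As DAO.Container
    Dim doc As DAO.Document
    Dim acct As Variant

    Set db = CurrentDb()

    ' The Database object is the document "MSysDb" in the "Databases"
    ' container; its owner can open the file whatever the check-boxes say.
    Set doc = db.Containers("Databases").Documents("MSysDb")
    Debug.Print "Database owner: " & doc.Owner
    For Each acct In Array("Admin", "Users")
        doc.UserName = acct
        If (doc.Permissions And dbSecDBOpen) <> 0 Then
            Debug.Print "  " & acct & " has Open/Run on the database"
        End If
    Next acct

    ' Walk every container (Tables, Forms, Reports, ...) and report any
    ' object still owned by Admin or with explicit rights for Admin/Users.
    For Each cnt In db.Containers
        For Each doc In cnt.Documents
            If doc.Owner = "Admin" Then
                Debug.Print cnt.Name & "\" & doc.Name & ": owned by Admin"
            End If
            For Each acct In Array("Admin", "Users")
                doc.UserName = acct
                If doc.Permissions <> 0 Then
                    Debug.Print cnt.Name & "\" & doc.Name & ": " & acct & _
                        " permissions = &H" & Hex$(doc.Permissions)
                End If
            Next acct
        Next doc
    Next cnt
End Sub
```

On a database secured as the thread describes, the Immediate window shows only the owner line, naming the new administrative account, with no lines for Admin or Users.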

