Access security... i'm going nuts!

[fugifox]

I have secured my mdb following step by step the below guide
http://www.moretools.com/lessons/access_security.htm

I changed the owner of mdb from the default to one I created,
and also removed the default admin account.

I tested all the permissions and the seem to work.
Then just for testing purposes I deleted the workgroup file.
Magically the mdb opened without any login prompt
and I had full permissions!!

So, if I distribute my mdb file along with the workgroup file
and the user delete the workgroup file, means that I tried to secure it undeservedly.

Am I doing something wrong?

 

[gemma-the-husky]

first

dont change system.mdw, whatever you od

------
secondly, you must be going wrong somewhere or other - you need to secure the dbs against the new mdw file - in the new mdw file, make sure that you are careful with changing access requirements for both the admins group and the users group, as everyone is by default a user also.

 

[fugifox]

I think I spotted the problem.
Something goes wrong with step 8 in the tutorial I've posted at first post.

If I run the security wizard to the unsecured mdb and choose create a new workgroup file, db is properly secured.
If I do it as the tutorial describes, i.e. manually creating the mdw file and then associating it with the mdb, something goes wrong but i can't figure out what.

What do you use, the first or the second way for securing a db?

 

[Banana]

Never use wizard- all it does is obscure the steps that you were supposed to know. Best to do it manually.

You'll need to elaborate on "something goes wrong".. exactly what went wrong?

 

[fugifox]

I'm describing the situation and the problem I'm facing at first post.
As I'm writing there, the problem is that if I delete the mdw file
then the DB starts to the default state with full permissions.

I suppose I'm failing in binding the mdw file with the mdb.

 

[Banana]

Did you remember to deny permissions to Users group as well as the Admin user (whom shouldn't be in Admins group) and place all of your employees account in a custom group?

 

[fugifox]

Did you remember to deny permissions to Users group as well as the Admin user (whom shouldn't be in Admins group)

Did both

I changed the owner of mdb from the default to one I created,
and also removed the default admin account.

and place all of your employees account in a custom group?

This is what I didn't do. May this be the cause?
I'll give it a try and post back.

When you say all you mean also the custom Admin account I created?

 

[Banana]

Your custom Admin account should be in Admins group still. The default Admin shouldn't be in that group but should be in Users group.

One thing, though- if Users group has no permission, they shouldn't have been able to open database with default .mdw file at all, but you say it can be done, so I think you are missing something.

Did you make sure that database isn't owned by the default Admin user, and that all objects within it is owned by your custom Admin user?

 

[fugifox]

Your custom Admin account should be in Admins group still. The default Admin shouldn't be in that group but should be in Users group.

Already did that.

One thing, though- if Users group has no permission, they shouldn't have been able to open database with default .mdw file at all, but you say it can be done, so I think you are missing something.

Yes it can be done, but only after deleting the mdw file.

Did you make sure that database isn't owned by the default Admin user, and that all objects within it is owned by your custom Admin user?

I changed the owner of mdb from the default to one I created,
and also removed the default admin account.

 

[fugifox]

Do you find anything wrong to the following steps?

1. You may secure any database that has been created while joined to the System.Mdw.
2. Create a new workgroup file(*. MDW)
3. Open the unsecured database and create a password for the Admin user.
4. Create a new user account that will be the new workgroup administrator, like "PowerAdmin"
5. Modify the Admins group by adding the new administrator and removing the original Admin account.
6. Re-log into Access as the new workgroup administrator that you created previously.
7. Set up a password for the new workgroup administrator.
8. Run the Security wizard under Tools | Security | User - Level Security.
9. Create any additional group accounts.
10. Create any additional user accounts.
11. Set up the database object's permissions.
12. Any new databases that you create will already be secure.

 

[Banana]

Yes it can be done, but only after deleting the mdw file.

Actually, if it was properly secured (e.g. the default Admin and the default Users group had no permissions to anything at all), deleting the mdw would mean that database is unopenable at all and Access would just quit. I'd even bet that it has nothing to do with deleting mdw; just open it with the default system.mdw and you'd get the same thing.

Looking over your steps, only two things I can see is that 1) we don't want to use security wizard at all. It just confuses the matter and you can do everything on your own. 2) The list doesn't explicitly say to change the owner of the database. It may be because of security wizard, but I'd want to make sure that the database (not just the database objects, but the database itself) is in fact owned by your custom Admin account.

Perhaps it may be easier to go back to unsecured database and start all over.

 

[fugifox]

Perhaps it may be easier to go back to unsecured database and start all over.

Ok, start it all over and do it totally manually.
I am convinced that problem occurred due to the fact that on some step of the previous guide the security setting are actually applied to the system.mdw file instead of the custom one. That's the reason why removing the custom mdw the DB still opens. It's probably because the owner is wrongly declared to the system.mdw.

Anyway doing the whole process manually I resulted with a properly working security file.
Thanks for the tips!

 

[Banana]

Glad it worked out. Sometime a redo is faster & easier than trying to find what was wrong, which is a big part of why we shouldn't be using wizard- if something went wrong, we don't know exactly what wizard did and didn't.

 

[af4me]

Please help, ms access security

I was reading the thread and am wondering how do you manually create the mdw file and secure your database? Also, If I have the following questions:

1. For testing I created a new mdw file for my new database, now if I want to open other databases that are not secured, why access is asking for password (using my new workgrop file)?
2. How can I associate the newly created workgroup file to the new database only (other databases should use default system.mdw file)?

3. Also, I am copying my new secured database in the network folder for multi-user uses. I do not have back and front end part of the database (entire mdb file will be copied to network). Where should be the newly created mdw file copied?

I will appreciate if somebody can help me.

 

[Banana]

1. Manual simply means doing it without using Security Wizard. All steps can be done using Manage Users/Group and User/Groups Permission and Workgroup Administer.

2. You will definitely want to use a shortcut that has command line option telling Access to open a database using your workgroup mdw. Look in Access help for command line option to see how to write it out in your shortcut file.

3. You simply must split the database or you will have a corrupt database pretty fast on top of other problems such as users unable to open database because it's in use, etc. etc.

 

[af4me]

Reply to Banana from af4me

I thank you for your quick response. If you do not mind, could you please explain how I can run the commandline commands withour user intervention? I am explaining what will happen to my database:

1) Network administrators will create a application launcher file using NOVEL application launcher. This application laucher executes everytime the users log into their computer. The users click on a name of the application that is displayed after the user successfully logs into the network. I guess this is a short to the application file.

Example: Database: mydb.mdb
1. mydb.mdb is copied to network folder for multi-user access
2. Network administrator creates shortcut (application launcher) for the users. This shortcut points to mydb.mdb file
3. When user logs into network, a shortcut with the name of the application is displayed under windows programs folder
4. User clicks on the application name under programs folder of Windows, this opens the database application for mydb.mdb

I am wondering, if I write commandline commands for each user, they have to execute the commandline command before opening the application. I will use a commandline similar to the following:

"C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE" /wrkgrp "d:\networkdrive\myworkgroupfile.mdw"

I will appreciate it highly if you give me some guidance how I can automate the process of opening the application and also link the workgroup file to the database. Thanks

 

[Banana]

In Windows, you simply point to your database, right-click then select "Create Shortcut.."

Then right-click on newly created shortcut then choose "Properties". There, you will see a line for Command. Replace that command with your commandline options, then instruct your users to use that shortcut (and perhaps superficially hide the database so they dont' get confused and try to open the database itself directly).