Access/Jet Backend Share Permissions

[JMongi]

I assume that all database users will need full permissions to the local network share that contains the backend, else Access couldn't write to the database.
Split Database; Backend on network share; Fronend on local computers

Is this correct?

 

[theDBguy]

They need, at least, "modify" (read/edit/delete).

 

[JMongi]

Which is enough permissions to do anything really. But, thanks for clarifying for me.

 

[theDBguy]

Which is enough permissions to do anything really. But, thanks for clarifying for me.

Yes, enough for Access users; but hopefully not enough for doing a huge damage like changing permissions or something.

 

[JMongi]

I'll keep that in mind. Just trying to firm up all the various locations, permissions, etc.

 

[theDBguy]

I'll keep that in mind. Just trying to firm up all the various locations, permissions, etc.

Good luck!

 

[Pat Hartman]

They need Add/Modify/Delete permissions on the files or they won't be able to share the BE.

When the first user opens the application, Access has to create a lock file for the BE. That means that the user needs to be able to create files in the folder that holds the BE. When the last person closes the application, Access has to delete the Lock file. That means that the user needs to be able to delete files in that folder. When the user makes any data changes, Access makes notes in the lock file to keep track of what is going on and so the user needs Change permissions.

If Access cannot create the lock file on the BE, It opens the database in exclusive mode and that prevents any other user from doing anything except read the data. If the last user does not have permission to delete the lock file, it remains abandoned. This will eventually cause a problem if no one can delete the lock file because it bloats.

 

[The_Doc_Man]

As the others have stated, you need the generic MODIFY permission on the database itself AND on the folder where it is located. You also need AT LEAST PassThru (an advanced permission) on all parent folders of the folder holding the database. You do NOT need generic FULL CONTROL because you don't need to change permissions or ownership of the files.

 

[JMongi]

Thanks for the info @Pat Hartman and @The_Doc_Man.

Right now, a user would have to know how to browse to the server domain and find the share the BE would be stored in. Currently, I'm the only employee that knows how to do that. That could change in the future (we're a small company). We don't need to sweat unauthorized access too much. I just need to prevent accidental and casual mucking about. I think adding the "$" to the share to make it hidden should be sufficient to prevent unintentional access and prove intentional access if it occurs.

This is just the basics of our DB infrastructure. It's good to get a firm grasp on what is required. Thanks!

 

[Pat Hartman]

Making the share hidden is a good option. YOU link the BE before you place it in the distribution folder and the user NEVER has to deal with linking.

 

[JMongi]

@Pat Hartman - Yes, that makes sense.
That is what I intend. I realize my first sentence in #9 was phrased ambiguously.

I didn't mean I expected users to browse the network to search for a BE. I meant, IF a user already knew how to browse server shares that could potentially be an issue given their need for permissions so that they could use the database BE. As you stated much more clearly than I, hiding the network share used to contain the BE and FE source files and managing the linking before distribution is good security practice to mitigate unwanted intrusion.

 

[gemma-the-husky]

If you give the actual back end folder a less than obvious name, then it wouldn't be apparent.

However note that if a user can get to the database window/navigation pane then hovering over a table will show the correction string. Also if the user can write code he might be able to find data that is otherwise hidden.

If security is such an issue, an access back end is not really the best solution, I think.

 

[JMongi]

Security is not that much of an issue. However, this seems like a simple thing that doesn't make my life much more difficult but adds another layer of knowledge on the end users part to mess something up intentionally or otherwise. And, yes, I do plan on managing the navigation pane visibility as well. Thanks for the input!