Opening a form with a password? (1 Viewer)

[jojo]

I have a form that accepts credit card information. The user wants this to open with a button that asks for a password so that only those with the correct password can use the form. I am sure this is something pretty simple, but is eluding me. Access 2010, windows 7
Thakns for any help, and for all your help in the past! This forum has helped me very much!
Jojo

 

[Galaxiom]

There are very strict rules about storing credit card information at all. You need to start by getting familiar with them and design the secure storage before you contemplate how to give access to users.

I very much doubt that Access could meet the criteria for secure storage and you should be looking at a database server for the data.

 

[jojo]

thank you for your timely reply. Yes, our organization is rethinking its plan and our project manager is researching the options.
I guess it would be useful in general to require that some forms are not available to all users, and should require a password to open. is that possible.? Access 2010, windows 7
thank you

 

[Galaxiom]

With Access backends the file is available to be taken away and hacked to get at the sensitive data.

Sensitive data should be held on a server where the data file itself is not available to the end user and the data itself presented to them by the database server based on strict security assignments.

In database servers such as MS SQL Server the security to read or write can be set for individual fields in each table. Security supports user groups and can be based on the Windows login of the machine accessing the data.

You can still have Access as the front end.

 

[jojo]

thank you again for taking the time to reply!
In our setup, the BackEnd is always on a secure server and the front end on each user's local drive. Would that be secure enough?
They could give the one or 2 people that handle credit cards the form on the front end, and keep it off the other users' front ends.
I'm not sure what they are planning at this point.
Jojo

 

[Galaxiom]

With an Access backend the user must have rights to the file itself so it is easy for them to take a copy of the file. Once they have that they can brute force the password at their leisure.

You could put the credit card information in an entirely separate database with limited permissions and visibility.

However with something you are just starting out on the way to go is a database server backend. It isn't really that much harder than using Access as a back end.

Microsoft's SQL Server Express is free with the limitation of databases not exceeding 10GB while using 1GB of RAM and one processor.

Access is limited to 2GB per database so you are ahead already with the server before you consider the security and potential performance benefits of using the server.

There are also other free database engines without the limits such as MySQL and Postgre.

 

[Galaxiom]

Payment Card Industry Security Standards Council is the organisation that sets the standards for working with credit card information.

https://www.pcisecuritystandards.org/

A thorough understanding of the standard is important when doing any work with credit cards.

 

[DavidAtWork]

Putting the security issues to one side for a minute, it would be possible to operate the form with password entry. Create a small form with a single text box, the user enters the password and using the strComp function you can verify the password is correct, if correct then this form closes and the credit card info form opens. If all required CC info fields are completed, then this data can be passed to the dedicated secure CC info back end server. Connection to this server is only made at the point of passing the data and then closed again. Permissions to this secure back end will typically be datawriter only

David

 

[jojo]

Thank you so much, DavidAtWork for your reply about strComp. That is a good strategy to keep in mind for other, less sensitive information needed on forms. Does that mean that if you're getting the string from the user, you have to hard code the correct string? Is there any other way?

 

[DavidAtWork]

Jojo, no it doesn't have to be hard coded, you can have a back-end table that stores the password(s) allowing it to be changed on a regular basis. Once again connection to this table would only be at the point of password entry, once verified the connection can be broken and your CC info form can be opened.

David