Protecting the Back End via Windows Folder Permissions (1 Viewer)

GSTEEL320

New member
Local time
Today, 03:51
Joined
Nov 11, 2018
Messages
10
Hello All,

I've taken a look at similar threads, but I'm not sure I've found the right answer.

I have a DB, split, with the front and Backend within the same (Shared) network Folder.

Can I use any of the settings on the network folder to continue to let users read and write to the DB, without having the ability to "open" the folder in the File explorer and delete either the Front or Back end ? Would setting the folder permission to "read" only still allow the database be updated with records ?:

Many thanks in advance.

1621932057595.png

Full control: Allows users to read, write, change, and delete files and subfolders. In addition, users can change permissions settings for all files and subdirectories.
Modify: Allows users to read and write of files and subfolders; also allows deletion of the folder.
Read & execute: Allows users to view and run executable files, including scripts.
List folder contents: Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only.
Read: Allows users to view the folder and subfolder contents.
Write: Allows users to add files and subfolders, allows you to write to a file.
 

gemma-the-husky

Super Moderator
Staff member
Local time
Today, 10:51
Joined
Sep 12, 2006
Messages
15,613
As I understand it, access needs full permission on both the front end and backend folders, in order to be able to manage the laccdb/ldb locking file.

You might be able to hide the true backend from users by having the database link to a different hidden folder at startup, and then delete those links at closedown.- that might hide the true nature of things.

If security is so important, you really are better using sql server or similar.
 

arnelgp

..forever waiting... waiting for jellybean!
Local time
Today, 18:51
Joined
May 7, 2009
Messages
19,169
name your shared folder and add "$" suffix (without quote).
this will make your folder "invisible" to the naked eye.
 

NauticalGent

Ignore List Poster Boy
Local time
Today, 06:51
Joined
Apr 27, 2015
Messages
6,280
name your shared folder and add "$" suffix (without quote).
this will make your folder "invisible" to the naked eye.
That is interesting...going to have to give it a look. Good tip
 

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 05:51
Joined
Feb 28, 2001
Messages
26,996
From the strict viewpoint of permissions, users MUST have MODIFY (high-level designation) rights both to the BE file and the folder in which it appears. This is because whoever is the first user of the day to open the BE file is also the person who creates the lock (.LDB) file. Further, whoever is the last user of the day to close the BE file is also the person who deletes the lock file. If that can't happen, the person either will open the file in Exclusive mode - or will open the file in Read-Only mode. But in either case, there will be a problem.

The reason I said MODIFY is that using the broad-brush categories, MODIFY conveys a collection of fine-detail permissions that you really need.

HOWEVER, if you want to protect the folder from the general public and IF you have a domain environment, one strategy is to create a group identifier and assign MODIFY permissions to it. Then make your users members of that group. Make the folder and contents have the GROUP permissions but then for folks who DON'T have the group membership, make it READ ONLY. (This approach was approved by the U.S. Navy and you KNOW they are security-minded.)
 

Pat Hartman

Super Moderator
Staff member
Local time
Today, 06:51
Joined
Feb 19, 2002
Messages
42,970
arnel's solution is what I use. It keeps people from navigating to the folder.

But, I don't keep the master copy of the FE in the same folder as the BE. The user needs full access to the BE folder. The batch file I use would have a reference to the folder for the master FE and I don't want the user to see it because I think he may be able to navigate to the BE folder if he knows its name.

And JIK, each user needs his own copy of the FE. They should NOT be using a shared copy on the server.
 

Galaxiom

Super Moderator
Staff member
Local time
Today, 21:51
Joined
Jan 20, 2009
Messages
12,849
Users need modify on the folder but definitely not Full Control.

I have used the $ hidden shares for years.
 

Pat Hartman

Super Moderator
Staff member
Local time
Today, 06:51
Joined
Feb 19, 2002
Messages
42,970
Users need add/change/delete on the folder holding the BE. If they don't have create/delete and they are the first user, Access will open the app in exclusive mode because it cannot create the lock file and if they are the last user to exit, Access cannot delete the lock file and so will leave it.
 

GSTEEL320

New member
Local time
Today, 03:51
Joined
Nov 11, 2018
Messages
10
Many thanks for all the replies, I've never come across the "$" approach before, which I'll definitely look into. many thanks again.
 

Users who are viewing this thread

Top Bottom