Security

[Bee]

Hi,

I followed the security wizard and everything worked fine. However, when I move the database to another computer or another folder, it prints this message:

'You don't have the necessary permission to use (path)...'

Is there anyway to avoid this please?

Thanks,
B

 

[Len Boorman]

I have a couple of documents dealing with Security. They are too big to post here but if you PM me with an email address I will gladly send them.

If you have not read the security FAQ's then following the security wizard has probably not actually helped you a great deal. It is a bit of a minefield

Len

 

[Bee]

I have a couple of documents dealing with Security. They are too big to post here but if you PM me with an email address I will gladly send them.

If you have not read the security FAQ's then following the security wizard has probably not actually helped you a great deal. It is a bit of a minefield

Len

Cheers, you can send me them on this e-mail.
reda217@hotmail.com

 

[Bee]

Cheers, you can send me them on this e-mail.
reda217@hotmail.com

Hi Len Boorman,

Thank you for your security documents. While reading the "How I use Microsoft Access user-Level Security", I came across a few things that I did not understand. I wonder if you could possibly explain them to me please?

According to my understanding, it's important to create a workgroup(s); however, whenever MS Access is first run, it should log on using the default workgroup. Then, users should log onto the secured database using a diffrent shortcut that is linked to the workgroup(s) that was created.
Is that right?

Also, how about if somebody else got their hands on these shortcuts?

Thank you,
B

 

[Len Boorman]

Hi Len Boorman,
According to my understanding, it's important to create a workgroup(s); however, whenever MS Access is first run, it should log on using the default workgroup. Then, users should log onto the secured database using a diffrent shortcut that is linked to the workgroup(s) that was created.
Is that right?
B

Yup that's about right

Forgive me if I explain something you already know.

When you start an access database you actually always open it in secured mode. By default you log onto the application as Admin with a blank password. These settings are contained in system.mdw.

When you securte a database you create another mdw file (workgroup) that is linked to the application.

So the secured application will only open if you have joined the correct workgroup (mdw file) and supply the correct logon and password details.

No Access has this habit or remembering which workgroup you are in so if I join a workgroup called fred and open a secured database called fred then all is well.

I close that database and open another supposedly unsecured and I will be prompted for a logon and password...why...because I am still a member of the workgroup fred and have not rejoined the default system.

The documentation describes how you can add a modifier to the shortcut used to open the database to tell the shortcut which mdw file to use on that one occassion. It is only a location of the mdw file so if somebody nicks the shortcut then they will still have to supply a logon and passord to open the database.

If you add this modifier to the shortcut after exiting the secured application you can open another and now you are joined to system.mdw (the default) exactly as normal

You can appreciate why you never ever use the system.mdw file to secure a database.

That'sa bit of a waffle but hopefully you understand what I have been trying to say

Len

 

[Bee]

I understood everything, but i am still not sure about one thing though. When you first log onto the database, what gets displayed? Is it an empty database, a dummy one? because it won't open the secured one obviously.

 

[Bee]

Yup that's about right

Forgive me if I explain something you already know.

When you start an access database you actually always open it in secured mode. By default you log onto the application as Admin with a blank password. These settings are contained in system.mdw.

When you securte a database you create another mdw file (workgroup) that is linked to the application.

So the secured application will only open if you have joined the correct workgroup (mdw file) and supply the correct logon and password details.

No Access has this habit or remembering which workgroup you are in so if I join a workgroup called fred and open a secured database called fred then all is well.

I close that database and open another supposedly unsecured and I will be prompted for a logon and password...why...because I am still a member of the workgroup fred and have not rejoined the default system.

The documentation describes how you can add a modifier to the shortcut used to open the database to tell the shortcut which mdw file to use on that one occassion. It is only a location of the mdw file so if somebody nicks the shortcut then they will still have to supply a logon and passord to open the database.

If you add this modifier to the shortcut after exiting the secured application you can open another and now you are joined to system.mdw (the default) exactly as normal

You can appreciate why you never ever use the system.mdw file to secure a database.

That'sa bit of a waffle but hopefully you understand what I have been trying to say

Len

I understood everything, but i am still not sure about one thing though. When you first log onto the database, what gets displayed? Is it an empty database, a dummy one? because it won't open the secured one obviously.

 

[Bee]

Yup that's about right

Forgive me if I explain something you already know.

When you start an access database you actually always open it in secured mode. By default you log onto the application as Admin with a blank password. These settings are contained in system.mdw.

When you securte a database you create another mdw file (workgroup) that is linked to the application.

So the secured application will only open if you have joined the correct workgroup (mdw file) and supply the correct logon and password details.

No Access has this habit or remembering which workgroup you are in so if I join a workgroup called fred and open a secured database called fred then all is well.

I close that database and open another supposedly unsecured and I will be prompted for a logon and password...why...because I am still a member of the workgroup fred and have not rejoined the default system.

The documentation describes how you can add a modifier to the shortcut used to open the database to tell the shortcut which mdw file to use on that one occassion. It is only a location of the mdw file so if somebody nicks the shortcut then they will still have to supply a logon and passord to open the database.

If you add this modifier to the shortcut after exiting the secured application you can open another and now you are joined to system.mdw (the default) exactly as normal

You can appreciate why you never ever use the system.mdw file to secure a database.

That'sa bit of a waffle but hopefully you understand what I have been trying to say

Len

I understood everything, but i am still not sure about one thing though. When you first log onto the database, what gets displayed? Is it an empty database, a dummy one? because it won't open the secured one obviously.

 

[Bee]

sorry I did not mean to post it three times. Something wrong must have happend.

 

[Len Boorman]

That's quite a question really.
1) Secured database. In this circumstance you will be prompted for a logon and password provided that you have joined the correct work group (I think). What is displayed depends on startup properties and/or autoexec macro
2) Unsecured database but last workgroup was not system.mdw. Again prompted for logon and password and again what is displayed depends on startup properties and/or autoexec macro

3)Unsecured and workgroup system .mdw. Depends on startup properties, autoexec macro

The reason behind the I think earlier was that I am not sure myself.

If prompted for logon and password then failure to provide correct responses will create a failure and teh database will not open at all. All you get I believe is a failure notification.

Hope that helps

Len

 

[swilkie]

Same problems

Hello Bee and Len,

I am having similar problems with setting up security. I have set-up a workgroup and built in user/group persmissions. However, when I put the database on the server, my co-workers can open it with access to everything. They are not prompted to enter a user name and password. I am certain this has to do with how I set-up the workgroup.

I have gone pretty far into this - how do I recover?

Thanks in advance for your assistance!

-Sue

 

[NHC]

Security Docs

Any chance I could get a copy of those too, I'm having a similar problem. My e-mail is genealogy@norfolklore.com Thank a lot!!!

I have a couple of documents dealing with Security. They are too big to post here but if you PM me with an email address I will gladly send them.

If you have not read the security FAQ's then following the security wizard has probably not actually helped you a great deal. It is a bit of a minefield

Len

 

[swilkie]

Len,

I would like a copy as well - my email address is susan.wilkie@rtp.ppdi.com.

THANKS!

 

[Len Boorman]

Hello Bee and Len,

I am having similar problems with setting up security. I have set-up a workgroup and built in user/group persmissions. However, when I put the database on the server, my co-workers can open it with access to everything. They are not prompted to enter a user name and password. I am certain this has to do with how I set-up the workgroup.

I have gone pretty far into this - how do I recover?

Thanks in advance for your assistance!

-Sue

Give me an email address and the documents will be on their way

Len

 

[The_Doc_Man]

What is going on here is this:

1. When you install Office/Access, part of the process is to create a blank workgroup file and register it in your machine's registry. REMEMBER that when you say "in your registry" that it must be done on every machine because every machine has its own different registry file(s).

2. The blank workgroup created by installation contains default groups User and Admins ("s" on the end) and default user Admin (no "s" on the end.) There is a BLANK PASSWORD for user Admin, which is a member of both the Users and Admins groups. By default, the Admins group has every right in the book for every object in the MDB file. I don't recall off the top of my head what the Users group has, but at the very least they can read or see EVERYTHING.

3. If a database has not been properly secured, that means (among other things) that it uses the default WKG file created by the installation process. Which means, Admin user has no password and every right in the book. So if someone else installs Office/Access and connects to an incompletely secured MDB file, or an unsecured one, you are pointing to a copy of the same WKG file - the one that was loaded from the install kit. Which is why everyone and his/her brother-in-law can get into the unsecured database. Same WKG.

4. Securing the MDB file includes but is not limited to making a non-default WKG for it. This involves several steps. Like changing the file name, moving the file to the share location, adjust its permissions so it cannot be deleted by your average user... stuff like that.

The step that stops random browsers is this: Make another account that is also a member of the Admins group. Then REMOVE the Admin account from the Admins group. Leave it in Users group. Also assure that the Users group either has no permissions or read-only permissions. I'm not sure if this factor has changed, but it used to be that you could never remove a user from the Users group - but you CAN tailor permissions for the Users group.

I'm sure Len's document contains lots of other good ideas. But the step I described above is the one that makes the difference.

5. Once you have the MDB properly secured, your users will have to use the correct WKG file to get in. They can do this either by manually joining the correct workgroup OR if you use the command line option in the icon, YOU reference the correct workgroup for them.

The question about "what if someone gets into the icon?" is simple: If you are the administrator and don't allow blank passwords for logins, they will not get anywhere in accessing the MDB file without a valid username/password combo.

The other thing to remember is that a workgroup is in each machine's registry. If you have only one MDB that needs to be accessed, it does not really matter that much if the users manually connect to the WKG. But if they have many different MDBs and many different WKGs, you do them a big favor by using the icon and mucking about with the command line to make the icon connect for them.

 

[Len Boorman]

Your on the money again Doc_Man. the documents I have are not mine but are the security FAQ's etc and do deal with the whole security issue including the Admin with blank password issue. I cannot type as well as you so went for the short answer

Len

 

[swilkie]

Workgroup shortcut - do I delete?

Once I create the workgroup shortcut and my users have successfully joined the workgroup. Do I delete the shortcut?

I would think that I would have my users use this shortcut all of the time to access my database to ensure they are connecting to the correct workgroup file each time.....is this assumption correct?

 

[ghudson]

Once I create the workgroup shortcut and my users have successfully joined the workgroup. Do I delete the shortcut?

I would think that I would have my users use this shortcut all of the time to access my database to ensure they are connecting to the correct workgroup file each time.....is this assumption correct?

Why would you delete the shortcut? How else will they open your secured db? The shortcut does not join the computer to the workgroup...it opens the db with the correct workgroup.

 

[lilFlip]

I know that this thread is pretty old, but i have a question along this line.

I have inherited an Access application that has all the forms/macros/queries/tables in one mdb file. We added our own Login table which contains employee data in it. We added a splash screen which allows them to log into the application using our internal tables. I have implemented the Shift key block that ghudson showed in other threads. Now, what I would like to do is lock the db down further preventing those that have the ghudson tool to set/clear the lock property.

From what I have read it sounds like I need to implement the workgroup security level into the application/database. BUT from what I have read, it will implement the login/password for the workgroup thus making my users log in twice. Is that correct? Or, is there a way to implement the default Admin user with no password but no access to the structure of the database (mdb) file?

Does this make sense, or am I appearing to talk in circles that no one can follow?

Any help is greatly appreciated as I am new to Access...

 

[ghudson]

You can add workgroup security and not require a password [but they still need a user name for the workgroup security]. The user still needs to use a custom shortcut to open the secured db with the correct mdw file and you can simpify the login by putting the user name in the target value of the custom shortcut. That will still make the db custom secured but not require them to key in a user name and password to open the db. I have mentioned this before somewhere in this forum and there are other examples of how to format the target value of the custom shortcut. Then you can still use your custom login that you have added to your db.