Security

mafhobb

Hi all,

I posted this a while ago, but I was not successful at understanding what was going on. I hope that maybe somebody has a better explanation now.

I created a simple database (Airplane.mdb) with a security file (Airplane.mdw) to secure it. A little later, my database got cloned and then heavily modified to be used by another group. The db got renamed as did the security file (car.mdb and car.mdw).

There are some common users in both databases (same username and possibly password), but they have different permissions.

The problem comes in when one user logs onto one database using the shortcut provided (calling for the mdb and mdw files) and then opens the 2nd database through the Access menu bar ("File", then "Open", then chooses the name of the other database).

If this is done, that second database will be opened without going through its login screen and the user will get the permissions granted by the 1st database that was opened, granting the wrong access.

What is happening? Why is it that the mdw file for the 2nd db does not get loaded?

Thanks

mafhobb
 
Send me a PM with an email address and I will send a couple of documents that discuss access security in depth. They may help. I cannot post them here because they are too large.

Len

P.S. Personal message. Click on my name on post header
 
I am searching this exact same issue. I have a db on the network with the mdw file in the same network folder. As long as the user uses the icon I provide with the db and mdw locations configured everything works well. But if they open Access first and then navigate to the data base it opens using their local mdw file ... which has Admin user (with Admin and User groups assigned). This bypasses the network mdw file which has only the User group (which has no permissions) assigned to the Admin user.

I've read all the security documentation out there and I can't find anything that addresses this issue. I'm waiting to hear back from Microsoft technical support (at a hefty cost). I will post their response when I receive it.
 
This occurs because the default MDW file has Admin with no password, which means when you connect, you are in.

The right way to secure a database can be found by searching this forum for the topics "Securing a Database" and "Workgroup Security."

Hint: It is not enough to copy a workgroup file to clone it. That does nothing useful by itself.

Hint #2: Workgroup security involves the registry, which remembers the last workgroup you joined. Changing databases doesn't change workgroups.

The iconic method of doing this usually involves adding a command-line option to force use of a particular workgroup file. But if that file wasn't secured properly, you have closed the barn door after all the horses left already.
 
Thanks for your feedback. I do use the command line within a desktop icon to point to the custom.mdw file, which resides in the same network folder as the customer.mdb data base. I don't know if I was pointing to the default system.mdw file at the time when I set up the security or not. It's not consistent with each user, so I'm guessing more than one MDW file is being used.

The real question I have is what do I do now to this data base to set it up with a single custom.mdw file pointed to the custom.mdb so that no matter how anyone opens the data base (directly or with the command line provided in the desktop icon) they follow the single user level security I defined. Any thoughts would be appreciated.

Thanks,

Kurt
 
kurtwjohn,

Yes, we both have the exact same problem. I have done quite a bit of research, including reading docs sent by Len Boorman to try to figure it out.

While I understand the basics of what is being discussed, implementing a solution is a bit above my Access level. If anyone or if you can figure out a solution, post it so we can all benefit.

BTW, kurtwjohn, do you want me to send you a PM with the documents Len sent me to see if you can understand them better?

mafhobb
 
mafhobb,

Yes. Please send it to me. I'll take a look at it. If it's from this forum, I may have already read it. But you never know. I did speak with the Microsoft support person today. He said that I needed to use the wizard to set up the security. I tried it, but it didn't solve my problem. Users could still launch Access and then open the file directly without using the icon shortcut I provided (which contains the path to the custom.mdw file). I got the sense that he was just running through the responses provided to him by his KM. I'll be talking with him again tomorrow to look at other options. I'll post again, when I've found a solution.

Kurt
 
I also found this link with pretty good documentation, which appears to address what I think is going to be the solution (towards the end of the document). I think the problem is that I was logged in as the "generic" Admin owner when I created the database instead of following the instructions outlined in the link below. And according to the link you can't ever delete the original owner (who is Admin by default). So, the link describes how to create a "custom" owner and then copy the data base into a new file owned by this "custom" owner. Thereby getting rid of the default Admin owner. I'll try it out tomorrow.


http://www.grahamwideman.com/gw/tech/access/accesssec/index.htm
 
Can you send me an e-mail other than the forum's so I can attach the files?

mafhobb
 
I was finally able to secure the data base. I used a combination of the paper referenced above regarding creating a new owner and using the security wizard as Microsoft had suggested. I tried one solution then the other, but neither one alone locked out a user accessing the db directly (not going through the shortcut). The only thing that finally worked was doing both. My approach is described below. There may be a step or two that really don't impact security, but it was such a guessing game (even for the Microsoft support person I spoke with) with lots of trial and error that I would recommend following it closely. I was so frustrated that if one of the steps had me jumping up and down three times facing North I would have gladly done it.

1) Open access and create a new workgroup file (something.mdw) with a name other than system.mdw. Don't create or open a database yet - just stay in the main Access window. Use Tools>Security>Workgroup Administrator to create the new workgroup file (something.mdw) and put this file in the network folder where you'll be placing your database.

2) Check to see if you're joined to the new workgroup by going to Tools>Security>Workgroup Administrator. If you are not joined to the new workgroup file (mdw), then close Access and launch again. Join the new workgroup you just created by going to Tools>Security>Workgroup Administrator and press the "join" button and navigate to the folder the new one is in and select it.

3) Then add a new user ... something like "SuperAdmin" and give them Admin group and User Group rights. Leave the Admin user with both Admin group and User group rights for now.

4) Logout as Admin and login as "SuperAdmin." This was difficult to make happen. There's not an intuitive way to make Access prompt you for a login. It seemed to occur for me when I closed out of Access, came back in, and then went to Tools>Security>User and Group Accounts. At the prompt enter user id "SuperAdmin" with password of blank. Once in change your password by going to Tools>Security>User and Group Accounts and select the Change Login Tab. Leave "old password" blank and enter a password in the "new password" and "verify" fields. Hit OK, then close Access.

5) Open Access and go to Tools>Security>User and Groups. It should prompt you to login. Enter "SuperAdmin" and the new password you entered before. You should be at Tools>Security>User and Groups. Select the user "Admin" and revoke their Admin group rights. They should only have User group rights.

6) Now create a new database while you're still logged in as SuperAdmin pointing to the new workgroup file (something.mdw). By doing this you are defining the SuperAdmin as the original owner of the data base instead of the generic, default "Admin" user. Put it in the same network folder. The next step will create a "2nd" new workgroup file in this same folder. And this is the mdw file you will want to use.

7) While in the new data base, logged in as "SuperAdmin" and pointing to the 1st, new workgroup file (something.mdw) launch the security wizard by going to Tools>Security>User-level Security Wizard. Select the "Create new Workgroup Information File" radio button. On the next page make sure the "file name" field at top is pointing to the network folder where the final data base will go (use the browse button). Even though it's greyed out, you can scroll to see that the path is pointing to your "something.mdw" file. Make sure you either use the WID provided or enter your own. Either way it's a good idea to copy it down somewhere (you won't need it for this, though). Finally, on this page make sure the "I want to create a shortcut to open my security enhanced database" radio button is selected. Select next, and you'll see all the tables, forms, etc. They will be blank because you don't have anything in this data base yet. Select next again and you'll see a list of pre-formatted user groups. You can add these later. Select next again and select "no, the Users group should not have any permissions." Select next again ...

8) This next step is important. You'll see a listbox with just one userid below a function to "Add New User". Access considers the one User as you and you can't delete it here. You want to add the "SuperAdmin" user here and give them a password. You'll need this new user id and password to get back in to this database. You now have two users. Select next ...

9) The page will default to that original User ID on the previous page with "Admin" group rights checked. Uncheck this. Then select the "SuperAdmin" from the dropdown list and give them the "Admin" rights. Select next.

10) The next step is going to back up the database as unsecured in the same folder location you placed the new data base in. It will also put a shortcut on your desktop with the appropriate configuration that contains 3 pieces of information: 1st the location of the Access.exe, 2nd the location of the database, and 3rd the location of the mdw file. This process will create the 2nd workgroup file and call it Security.mdw. It will be located in the same folder as your data base. Finally, it will provide a report of the configuration for you to print, but it will force you to create a png file and store it in the same folder with your data base.

11) Now you'll need to import all the objects from the old database with the lousy security. First you need to go into that database and grant the User Group with all the rights. Open the lousy data base and go to Tools>Security>User Group and Permissions. Select the "Groups" radio button and then select the User Group. Then using the drop down to the right go through all the objects (data base, table, forms, etc.) and highlight everything and check every permission checkbox below and apply. Do this for every single object in the data base. By doing this you are opening this data base wide open so that you can copy it into the new data base you created. If you don't you won't be able to import it into the new data base.

12) Close Access, then using your desktop icon, launch the new data base and go to File>Get External Data>Import. And import everything. I noticed that some of my forms didn't work when I did a mass import. I had to try to open all of them in design mode to see if they opened. If they didn't I just re-imported them one by one. I made sure I imported any child forms before the parent forms (not sure if this made a difference or not, but I didn't want to take any chances).

13) Once everything is imported you'll have to go back into Tools>Startup to point to the correct form to launch and the other configurations selections you may have made in your old data base.

14) You will need to recreate your user groups and user id's now. I used the manual method to create them at this point rather than use the wizard again. Go to Tools>Security>User and Group Accounts to create your custom user groups and user ids. Go to Tools>Security>User and Group Permissions to create your permissions.

15) Finally, I deleted that original user ID I saw when I went through the Security Wizard in step 8. You also want to make sure your Admin user (that you can't delete in Access 2003 now) only has the User Group rights.

I was able to rename the Security.mdw file created by the wizard without it impacting security. But you need to update the file name on the shortcut, too.

That's it. Good luck.

Kurt
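
A check that can be run once the steps above are finished, added here as an example and not part of the original post: it tries to open the database as user Admin with a blank password through an unsecured workgroup file, which is the identity a user gets when they start Access first and then browse to the file. Both paths are placeholders (assumptions), and the script assumes 32-bit Windows PowerShell with the Jet 4.0 OLE DB provider installed.

```powershell
# Added example. Run in 32-bit Windows PowerShell: the Jet 4.0 provider is 32-bit only.
param(
    # Placeholder paths (assumptions): the secured database, and an unsecured
    # default workgroup file such as the per-user one Access falls back to.
    [string]$Database   = '\\server\share\custom.mdb',
    [string]$DefaultMdw = "$env:APPDATA\Microsoft\Access\System.mdw"
)

function Test-DefaultWorkgroupAccess {
    param([string]$Database, [string]$WorkgroupFile)

    # Same identity as opening the file without the shortcut:
    # user "Admin", blank password, default workgroup file.
    $cs = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=$Database;" +
          "Jet OLEDB:System database=$WorkgroupFile;User ID=Admin;Password=;"
    $conn = New-Object System.Data.OleDb.OleDbConnection($cs)
    try {
        $conn.Open()
    } catch {
        # Expected on a correctly secured database: Jet refuses the open.
        return [pscustomobject]@{ Opened = $false; Readable = @(); Detail = $_.Exception.Message }
    }
    $readable = @()
    try {
        # List user tables, then try to read one row from each.
        $restrict = [object[]]@($null, $null, $null, 'TABLE')
        $tables = $conn.GetOleDbSchemaTable([System.Data.OleDb.OleDbSchemaGuid]::Tables, $restrict)
        foreach ($row in $tables.Rows) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = "SELECT TOP 1 * FROM [$($row['TABLE_NAME'])]"
            try { $cmd.ExecuteReader().Close(); $readable += $row['TABLE_NAME'] } catch { }
        }
    } catch {
        # Schema listing was denied; the successful open is still a finding.
    } finally {
        $conn.Close()
    }
    [pscustomobject]@{ Opened = $true; Readable = $readable; Detail = 'Opened as default Admin' }
}

$result = Test-DefaultWorkgroupAccess -Database $Database -WorkgroupFile $DefaultMdw
if ($result.Opened) {
    Write-Warning "FAIL: $Database opens with the default workgroup; readable tables: $($result.Readable -join ', ')"
    exit 1
}
Write-Output "PASS: default workgroup refused ($($result.Detail))"
```

A PASS means the open was refused for the default Admin identity; a FAIL lists the tables that identity can still read, which points at permissions left on the Users group or at Admin still owning objects.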
 
Kurt

Although I do not have the problem I must admire the degree of effort and detail of your post.

You appear to have resolved your problem and probably greatly assisted another forum member.

Your post will also assist many others in the future who "lose their way with security" to return to the true path.


Len
 
Len,

Thank you. I have gained so much help from this forum that I was glad to offer something in return.

Kurt
 
HELPED ME OUT TREMENDOUSLY IN UNDERSTANDING MDW. THANK YOU.

ON A SIDE NOTE...

I don't understand why Access doesn't have a more straightforward and secure "security" principle.

*Why there is no option to prompt for credentials if someone wants to link to the tables of your access db or even deny this from happening period.

*Why there is no easy way to specify what mdw file you want to use.

etc.
 
