- Local time
- Today, 13:36
- Joined
- Oct 29, 2018
- Messages
- 22,511
If that's the case, I would strongly suggest you abandon using Access and use a more secured platform instead. Just my 2 cents...
Spllited Database risk over LAN Network challenge ,please how to Secure?
- Thread starter kokowawa
- Start date
thank you @The_Doc_Man , you always explain things in details and easy way that make me understand most of it and surf the internet to know more about what i didnt understood .
i will read more about ACL and will consult an I.T. friend .
replying the part of "nobody except the group members and system staff will touch those files." all staff are the same for me , everybody who access or can reach these file are a thread for me , i have to treat everyone as untrusted , so i have to secure it from all sides .
i want to reach to the point that no one whatever he try he will not have any chance but the FE to deal with
in your post below , i was asking if you would kindly make a video on youtube or so to do an example so i can try it out by myself and dont miss any step.
https://www.access-programmers.co.u...ith-traverse-permissions.312264/#post-1702051
thank you
unfortunately Access is what i know to do it with , i didnt study any other programming language .
- Local time
- Today, 13:36
- Joined
- Oct 29, 2018
- Messages
- 22,511
Then, I would also caution you to not expect Access to prevent all the things you're trying to avoid. It just can't do all that. You can only go so far with Access; but hopefully, it would be enough for you. Good luck!
isladogs
MVP / VIP
- Local time
- Today, 21:36
- Joined
- Jan 14, 2017
- Messages
- 18,799
For your description, I would strongly recommend you learn how to move your data to SQL Server Express and use that for the BE
No matter what security you add, Access is file based and it will still be theoretically possible for someone to steal your files.
Even if you follow all the steps I outlined in my articles and encrypt your data as well, anyone with authorised access to your file will be able to retrieve the data, even if it is taken directly from the screen one record at a time.
Last edited:
- Local time
- Today, 21:36
- Joined
- Feb 19, 2013
- Messages
- 17,422
I would also add, if you are effectively trying to protect the data from your users stealing it, you need to make sure users cannot run a report that lists all customers, forms that do not list all customers and perhaps even disable the ability for a user to copy/paste or take screenshots - although they could always use a camera to take a picture of the screen, or use pen/paper.
isladogs
MVP / VIP
- Local time
- Today, 21:36
- Joined
- Jan 14, 2017
- Messages
- 18,799
@CJ_London
Good point about reports / forms showing all records.
I will add that comment to my website article when I update it in the near future
Good point about reports / forms showing all records.
I will add that comment to my website article when I update it in the near future
i already started learning SQL , and have even tried to upload data to SQL server but not SQL Server Express , it was SQL 2014 /2019 but i faced errors uploading the data , and learning now how connect it , i am just collecting all my questions and will make a thread about it asking for help.
i believe following your security points will maximize the protection to the top level can access reach .
i already have a permission level for every single form , report , function , button in the FE using VBA that prevent the user from opening anything he is not authorized to use.
below is some screens from the security i did .
isladogs
MVP / VIP
- Local time
- Today, 21:36
- Joined
- Jan 14, 2017
- Messages
- 18,799
My apps use a menu system where users only see those forms/reports they have permission to access.
Similarly, many forms will show different functionality depending on users' security levels.
A quick way to manage the visibility of a group of controls in one line of code is using the tag property.
Thanks for your comments about Access security based on my articles.
I doubt you can make them more secure by methods I haven't covered in one or more articles / example apps.
However, SQL Server (Express or paid versions) can be made far more secure
Similarly, many forms will show different functionality depending on users' security levels.
A quick way to manage the visibility of a group of controls in one line of code is using the tag property.
Thanks for your comments about Access security based on my articles.
I doubt you can make them more secure by methods I haven't covered in one or more articles / example apps.
However, SQL Server (Express or paid versions) can be made far more secure
- Local time
- Today, 21:36
- Joined
- Feb 19, 2013
- Messages
- 17,422
Not quite what I was saying - if someone is authorised to view the entire list of customers - you are happy with that?
Since you are going 'full belt' security, another element you perhaps need to concern yourself with is sql injection. If you do not handle manual user input correctly, someone who knows what they are doing could potentially login as someone else, even list tables and contents of tables.
Some references
W3Schools.com
W3Schools offers free online tutorials, references and exercises in all the major languages of the web. Covering popular subjects like HTML, CSS, JavaScript, Python, SQL, Java, and many, many more.
SQL injection - Wikipedia
i have learned a lot from you and this respectful forum and keep learning everyday something new . the thanks is to you and all helped me that i didn't mention here .
my permissions are based on VBA code that will trigger the action after checking the permit table belong to this user on the click or form open or after update. this allow me to customize permission per user , not like other methods which create profiles and make the user follow this profile
Isaac
Lifelong Learner
- Local time
- Today, 13:36
- Joined
- Mar 14, 2017
- Messages
- 11,053
+1
If my company needed a system where the everyday end-users of this system were truly hungry to steal its valuable data, I would not use Microsoft Access, at least not if I wanted a reference for my next job
What would you use?
Isaac
Lifelong Learner
- Local time
- Today, 13:36
- Joined
- Mar 14, 2017
- Messages
- 11,053
Come to think of it a bit more, I'd question creating the system at all.
Give end-users access to pull up records, which they are known to want to steal the information from? Doesn't make sense.
- Local time
- Today, 21:36
- Joined
- Feb 19, 2013
- Messages
- 17,422
To protect your data from being stolen by someone copying the file use sql server/mysql back end. Otherwise protect it further with a password and perhaps encrypting critical fields. But the access vba front end will contain the password and/or encryption process - so save front end as .accde. Even then for someone who knows how, the password can be recovered and even possibly the decryption algorithm. With a web based solution, that is all server side (backend) - so you need to encrypt/decrypt the password with your client based solution
with regards the front end - access is client based otherwise you are talking web based. web based products are more exposed to hacking, client based less so (much smaller pool of potential hackers). Also a lot more maintenance work as the web is a volatile place.
but data is exposed in the front end, and that comes down to front end design (access/web/whatever) to provide minimal exposure of data to users.
So best solution is probably to use something like a (truly) compiled client based solution (using something like C# or .net perhaps) which generates a .exe file in combination with sql server/mysql - and still minimise data exposure with front end design. But reckon on development time being 10 times longer or more since access is a rapid application development tool .i.e. you can develop apps quickly, it is not a full application development suite - try visual studio. And before you ask, no, you can't upsize access to visual studio.
The point is anything that comes on the screen, can be theft in a way or another. As somebody explained above, one record at a time, taking photos, taking screen captures, etc etc. No matter which software is in use.
I'm still a student and very new to databases to give any opinion on this. I can only talk about our system here and how the organizations and offices try to keep personal data not to be sold.
Our system here, doesn't show any personal data on the screen. Even the staff that we are talking to, don't know anything about our personal info. Imagine I go to a travel agency and book a flight. The lady only knows my ID. This is the ID I've been given the first time I used that store. She know nothing about my name, my mobile No, or even my mail address. Her screen only shows my ID and the details about my flight. The only thing she know about me is the young kid sitting in front of her, my ID and the info about my travel.
If I call them later and ask for a change in my plan, they don't ask for my name. They ask for my ID, then for my password to be sure I'm me and not someone else. The password process is safe. They put the telephone on hold, a message tells me to push my password using my mobile push keys and add a # at the end to show I'm done. And even during this process I can here a noise. This noise is to prevent the staff to listen to the sound of my pushes and guess what my password maybe. The staff just waits until the system checks my password against my ID.
If the staff receives a message on her screen that my password is passed, she can continue with the changes that I want. The changes in my purchase is mailed to me after it's done. It's another automatic procedure behind the curtain. No body knows my actual name, address, mail, TL No or anything else.
The point is don't show personal data on screen. As I said in my first post above, using sql server as the backend and password protecting the server is the first factor to think about. Confidential data is encrypted and is separated in numinous tables in sql server. Front end contains nothing except forms to show only a part of data. One should be smart enough to write a solution to prevent data theft. I accept that using an stand alone program written in #C or other languages is a better choice. But even Access as a Front End can be used in a way to prevent data theft if the program is written in a way to give no clues on what's happening behind the curtain. (nothing is %100 secure).
PS: Once during one of our classes, I had a chance to check an actual database that has been used about 10 years ago as a BE of a mobile shop. The tables were emptied and was field with several unreal data.
There was 24 tables for saving customers' postal address. Even having the database we had no clue to pull out a customer's full name and his postal address.
Once again, Not that I'm trying to tell any idea above is wrong. I'm still a student and do know nothing about the depth of this world.
I'm still a student and very new to databases to give any opinion on this. I can only talk about our system here and how the organizations and offices try to keep personal data not to be sold.
Our system here, doesn't show any personal data on the screen. Even the staff that we are talking to, don't know anything about our personal info. Imagine I go to a travel agency and book a flight. The lady only knows my ID. This is the ID I've been given the first time I used that store. She know nothing about my name, my mobile No, or even my mail address. Her screen only shows my ID and the details about my flight. The only thing she know about me is the young kid sitting in front of her, my ID and the info about my travel.
If I call them later and ask for a change in my plan, they don't ask for my name. They ask for my ID, then for my password to be sure I'm me and not someone else. The password process is safe. They put the telephone on hold, a message tells me to push my password using my mobile push keys and add a # at the end to show I'm done. And even during this process I can here a noise. This noise is to prevent the staff to listen to the sound of my pushes and guess what my password maybe. The staff just waits until the system checks my password against my ID.
If the staff receives a message on her screen that my password is passed, she can continue with the changes that I want. The changes in my purchase is mailed to me after it's done. It's another automatic procedure behind the curtain. No body knows my actual name, address, mail, TL No or anything else.
The point is don't show personal data on screen. As I said in my first post above, using sql server as the backend and password protecting the server is the first factor to think about. Confidential data is encrypted and is separated in numinous tables in sql server. Front end contains nothing except forms to show only a part of data. One should be smart enough to write a solution to prevent data theft. I accept that using an stand alone program written in #C or other languages is a better choice. But even Access as a Front End can be used in a way to prevent data theft if the program is written in a way to give no clues on what's happening behind the curtain. (nothing is %100 secure).
PS: Once during one of our classes, I had a chance to check an actual database that has been used about 10 years ago as a BE of a mobile shop. The tables were emptied and was field with several unreal data.
There was 24 tables for saving customers' postal address. Even having the database we had no clue to pull out a customer's full name and his postal address.
Once again, Not that I'm trying to tell any idea above is wrong. I'm still a student and do know nothing about the depth of this world.
Last edited:
this will lead to another security measure , can we via VBA prevent Printscreen from keyboard hardware or softeware , @isladogs is there any VBA for this?
You're not paying attention. Even if you find a way to disable print screen keyboard, users can use 3d party applications or even windows' snipping tool.
If you disable them too, you can't use vba to prevent them to take a photo of the screen with their phones.
Try to work with customer's ID and don't show their names or other confidential info on the screen.
