database split before or after security?

[Charlie via AccessMonster.com]

Hi Access Heros,
I created a new database in Access 2003. I created a new workgroup file as
owner. As owner, I created a new database and imported tables from original
db for my backend. Then I created another database, as workgroup owner and
imported queries, forms and reports, as frontend. Does it make sense to do
it this way? Doesn't this set security on both the backend and frontend?

I guess I am asking this question because when reading other threads, people
ask whether to set security on backend or frontend. This confuses me. Isn't
security on both?

Thank you
Charlie

 

[Joan Wild]

Hi Access Heros,
I created a new database in Access 2003. I created a new workgroup
file as owner. As owner, I created a new database and imported
tables from original db for my backend. Then I created another
database, as workgroup owner and imported queries, forms and reports,
as frontend. Does it make sense to do it this way? Doesn't this set
security on both the backend and frontend?

That alone does not. When you import objects, their permissions don't come
with them, so you have to set them again.

I guess I am asking this question because when reading other threads,
people ask whether to set security on backend or frontend. This
confuses me. Isn't security on both?

Usually you would want to secure both mdb files, yes. If you start with a
single mdb file, you can secure it and then split it manually. This means
create a copy of the database. Open the copy and delete all the objects
except the tables (this will be the backend). Open the original and delete
the tables; then use File-Get External Data-Link and link to the tables in
the copy.

By copying the files, rather than importing to new, the permissions are not
lost on the objects.

By the way, there is nothing wrong with the approach you took. You just
need to proceed with creating groups and assigning the permissions to those
groups for each database.

 

[hireagenius via AccessMonster.com]

Joan,
Many thanks for your response, once again.

As I go through the user and group permissions, I may have made an error.

The owner is "Developer" and is a member of Admins Group and Developer Group,
both groups have identical security permissions.

The user "Developer" has Open/Run permissions on the database (and forms) but
not the tables or queries. Additionally, the Admins Group nor the Developer
Group has Open/Run permissions on the tables or queries. It appears that no
one has Open/Run permissions on the tables or queries.

However, as Developer, I ran the queries and they worked fine. Is there
something I am missing regarding Open/Run permissions? I did not knowingly
revoke these permissions.

Second question - Should I change the owner of objects from the Developer
User to the Developer Group?

Thank you
Charlie

Hi Access Heros,
I created a new database in Access 2003. I created a new workgroup

[quoted text clipped - 3 lines]

as frontend. Does it make sense to do it this way? Doesn't this set
security on both the backend and frontend?

That alone does not. When you import objects, their permissions don't come
with them, so you have to set them again.

I guess I am asking this question because when reading other threads,
people ask whether to set security on backend or frontend. This
confuses me. Isn't security on both?

Usually you would want to secure both mdb files, yes. If you start with a
single mdb file, you can secure it and then split it manually. This means
create a copy of the database. Open the copy and delete all the objects
except the tables (this will be the backend). Open the original and delete
the tables; then use File-Get External Data-Link and link to the tables in
the copy.

By copying the files, rather than importing to new, the permissions are not
lost on the objects.

By the way, there is nothing wrong with the approach you took. You just
need to proceed with creating groups and assigning the permissions to those
groups for each database.

 

[hireagenius via AccessMonster.com]

Joan,
Many thanks for your response, once again.

As I go through the user and group permissions, I may have made an error.

The owner is "Developer" and is a member of Admins Group and Developer Group,
both groups have identical security permissions.

The user "Developer" has Open/Run permissions on the database (and forms) but
not the tables or queries. Additionally, the Admins Group nor the Developer
Group has Open/Run permissions on the tables or queries. It appears that no
one has Open/Run permissions on the tables or queries.

However, as Developer, I ran the queries and they worked fine. Is there
something I am missing regarding Open/Run permissions? I did not knowingly
revoke these permissions.

Second question - Should I change the owner of objects from the Developer
User to the Developer Group?

Thank you
Charlie

Whoops Joan - I asked a question I could have answered easily by looking in
the Help file. Open/Run permissions doesn't apply to tables and queries.

However - if anyone would like to address the 2nd question regarding granting
ownership to the Developer Group rather than the Developer User, I would be
much obliged.

As always,
Thank you kindly.
Charlie

[quoted text clipped - 22 lines]

need to proceed with creating groups and assigning the permissions to those
groups for each database.

 

[Joan Wild]

I always have a user as owner, not a group. I'm not sure the value in
having a group as owner.

--
Joan Wild
Microsoft Access MVP

Joan,
Many thanks for your response, once again.

As I go through the user and group permissions, I may have made an
error.

The owner is "Developer" and is a member of Admins Group and
Developer Group, both groups have identical security permissions.

The user "Developer" has Open/Run permissions on the database (and
forms) but not the tables or queries. Additionally, the Admins
Group nor the Developer Group has Open/Run permissions on the tables
or queries. It appears that no one has Open/Run permissions on the
tables or queries.

However, as Developer, I ran the queries and they worked fine. Is
there something I am missing regarding Open/Run permissions? I did
not knowingly revoke these permissions.

Second question - Should I change the owner of objects from the
Developer User to the Developer Group?

Thank you
Charlie

Whoops Joan - I asked a question I could have answered easily by
looking in the Help file. Open/Run permissions doesn't apply to
tables and queries.

However - if anyone would like to address the 2nd question regarding
granting ownership to the Developer Group rather than the Developer
User, I would be much obliged.

As always,
Thank you kindly.
Charlie

Hi Access Heros,
I created a new database in Access 2003. I created a new workgroup

[quoted text clipped - 22 lines]

need to proceed with creating groups and assigning the permissions
to those groups for each database.

 

[jacksonmacd]

That alone does not. When you import objects, their permissions don't come
with them, so you have to set them again.

Joan

I didn't know that -- actually I thought you were wrong, but
experimentation proved to me that you were right.

For example, I logged onto a secure workgroup as a user who has
ReadData/Write on many tables, ReadData on a few tables, and
ModifyDesign permission on no tables. Imported some tables into a
brand-new database created by that user. I was able to
read/write/design all the tables, just as you suggested.

This means that a knowledgeable, motivated, and perhaps malicious user
could simple create a new database from one for which s/he had
ReadDesign permission, copy all the objects into a new database, and
replace the official database with this new, compromised database. The
user would be able to modify data in any table for which s/he had
previously been denied Write permission.

No need for a password cracking program!

If the user does not have ReadDesign permission on the table, the s/he
is denied permission to import the table into the new database. RWOP
queries take on a new significance.
**********************[email protected]
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security

 

[Rick Brandt]

That alone does not. When you import objects, their permissions don't come
with them, so you have to set them again.

Joan

I didn't know that -- actually I thought you were wrong, but
experimentation proved to me that you were right.

For example, I logged onto a secure workgroup as a user who has
ReadData/Write on many tables, ReadData on a few tables, and
ModifyDesign permission on no tables. Imported some tables into a
brand-new database created by that user. I was able to
read/write/design all the tables, just as you suggested.

This means that a knowledgeable, motivated, and perhaps malicious user
could simple create a new database from one for which s/he had
ReadDesign permission, copy all the objects into a new database, and
replace the official database with this new, compromised database. The
user would be able to modify data in any table for which s/he had
previously been denied Write permission.

No need for a password cracking program! [snip]

As stated often...If you need to protect the data from non-users use network
security. If you need to protect data from *users* then don't put it in an MDB
file.