Re-linking tables

[Keith Wilby]

I'm having a few thoughts about re-linking tables at startup in one of my
apps but I was wondering how ULS would affect the process. If my app is set
up to run around RWOP queries and users don't have any permissions to any
tables, how would that affect the re-linking process - wouldn't they get a
"no permissions" error?

Many thanks.
Keith.

 

[Keith Wilby]

I'm having a few thoughts about re-linking tables at startup

*using code* (sorry)

 

[Joan Wild]

The security FAQ covers this I believe. You can give them full permissions
on the table links in the FE, with no permissions on the BE tables. That
still restricts their permissions to the tables, but they have the
permissions on the links and so can refresh them. Read through sections
14-16.

 

[Keith Wilby]

The security FAQ covers this I believe. You can give them full
permissions on the table links in the FE, with no permissions on the BE
tables. That still restricts their permissions to the tables, but they
have the permissions on the links and so can refresh them. Read through
sections 14-16.

Thanks Joan. I'm always banging on about people reading the FAQ, I suppose
it's time I read them myself ;-)

Regards,
Keith.

 

[Joan Wild]

Thanks Joan. I'm always banging on about people reading the FAQ, I
suppose it's time I read them myself ;-)

You did have me wondering if we had a second Keith Wilby in our midst.

 

[Keith Wilby]

You did have me wondering if we had a second Keith Wilby in our midst.

I've always skipped that section because I've never had the need to re-link
via code, now I do. Seems pretty straightforward though.

Regards,
Keith.

 

[Keith Wilby]

Seems pretty straightforward though.

Oooooo, famous last words!

On the faq_ConnectLink function, the FAQ states:

"This function can be run by any user who has OpenRun permission on the
source database."

The code works fine when I execute it under an Admin user, but under a
restricted access user account the code fails, the error being "no read
permissions on tbl ..." - what have I missed? I have granted OpenRun
permission on the source database for this user account. I thought the
whole point of this function was that you didn't have to grant any further
permissions.

Thanks.

Keith.

 

[Keith Wilby]

Ah, never mind.

" as long as the user has full permissions in the destination database"

I think I need to read some more ;-)

 

[Keith Wilby]

The security FAQ covers this I believe. You can give them full
permissions on the table links in the FE, with no permissions on the BE
tables. That still restricts their permissions to the tables, but they
have the permissions on the links and so can refresh them. Read through
sections 14-16.

Hi again Joan ... I'm confuzzled!

I have "faq_ConnectLink" working but I'm not sure why. My ordinary user
account is a member of my Guests (read only) group and my Assessors
(read-write but no admin) group. The user account name is "User". The code
runs for this account and I've noticed that:

"User" is the linked table owner (logical)
"User" has full permissions to the linked tables ... but
"User"'s parent groups Guest and Assessors have *no* permissions to the
linked tables.
"User" cannot open the tables from the db window, the "no permissions" error
is generated.

I should know this but the truth is that I've never encountered this
scenario - do the group permissions override account permissions, and if
that is true, why does the code run for "User"?

Many thanks.
Keith.

 

[jacksonmacd]

IIRC, the FAQ has some information about the difference between using
the RefreshLink method versus the TransferDatabase method, and the
various backend permissions required for each one. I mention it on P14
of my security document.

 

[Joan Wild]

"User" is the linked table owner (logical)
"User" has full permissions to the linked tables ... but
"User"'s parent groups Guest and Assessors have *no* permissions to the
linked tables.
"User" cannot open the tables from the db window, the "no permissions"
error is generated.

I should know this but the truth is that I've never encountered this
scenario - do the group permissions override account permissions, and if
that is true, why does the code run for "User"?

The "User" user owns the links; that overrides anything. They still get 'no
permissions' because they don't have any permissions on the tables in the
backend, just the links in the frontend. If they attempted to link to the
those tables via the LTM, it wouldn't work because they have no permissions
on the backend tables. However using the Connect property in code, the
error is ignored.

You can grant full permissions on the <tables/queries> in the front end for
all Groups and they'll still be restricted based on their permissions on the
tables in the backend. You need to separate permissions on the tables in
the backend and the links in the frontend.

Having permissions on the links allows them to read the link and make the
connection, however their permissions on the table in the backend doesn't
allow them to actually open the table and read the data.

 

[Keith Wilby]

The "User" user owns the links; that overrides anything. They still get
'no permissions' because they don't have any permissions on the tables in
the backend, just the links in the frontend. If they attempted to link to
the those tables via the LTM, it wouldn't work because they have no
permissions on the backend tables. However using the Connect property in
code, the error is ignored.

You can grant full permissions on the <tables/queries> in the front end
for all Groups and they'll still be restricted based on their permissions
on the tables in the backend. You need to separate permissions on the
tables in the backend and the links in the frontend.

Having permissions on the links allows them to read the link and make the
connection, however their permissions on the table in the backend doesn't
allow them to actually open the table and read the data.

That makes perfect sense, thanks very much Joan.

Regards,
Keith.