I'm trying to secure an MS Access 2003 mdb using the workgroup security. I've got most of it set up (using a new MDW etc), but I can't stop people creating new tables in the database, if they've got access to open it. Am I missing something?
None of the accounts have any permissions allowed, I'm doing it all through groups.
Users only have Open\Run access to the database, no access to <New Tables/Queries> and only "Read Data" access on all the other tables, including the MSys* tables.
Any thoughts or am I trying to do the impossible?
--Update--
I've tried using the wizard as suggested, but that still leaves me with the same problem. I created a blank database & ran the wizard on it. Assigned 2 users, Me & User, and removed all access to the standard groups. I added Me into the Admin group & User to the Read Only group.
Not using the MDW denies access, as expected. Logging in as Me allows full access (Design things, add data, delete data, etc), logging in as User will allow read data inexisting tables, but not add data or design them (as expected), but it will still allow creation of a new table, which User will then have full access to add, delete etc.
So, over a year after posting this question, I have another go at solving it, but his time with success!
I came across the Microsoft Accesss Permissions Explorer and this showed that the standard ways of securing the database, both manually and using the wizard still give the Users group explicit Create permsissions on the Tabes Container. This same software also allows the revoking of said permissions, so now I can have a fully secured database, where any user can access the mdb without using a special MDB, but they are only able to access and edit the data I want them to.
Can your users use the runtime version of msAccess? They will not have the ability to create any new Access object, such as table, query, form, etc.
And runtime version is free, so you'll also spare on licences!
Related
This question is regarding authorization, not authentication which i will be managing with passportjs. How do i restrict access for data that's bound to specific users without spreading user_id's all over every table in the database?
Should i create a new database user for each new user of my app and restrict access that way? Or is the "user id in every table" approach actually a good way to go?
I'm working on a project right now where someone else wrote the authorization logic and it works using a kind of authorization path in the code so it can find which user a resource belongs to using some breadcrumb logic.
But I'm really at a loss here and I'm having a hard time finding any information regarding this since almost all articles that I find are about authentication rather than authorization. And I do not mean access to a resource, but rather the filtration of data returned from a resource that the user has access to.
If you want to restrict access of users to certain objects, you either have to store that information with the user or with the object.
The latter is the preferred way because it makes permissions disappear with the object. That's the way PostgreSQL does it – it stores an access control list (ACL) with every object.
So you can either use PostgreSQL to implement privileges (then every application user or at least every group with equal privileges has to have a database user, and you can use permissions on tables and columns and row level security), or you implement it in your application and have some sort of ACL with every row in the database.
So I am very interested in using Cloudkit but the documentation on anything over the basic features is horrible. I am looking to establish two basic user types: standard user (someone that can read records only) and an Admin user (can create and modify records). I setup security roles to reflect this and changed the access modifiers on each of the record types to include these roles. However, I cannot find anywhere how to change a user from one role to the other. I have implemented an Admin login of sorts in the app. Once they enter in the appropriate credentials, I want to allow that user to start editing records.
Does anyone know how to do this?
Thanks
I think it's still not possible to assign a security role to a user using code. Then this answer is still valid: How do I access security role in cloudkit
I came across a fun problem today. Basically, we have thousands of subscriptions setup under a few users to dump a report into a directory on a monthly basis. One of these users was moved to a different role/department, and her credentials no longer have access to the folder where they were being dumped. So, I think the easiest solution would be to switch all of her subscriptions over to one of the other users who still has access to the folders.
I already know how to update the Owner. What I need to know is how to change the credential username. It is one of the pieces of the ExtensionSettings in the Subscription table, but it appears to be encrypted. I already have a script that will update the credential password based on the credential username, so I would think there would be a way to update the credential username based on the owner.
I was able to get this taken care of by writing a powershell script that works with the actual ExtensionSettings objects. It's ugly, so I'm not going to post it in fear that someone would inadvertently crash their BI in using it.
Using a strongly typed dataset and its related table Adapters, normally when I want the changes to pass back, just pass it the table and let it do all the work.
What are some easy ways to enforce security roles on the application user as to which fields they can insert/update/delete when the database is using an application ID instead of user level security?
Do I have to go row by row and check each row against what this particular user is allowed to do (by checking the current version of every field against it's proposed version against their role's permissions?
I believe the first level of security would be locking down the columns on the UI a particular user is not supposed to modify, but what about at the data level? Is there a nice way to do this?
Is this easier in linq-to-sql?
First, are you asking about actual security or just control/saftey/fool-proofing (ie stopping users from doing something dumb)?
If you are trying to enforce security try to answer some questions like who is allowed to connect to the database? where is the actual enforcement (eg, application vs connection to the database)?
For example if your application is where enforcement is placed then what if your application is compromised? Can it then connect to the database and do whatever?
For role separation I would suggest different application that are running/assigned different roles. Each role has to authenticate against the database in some way and only have access to necessary data.
In summary, ask who is doing what to whom and what if they were compromised.
Is user profiles an appropriate place to store things like number of items per page in a custom grid user selected? (I you can store it in the view, but it won't be per user this way).
My first though was to store these settings in user profiles, but there are problems with access permissions for programmatically creating user profile properties boiling down to you either have to give every user 'Manager User Profiles' permission in SSP or you have to run the application pool under a domain user, not NETWORK SERVICE. Both scenarios are unrealistic for me, so I'm now looking for another way to store such 'per user' settings.
Thanks!
Edit: I'm now considering ASP.NET profile mechanism with an additional DB to store user properties.
Given that the information is not sensitive a simple database with values stored against AD login should suffice.
And as you have the ASP.Net user database already, storing the information there would be the best option.
Maybe a Global List, that is only accessible for the SHAREPOINT\SYSTEM User and that you can then Query in a SPSecurity.RunWithElevatedPrivileges Function.
Disadvantage: You require Custom code to read/write to that list.
Cookie?
Sure they have limitations, but it is fairly easy to create the control to run javascript to add/edit the value