 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
MS Access Forum / Security / May 2004group vs individual user security
I have 3 secure A 2002 dbases in a Windows 2000 network environment. 1. Staff Back has all staffing information - StaffFront is the frontend for this database with some users having RO and others having Data entry priviliges. 2. Nursing is Frontend is connected to StaffBack with some users having limited RO and data entry priviliges (for their department only) 3. TrainingFront have RO priviliges to staff demographic info, and data entry and read permissions to own backend (TrainingBack) Here is my first questions: I have set up User groups Full Priviliges (me and one other person), Data entry with appropriate priviliges, and RO with appropriate priviliges. However, I don't want the Nursing or Training staff to be able to open the Staffing database (confidentiality issue), but since they have group priviliges, they can open the switchboard of all 3 databases. At this point, I password protected each database on top of the securities (a lot of logging in). I also attempted to give group priviliges, but then remove Switchboard Form and Switchboard Items privileges in the respective database. However, when I do this (and the user has the password for some reason or another), they get an error message that they don't have rights to the Switchboard, but the whole database window opens for them, and they can get to the tables which they must have rights for read and respectively write purposes. For some reason, it bypasses the startup option, which I have set right (unchecked all, and set the switchboard as opening form). I have code to allow me to get in. Is there any way I can use group accounts vs. individual accounts and still customize each database. In my A97 version, I had set individual rights, and this worked fine, but all my readings in A2002 suggest to use group settings. What do I miss? Second question: It doesn't allow me to delete the Admin user (acts like I want to delete the Admins group, but I highlighted the Admin user). Thanks for your help. With your help, I'm getting my conversions done. Brigitte What about splitting each group into three? Nurse Jones could be a member of the NursingDataEntry group, but not of the StaffingDataEntry group, or the TrainingDataEntry group, & so on. As for deleting the Admin user, I don't think you can do that from the Access user interface (but I don't have Access here to check). HTH, TC (off for the day) > I have 3 secure A 2002 dbases in a Windows 2000 network environment. > 1. Staff Back has all staffing information - StaffFront is the frontend for [quoted text clipped - 31 lines] > Thanks for your help. With your help, I'm getting my conversions done. > Brigitte Thanks, good idea!! even though I still would like to know whether you can mix and match group and individual settings and have the individual settings override the group settings (which was probably my original question). As to deleting the Admin user, I'll add that account to the user group only and give no rights to Users, which should solve that issue (hopefully). Brigitte > What about splitting each group into three? Nurse Jones could be a member of > the NursingDataEntry group, but not of the StaffingDataEntry group, or the [quoted text clipped - 50 lines] > > Thanks for your help. With your help, I'm getting my conversions done. > > Brigitte > Thanks, good idea!! even though I still would like to know whether > you can mix and match group and individual settings and have the > individual settings override the group settings (which was probably > my original question). Yes you can, but it's a maintenance nightmare. You'd be better off creating separate groups. Then your only maintenance is creating new users and assign to groups, or deleting users. If you assign permissions to users, then you have a lot of work every time someone leaves or someone is hired. It would be easy to miss some permission. > As to deleting the Admin user, I'll add that > account to the user group only and give no rights to Users, which > should solve that issue (hopefully). Brigitte You can't delete it, so you can't 'add' it either. Every user is always a member of Users Group, so your approach to deny this group permissions is correct.  SignatureJoan Wild Microsoft Access MVP THANKS to all of you. The approach worked fine even though I have only 9 users and 5 groups. But the group thing is much more transparent since it requires some planning and is a long-term solution. One pearl of wisdom I have gained in converting secure dbases from 97 to 2002 is that it is best to to most of the work in the native database vs. in the converted version. I read this someplace but thought I could take shortcuts with the first conversion (they weren't short). In my later databases I cleaned my originial permission, compiled, repaired, compacted. Then I created a new database (with me logged in), and all ownership and permission issues were resolved. I just converted (first to 2000 then to 2002 using the wizzard), used your or Lynn's advise and clicked the DAO 3.6, compiled, compacted/repaired, set up the appropriate group permission, added the toolbar and set up the start-up menue. This was maybe one to two hours work and no extra gray hair. The shortcut with the wrkgrp thing for users is also great and makes our IT people happy since they hated when I locked Access for unsecure databases by joining the workgroup. Thanks for patiently guiding me through -- all of you wonderful people. Brigitte > > Thanks, good idea!! even though I still would like to know whether > > you can mix and match group and individual settings and have the [quoted text clipped - 14 lines] > member of Users Group, so your approach to deny this group permissions is > correct. (snip) > Every user is always a member of Users Group Only when done from the UI, tho :-) As I'm sure you know (but the OP may not), users created thru code are not a member of any group until you make them so. Cheers, TC >> Every user is always a member of Users Group > > Only when done from the UI, tho :-) > > As I'm sure you know (but the OP may not), users created thru code > are not a member of any group until you make them so. But you must do so. SignatureJoan Wild Microsoft Access MVP > >> Every user is always a member of Users Group > > [quoted text clipped - 4 lines] > > But you must do so. Why? (seriously) If you create a user & grant him permissions, I don't see why he couldn't use the things that you had granted him permission to use; even if he was not a member of any groups. (Haven't explicitly tested this, but!) Cheers, TC >> But you must do so. > [quoted text clipped - 4 lines] > even if he was not a member of any groups. (Haven't explicitly tested > this, but!) In order to work with the systems tables, all users must be a member of the Users Group SignatureJoan Wild Microsoft Access MVP |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.