12-20-11, 13:45 #1 Registered User
- Join Date
- Oct 2011
Unanswered: Multi-user, Tiered Security, History Tracking, Date Stamping, help please?
So I have looked through google for about two days now and I am not sure how else to try and find this information (my head keeps going around in circles).
I am attempting to design a Multi-User, Multi-Privileged environment, where users will be able to log on, the program will check their password, check their security and then display their special version of the program. Boy it sounds fairly easy.
Anyways, I have the username and password; it automatically checks failed attempts and will lock the username out after X attempts. I also have an okay idea of how to start most of this with a single user. Drop the username into a table, linking it to all changes. However, the multi-user thing is throwing my brain into a spin dive.
My main concerns are dealing with the multi-user functionality and dynamically changing the forms (this one worries me). In any case if anyone can link me to some information that can help me get started I would greatly appreciate it. This is a very big leap in knowledge I'm taking so any help would be most appreciated.
12-20-11, 14:46 #2 Jaded Developer
- Join Date
- Nov 2004
- out on a limb
Before rolling your own security, why not take advantage of the network logon to handle security,
then query the workgroup file to find out what user groups a specified user is assigned to.
Make certain that the user cannot write to the workgroup file, and always deploy the app with a specified workgroup file. Granted, this approach (using workgroup files) will not work in A2007 and more recent.
Before displaying anything (forms, reports etc.), request the user's security clearance and take appropriate action.
E.g. if you want a group of users to view but not change, set the Allow Edits property of the form on startup.
If you want to restrict forms to specific groups *remember it's always better to assign security to groups and users to groups, so that you don't have specific user permissions but group permissions.
Don't allow your users to have access to the MDB, always deploy as an encrypted dbm, AND always keep backups of the MDB, as without the MDB you cannot make changes to the application.
Consider using Access runtime to deploy the app. The less freedom the user has to modify things, the fewer security holes there are to exploit. But bear in mind that to really tie down an Access application talking to an Access DB you need to also work on network permissions on the OS. It's virtually impossible to fully tie down an Access application from within Access. If this application has sensitive information then you probably shouldn't use Access as a datastore (user interface [reports, forms etc.] fine, but not the data). Do a Google on splitting Access applications into a front end and back end.
If you think there are going to be more than, say, 15..30 concurrent users then consider using a server backend, but design the application accordingly using disconnected recordsets, unbound controls and so on. The Access developers 'Enterprise' handbook will point you in the right direction.
Audit logs can be written; I think (Steve) LeBan has a very good audit model.
Bear in mind recording a user ID isn't necessarily definitive, especially if you need to keep data secure. Logging on through an Access application, especially where you have written some or all of the security code yourself, is prone to problems. Relying on the network logon and ensuring your network trolls ONLY allow one log on per user account at any one time and no sharing of user IDs. Using Dev Ashish's API calls (do a Google) will tell you which user ID did what on what computer at what time. It's a bit like playing Cluedo with all the cards stacked in your favour.
I'd rather be riding on the Tiger 800 or the Norton
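An added example (not part of the post above, and not healdem's or Dev Ashish's code) of the approach the reply describes: take the identity from the Windows logon, map it to a group, set the form's edit properties from the group's rights when the form opens, and record who did what on which machine. The table and column names and the helper names are hypothetical; because workgroup files are unavailable from A2007 on, the group mapping is assumed to live in a back-end table.

```vba
' Added example. Hypothetical back-end tables: tblUserGroup(NetUser, GroupName),
' tblGroupFormRight(GroupName, ObjName, CanOpen, CanEdit), tblAudit(NetUser, Machine, ObjName, AuditAction, StampedAt)
Option Explicit

Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" _
    (ByVal lpBuffer As String, nSize As Long) As Long
Private Declare PtrSafe Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" _
    (ByVal lpBuffer As String, nSize As Long) As Long

Public Function NetUser() As String              ' Windows logon name, not an in-app login
    Dim buf As String, n As Long
    n = 255: buf = String$(n, vbNullChar)
    If GetUserName(buf, n) <> 0 Then NetUser = Left$(buf, n - 1)   ' n includes the null
End Function

Public Function MachineName() As String
    Dim buf As String, n As Long
    n = 255: buf = String$(n, vbNullChar)
    If GetComputerName(buf, n) <> 0 Then MachineName = Left$(buf, n)
End Function

Private Function Q(ByVal s As String) As String  ' quote a text literal for Jet SQL
    Q = "'" & Replace(s, "'", "''") & "'"
End Function

Public Sub WriteAudit(ByVal objName As String, ByVal what As String)
    CurrentDb.Execute "INSERT INTO tblAudit (NetUser, Machine, ObjName, AuditAction, StampedAt) " & _
        "VALUES (" & Q(NetUser()) & "," & Q(MachineName()) & "," & Q(objName) & "," & _
        Q(what) & ", Now())", dbFailOnError
End Sub

' Call from each form's Form_Open event:  Cancel = Not ApplyGroupRights(Me)
Public Function ApplyGroupRights(frm As Form) As Boolean
    Dim grp As Variant, rs As DAO.Recordset, ok As Boolean
    grp = DLookup("GroupName", "tblUserGroup", "NetUser=" & Q(NetUser()))
    If Not IsNull(grp) Then
        Set rs = CurrentDb.OpenRecordset("SELECT CanOpen, CanEdit FROM tblGroupFormRight " & _
            "WHERE GroupName=" & Q(grp) & " AND ObjName=" & Q(frm.Name), dbOpenSnapshot)
        If Not rs.EOF Then
            If rs!CanOpen Then                   ' rights are held by the group, never the user
                frm.AllowEdits = rs!CanEdit: frm.AllowAdditions = rs!CanEdit: frm.AllowDeletions = rs!CanEdit
                ok = True
            End If
        End If
        rs.Close
    End If
    WriteAudit frm.Name, IIf(ok, "open", "denied")   ' unknown user or missing row = deny
    ApplyGroupRights = ok
End Function
```

The rights and audit tables are only as trustworthy as the folder permissions on the back-end file, which is the limit the reply points out about tying Access down from within Access.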
12-21-11, 09:06 #3 Registered User
- Join Date
- Oct 2011
healdem, as always, I appreciate your input and wisdom in Access. You have given a lot of good advice. If you will bear with me for a moment I'll explain a little bit about my environment.
I am currently developing in Access 2010.
The first thing I did with the database was split it to a FE/BE database.
I am the only person in our department that can work on Access (and that's being very generous to myself, since I know very little about it).
All the users that will be accessing this database reside in the exact same security group on the network and this cannot be changed.
As far as the network is concerned, users can be logged into multiple machines at the same time; this cannot be changed.
All computers have Access 2010 installed, all users have access to Access 2010, this cannot be changed. (See a reoccurring theme yet?)
My IT department has, literally, no ability to alter any network parameters at all. We are a subset of a much larger division which houses, maintains and controls all network capabilities.
The only "network" aspect I have in my favor is I have control of assigning permissions to the folder where the database is housed. However, my permission assigning is literally just that: Read Only | Read/Write | No access.
I am currently pleading to get a dedicated SQL server or at the very least be able to put it on SharePoint. However, neither of those have happened yet.
So as my wonderful life stands right now, I have to do most of the securing/privileges directly from Access.
12-22-11, 15:06 #4 Registered User
- Join Date
- Oct 2011
I've been rolling some ideas in my head and would like some advice on how to proceed with them. When I can get my hands untied (probably when pigs fly) I'll try to implement a lot of healdem's suggestions; until then I need to work on some form manipulation with group privileges.
As far as the front end is concerned I have it locked down as well as I know how.
All tool bars are disabled, except a custom one in print preview.
I've disabled the customization abilities on right click for the ribbon. I have disabled everything in file menu other than print.
I have disabled all Fkey functions outside of alt-F4.
Implemented a lock out user name and password, with each user having a security group they reside in.
Disabled right-click on the entire database. Forced all screens to be maximized.
The only thing that I know I can lock down and haven't yet, is starting up Access with the shift key held down. I have the function for it, I just have not enabled it yet.
So what I am now trying to move on to is what each security group sees. I have attempted to program some things in using VBA on a single user approach. Biggest problem I have run into is keeping the forms looking nice and neat. When I make a control box non-visible it's just a big hole in the form.
I assume there is probably a way to programmatically make a control smaller, then for the other controls to realign?
The other option I have thought of is creating a different form for each security group, though this idea seems like a lot of wasted work to me.