creating "semi-admin" user group

[Joan Wild]

This dual workgroup file is still a bit confusing to me...but just
because a user is part of Admins in the production.mdw, that doesn't
mean he actually have admin rights over the database, right?

Right (the way you mean it).

But he

just has admin rights to add/remove users? So that would also
mean...the only reason why anyone would be on Admins would be that
the user just needs to add/remove users...and nothing else..?

Yes. But presumeable you have some user that would do these activities as
well as use the database

This is because I don't want to use the User and Group Accounts
options by MS Access. I created a form for it already and I have more
control over it...

What do you mean by 'more control'. The user in the Admins group wouldn't
be able to change permissions, or seize ownership. What's wrong with the
available dialog?

If I want to make a group thats actually like the Admins in
develop.mdw, I would have to create a new group, and grant most of
the permissions to them, right?

If you want a user to act like the Admins group in the development mdw, you
could give that user the development mdw. I am wondering why you want a
user to have so much control. I thought you only wanted someone to be able
to create/delete users and reset passwords?

PS: how do quote from a previous post? like...

You use a real newsreader like Outlook Express, Agent, Gravity, etc.

 

[Jeff Conrad]

Yeah, I'm sure it's ok but, like I said to Joan, I try to avoid doing
pointless but harmless things because you never know when they will jump up
and haunt you. <g>

Very true.
I have already made the necessary change for the next release.

I spent weeks writing some code here at work last spring
that, as it turns out, may contain one of those "harmless" things in it.
Well, now that we are about to move to a new database version, we are
finding out that it's not so "harmless" after all...LOL

Job security Lynn, job security.
"You can't fire me, I have to fix all my mistakes."
<vbg>

 

[Jeff Conrad]

That's fine Jeff, but I just don't understand why you are now recommending
it, knowing that it's pointless?

Well to be completely fair I did not 'recommend' it, I simply told Justin
what I had done:

But, yes, I can certainly see where the confusion would come from.
I should have been more clear in my post. My apologies for the oversight.

 

[Lynn Trapp]

Job security Lynn, job security.

"You can't fire me, I have to fix all my mistakes."
<vbg>

ROFL... using that strategy you have to keep making your mistakes worse and
worse.

 

[Jeff Conrad]

Hi Justin,

This dual workgroup file is still a bit confusing to me...but just because
a user is part of Admins in the production.mdw, that doesn't mean he
actually have admin rights over the database, right?

For the most part that is correct.

But he just has admin rights to add/remove users? So that would also mean...
the only reason why anyone would be on Admins would be that the user
just needs to add/remove users...and nothing else..?

In the production MDW file, yes.

This is because I don't want to use the User and Group Accounts options by
MS Access. I created a form for it already and I have more control over it...
Bingo....

If I want to make a group thats actually like the Admins in develop.mdw, I
would have to create a new group, and grant most of the permissions to
them, right? So for a Department Director, he would be in the Admins group,
and a....SuperAdmins group?

You mentioned develop.mdw, but I wonder if you actually meant to say
production.mdw? You really only need your SuperAdmin in the develop.mdw
and no one else (except the default Admin user which you cannot remove).
And to correct any previous miscommunication on my part, you really only
need the Admins, Users, and whatever other custom groups you create in the
develop.mdw and production mdw files. You do not *have* to have a SuperAdmins
group.

I knew this was coming. I was just waiting for you to bring this up!! In my previous
post I composed some thoughts about this, but I decided to remove it at the last
moment. I wanted to first see if this was going to be an issue and sure enough you
brought it up. Of course I clearly remember that we helped you create custom forms
for replacing the functions and now you are wondering why you cannot use them!

OK, here are some things that you (and your boss) will need to think about. I will
try and be as clear as I can and explain what I did and why. Joan and Lynn, please
correct me if I am mistaken any where in here.

I created a development.mdw and production.mdw file. I have one SemiAdmin person
in the production.mdw file and that is the only person in the Admins group. I created
custom forms for adding/editing/deleting users (and assigning to groups) for four reasons:

- I work with very low tech users and there is no telling what they could screw up.
Exposing the Security dialog boxes to users is way too dangerous in my opinion.
Granted what they could screw up would be quite limited in the production.mdw,
but I wanted to minimize the potential problems as best I could. It is too long
of a story to put here, but I HAD to minimize the number of support calls.

- The SemiAdmin person could add and delete custom groups which is something
I most certainly did not want to have happen! Yes, they would not be able to assign
object permissions to new groups they created, but again I just didn't want them
adding unneccessary stuff and then call me with questions about it.

- The SemiAdmin person can turn off the Shift key bypass since they are a member
of the Admins group! I did not want to have this happen. Period.

- There was the possibility (and still is) that this application may at some time become
a Runtime application. Well, you cannot access the Security menus in a Runtime
application so I really was left with no choice but to create custom forms.

So what I did was make the SemiAdmin person "invisible." I shipped the application
with the production.mdw file. Included in the production.mdw were the following:
1. My SemiAdmin user in the Admins Group
2. One default person in a group like AppAdmins called Administrator
3. One default person in a group like AppUsers. (Just there for demonstration purposes)

When they first open the program I instruct them to log in as Administrator and give them
the password. I then show them how to create new users and assign them to either of
the two groups. We then delete the two 'default' users that came shipped with the
production.mdw file. They are then ready to go. I do not tell them about the SemiAdmin
user because there is no need. My custom security forms do all their functions in
a temporary workspace of the SemiAdmin's specs (which we have already discussed
at length).

The SemiAdmin user is NEVER presented on my custom security forms. Any combo
boxes that have a list of users do not have the SemiAdmin listed. Out of sight, out
of mind. No questions asked if they never know about it.

Will this setup work in ALL situations? Certainly not! It worked in my situation but
that does not mean it will work in your enviroment. My setup was single workstation
(no network issues) with only a tiny handful of users. You might be asking, "What
happens if a disgruntled person deletes everyone in the production.mdw before
leaving? How will they get back in?" That's easy. Pop in the CD, copy over a
backup copy of the production.mdw and start over. Recreate the users again.
This works for ME becuase we're talking about 5 or less users. This would of
course not be very feasible on a network with lots of users!

So you and your boss now are presented with a choice. Do you want the SemiAdmin
person to see the built-in security menu forms and have that person's log-on specs
be known to other people beside yourself and maybe the boss? If not, then you
will have to use the temporary workspace procedure that we already set up. You will
of course then have to hard code in the SemiAdmin's log-on specs into the code
and try to hide it as best as possible. Your boss has already said they do not like
this approach, but at this point you need to present your boss with all the information
and let them decide what they want to do. Both have advantages and disadvantages
so weigh them carefully. I am not tying to persuade you to one side or the other. I
am only trying to give you as much information as possible so you and the boss can
make an informed decision.

One last thought. There are utilities out there (some even free) that can read the
UserName/Password information from MDW files. So even with all of my trouble,
yes, my application could be hacked. But, that is the limitation of a Jet database
since it is a file-based system. NO amount of effort spent securing a Jet database
will keep out a determined hacker with access to the file itself. Period. You
just have to live with it or switch to another platform. I do not have any issues
with hackers so my setup works in my situation.

Man, this seems to get more confusing as I get closer to solving the
problem. Thanks in advance!

Access security *is* confusing the first few times around.
Don't feel bad, we've all been there before (except maybe Joan and Lynn)

PS: how do quote from a previous post? like...

I do not know how AccessMonster works, but it is probably a limitation
of that newsreader. I use Outlook Express and it is a piece of cake to
copy/paste text from previous messages.

 

[Justin To via AccessMonster.com]

I agree completely with Jeff's first reason. The reason why I have a custom
form setup handling users and such is because there are too many
information displayed on the Access's one that is irrelevant to what the
semiAdmin has to do, namely add/remove/modify users, and change/reset
passwords.

Now, temporarily creating an admin workspace to do these things are out of
the question, lol, boss said no hardcoding password. Period. Another
requirement from my boss is that he wants a custom group called security
admin (I guess that's the semi-admin), and whoever joins this security
admin group, can add/remove/modify users, change/reset passwords. BUT do
not have any admin rights to modify the objects/data of the DB.

The way I have it set up is the 2 .mdw approach...
in developer.mdw there's just the default Admin, and the superAdmin and all
the custom groups
and in production.mdw, just the regular users...and the exact same custom
groups

now...the "Admins" group in production can't do anything except for the
user management stuff...so I decided to make a "security admin" and "app
admin" group...and if people are in these groups, they are in "Admins"
group as well...and basically...people in security admin just add new users
and so on...people in app admin are like my boss, and well..the "real
adminstrators" I suppose...that's what I meant by having users that have
admin rights in the developer.mdw....getting more and more confusing...lol

"more control" means I can choose what kind of groups show up in the
Available list, and what kind of groups I can restrict on removing from the
Member of list. Guess I'm a bit defensive there...but just in case..never
hurts lol

Everything seems to work fine...I just need to re-assign all the
permissions to the various groups since the last developer didn't write
down any of those ID's...>.< DOH

But yup, I think I'm all done! Thanks for all the help and the different
opinions and viewpoints as well =), learned quite a lot about Access *odd*
Security this week. Thanks once again!!!

Justin

PS: actually...if I post through accessmonster...I can just go >"text" and
it'll show up grayed and quote-like odd...but yah...this is my first
time using a forum/newsgroup, didn't realize that it was this useful, and
so many technical and experienced experts would help

 

[Joan Wild]

. Joan and
Lynn, please correct me if I am mistaken any where in here.

I created a development.mdw and production.mdw file. I have one
SemiAdmin person
in the production.mdw file and that is the only person in the Admins
group. I created custom forms for adding/editing/deleting users (and
assigning to groups) for four reasons:

All good reasons Jeff, but

- The SemiAdmin person can turn off the Shift key bypass since they
are a member
of the Admins group! I did not want to have this happen. Period.

No. You would disable the shiftkey bypass while logged into the development
mdw. If done securely, a member of the Admins group in the production mdw
would not be able to change this.

So what I did was make the SemiAdmin person "invisible." I shipped
the application

So what you (and it turns out Justin) want is another group that has
permission to open the database and do administrative things, but more than
just manage users. I think I got confused with 'adminiter the database' and
what was really meant. I too include a group like this to manage users,
manage picklists, compact, and backup. All these are done via forms in the
database, but only this group has permission to use them.

One last thought. There are utilities out there (some even free) that
can read the UserName/Password information from MDW files.

Actually there are some that don't need the mdw to do this.

Access security *is* confusing the first few times around.
Don't feel bad, we've all been there before (except maybe Joan and
Lynn) <g>

Nope - been there, done that, but nobody gave me a t-shirt <g>

 

[Jeff Conrad]

Hi Justin,

I agree completely with Jeff's first reason. The reason why I have a custom
form setup handling users and such is because there are too many
information displayed on the Access's one that is irrelevant to what the
semiAdmin has to do, namely add/remove/modify users, and change/reset
passwords.

My feelings exactly.

Now, temporarily creating an admin workspace to do these things are out of
the question, lol, boss said no hardcoding password. Period. Another
requirement from my boss is that he wants a custom group called security
admin (I guess that's the semi-admin), and whoever joins this security
admin group, can add/remove/modify users, change/reset passwords. BUT do
not have any admin rights to modify the objects/data of the DB.

I just realized that in my last post that I said you only had two choices, but
actually there was a third and you already caught onto that I assume. You
can use your custom forms for adding/editing/deleting users without hard-coding
in a password IF you person who uses the form is a member of the Admins
group AND you have granted permission for that person (by group affliation)
to use those forms.

The way I have it set up is the 2 .mdw approach...
in developer.mdw there's just the default Admin, and the superAdmin and all
the custom groups
and in production.mdw, just the regular users...and the exact same custom
groups

Sounds good.

now...the "Admins" group in production can't do anything except for the
user management stuff...so I decided to make a "security admin" and "app
admin" group...and if people are in these groups, they are in "Admins"
group as well...and basically...people in security admin just add new users
and so on...people in app admin are like my boss, and well..the "real
adminstrators" I suppose...that's what I meant by having users that have
admin rights in the developer.mdw....getting more and more confusing...lol

Yes, if you want people in the "app admin" group to be able to change
user information they will also need to be in the Admins group.

"more control" means I can choose what kind of groups show up in the
Available list, and what kind of groups I can restrict on removing from the
Member of list. Guess I'm a bit defensive there...but just in case..never
hurts lol

My thoughts as well. Less confusion for my low-tech users the better.

Everything seems to work fine...I just need to re-assign all the
permissions to the various groups since the last developer didn't write
down any of those ID's...>.< DOH


But yup, I think I'm all done! Thanks for all the help and the different
opinions and viewpoints as well =), learned quite a lot about Access *odd*
Security this week. Thanks once again!!!

You're very welcome, glad to help.
Ready for RWOP queries now?
;-)

PS: actually...if I post through accessmonster...I can just go >"text" and
it'll show up grayed and quote-like odd...but yah...this is my first
time using a forum/newsgroup, didn't realize that it was this useful, and
so many technical and experienced experts would help

You have NO idea how incredibily useful these Access newsgroups
can be! You can learn something new every single day. It is absolutely
amazing that people will devote their own personal time to help people
around the world.

You WILL come back Justin.....
Resistance is Futile.....

He....he....he....my work is done.

 

[Jeff Conrad]

No. You would disable the shiftkey bypass while logged into the development
mdw. If done securely, a member of the Admins group in the production mdw
would not be able to change this.

Ohhh, you're right! I should have thought about that much more carefully!
Yes, I did secure with the DDL argument in the development.mdw file.
Cool, thanks for the correction Joan; I can rest a bit easier now.

So what you (and it turns out Justin) want is another group that has
permission to open the database and do administrative things, but more than
just manage users. I think I got confused with 'administer the database' and
what was really meant. I too include a group like this to manage users,
manage picklists, compact, and backup. All these are done via forms in the
database, but only this group has permission to use them.

Yep, yep, yep.

Actually there are some that don't need the mdw to do this.

Yep, scary. There is no shortage of low-lifes in the world.

Nope - been there, done that, but nobody gave me a t-shirt <g>

"Junkies Gone Wild"
<g, d, & rrrr>

 

[Lynn Trapp]

Hah...been there, done that...more than once...and they took my t-shirt
away...LOL

 

[Jeff Conrad]

<T-shirt comment snipped>

Joan, I've just realized the comment also has a possible negative connotation!
That was not my intent; it was simply a play on words with
your last name. I hope no offense was taken and my sincere
apologies if there was. Bad Jeff. :-(

 

[Joan Wild]

<T-shirt comment snipped>

Joan, I've just realized the comment also has a possible negative
connotation! That was not my intent; it was simply a play on words
with
your last name. I hope no offense was taken and my sincere
apologies if there was. Bad Jeff. :-(

Huh? I hadn't taken it any other way, so don't sweat it.