Linked Tables Security Problem

Reader1

Hello

I'm involved with a project at work where we are using two different
databases.

The project is split into two areas.

I manage one and another colleague manages the other.

I'm quite new at this stuff so I posted in here and there and read the
articles regarding securing the database when I created it.

My colleague (who's a know it all) went right ahead and created his database
telling me how I should secure mine by doing this and that and he even went
so far as to encrypt his also.

I'm still learning, so I took my time and followed the advice from here and
on the net articles including the Microsoft one.

We are supposedly both Administrators of our own databases and read only
users of the other.

We're using Access 97

When I set my database up I secured it manually using the help from here and
the net.

My colleague used the Wizard and went on to encrypt his also (why - I'm not
sure)

OK - That's the intro

Now the question

I thought it might be useful to share information between the two databases
by use of linked tables.

I tried to access his database which it let me do and it also let me link
the table.
Fine so far but I thought I was a read only user in his database.
Surprisingly it also lets me edit his data and delete it as well.

So I tried it the other way around - linking one of my tables from within
his database.
Rightly, it denied the request citing security and access privileges.

So as it would seem his database is not actually secure but mine is.

My question finally is why ?

What is different in the set up to let me see his data AND edit it but he
can't see my data because it fails to link the table.
 
Keith Wilby

Reader1 said:
> I tried to access his database which it let me do and it also let me link
> the table.
> Fine so far but I thought I was a read only user in his database.
> Surprisingly it also lets me edit his data and delete it as well.
>
> So I tried it the other way around - linking one of my tables from within
> his database.
> Rightly, it denied the request citing security and access privileges.
>
> So as it would seem his database is not actually secure but mine is.
>
> My question finally is why ?

From what you have stated your colleague is indeed a "know it all" and you
know far more than he because you have (a) read up on the subject and (b)
did *not* use the wizard to set up your security. If you can edit his data
then he has missed one or more steps in the securing process. The problem
with the wizard is that it does stuff but doesn't tell you and you learn
nothing about the process.

Your colleague needs to read the FAQ from MS (link on my web site) to fully
understand what's going on, although how you convince him on that is another
topic ;-) If you haven't read it (it sounds like you have) then I can't
stress enough how important it is that you do if you too want a full
understanding.

Regards,
Keith.
www.keithwilby.com
 
Chris Mills

> From what you have stated your colleague is indeed a "know it all" and you
> know far more than he because you have (a) read up on the subject and (b)
> did *not* use the wizard to set up your security.
> Your colleague needs to read the FAQ from MS (link on my web site) to fully
> understand what's going on, although how you convince him on that is another
> topic ;-)

Unfortunately, one of the limitations of the FAQ is that one of the steps
is....THE WIZARD.
(Step 7, have you read it Keith?)

For the record, I also disagree with using Wizards. Therefore, I disagree with
the FAQ.

Regards
Chris
 
Chris Mills

The problem is not really understanding the FAQ or anything else; it's that
Reader1 actually tested it and Colleague didn't.

By Testing, I mean attempting to get in by "disallowed means".

If you could access "Colleague" database, when he thought he disallowed it,
then it's VERY VERY simple. Either your Username, or a Group you are joined
to, has access permissions to his database and/or his objects. There is no
other reason. Find which permission(s) is allowing you access.
(There's a squillion permissions for sure, but this is the reason)

Once you have set up Security (and the SecFAQ certainly helps), there are only
two ways to subsequently check your security permissions:
1) The Access User Interface (Tools, Security...)
2) http://www.grahamwideman.com/gw/tech/access/permexpl/index.htm

> encrypt his also (why - I'm not sure)

otherwise you could use any system dump utility to read text out of the
database file. It is said that encryption is pointless - given that Access ULS
can be so easily broken - nevertheless it prevents THAT type of file dumping.
One *stupid* objection is that you can easily decrypt, which is true if you
can break ULS, but in that case you wouldn't be needing to use dump utilities,
because you're in anyway! All my files are encrypted, and I never need to
decrypt them to get into them within Access. It is said that Encryption
imposes a 10% performance penalty, which may well be true, and you may well
think to be pointless overhead. Nevertheless, it does what it claims to do
(and nothing more).

Chris
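
The check described in the post above (finding which user or group account holds the permission that lets an edit through) can be done in code as well as through Tools, Security. This VBA/DAO routine is an added example, not code from any poster in this thread; the procedure names `ListTableWriters` and `ReportAccount` are made up for illustration, and it assumes it is run inside the database being audited by an account allowed to read permissions.

```vba
' Added example, not from the thread. Run in the database being audited,
' logged on with an account that may read permissions (e.g. a member of Admins).
Option Compare Database
Option Explicit

Public Sub ListTableWriters()
    Dim ws As DAO.Workspace, db As DAO.Database
    Dim doc As DAO.Document, grp As DAO.Group, usr As DAO.User

    Set ws = DBEngine.Workspaces(0)
    Set db = CurrentDb()

    ' The "Tables" container holds one Document per table and saved query.
    For Each doc In db.Containers("Tables").Documents
        If Left$(doc.Name, 4) <> "MSys" Then          ' skip system tables
            Debug.Print doc.Name & "  (owner: " & doc.Owner & ")"
            For Each grp In ws.Groups
                ReportAccount doc, grp.Name, "group"
            Next grp
            For Each usr In ws.Users
                ' Creator and Engine are internal Jet accounts
                If usr.Name <> "Creator" And usr.Name <> "Engine" Then
                    ReportAccount doc, usr.Name, "user"
                End If
            Next usr
        End If
    Next doc
End Sub

' Prints the account if it holds an explicit grant beyond reading.
Private Sub ReportAccount(doc As DAO.Document, acct As String, kind As String)
    Dim perms As Long, rights As String

    doc.UserName = acct          ' select whose permissions to read
    perms = doc.Permissions      ' explicit grants only, not inherited ones

    If (perms And dbSecInsertData) = dbSecInsertData Then rights = rights & " insert"
    If (perms And dbSecReplaceData) = dbSecReplaceData Then rights = rights & " update"
    If (perms And dbSecDeleteData) = dbSecDeleteData Then rights = rights & " delete"

    If Len(rights) > 0 Then Debug.Print "    " & kind & " " & acct & ":" & rights
End Sub
```

A user's effective rights are the union of their own grants and those of every group they belong to, so any account listed in the Immediate window that the "read only" user logs on as, or is a member of, accounts for the unexpected edit access.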
 
Keith Wilby

Chris Mills said:
> Unfortunately, one of the limitations of the FAQ is that one of the steps
> is....THE WIZARD.
> (Step 7, have you read it Keith?)

Step 1.7, yes. It does puzzle me that para 1 states "You may elect not to
use the Security Wizard and to secure the database manually by following
these steps." and then goes on to tell you to open the wizard, but I think
the document as a whole still has value.

Keith.
 
Chris Mills

I think the SecFAQ (in step 7) gives a little bit of explanation BEYOND just
saying use the Wizard (it explains briefly what it does). If one reads it that
way<g>.

It is not my intention to say that the SecFAQ is ANY OTHER THAN the best
document we have.

But it's also dangerous to treat it mantra-like, because it certainly has
limitations. (not many, but I have at least one other). The danger is that,
treating the SecFAQ as Gospel could cause newbies not to question it, which is
unscientific/or just plain Bad.

e.g. The Bible. It's Crap. It says the Sun revolves around the Earth (Bruno
died at the stake <became steaks>), and that The Earth is only so many years
old. The SecFAQ is not untrue in the same way, but it DOES say use the Wizard,
which is neither true nor untrue.

Keep recommending it! Whilst always maintaining the ability to question...
Cheers
Chris
 
