Results 1 to 4 of 4
  1. #1
    2 Star Lounger
    Join Date
    Apr 2002
    Location
    Arkansas, USA
    Posts
    163
    Thanks
    0
    Thanked 0 Times in 0 Posts

    denying access using API call (Access 2000)

    I just started working on a new project and it is still in the planning stages. I want to be able to limit access for a group of employees to a single form, where others would have access to the entire set of forms in the database. This project will be in the form of a Replicated Access Database (potentially Partial Replica) with a main screen. I want to set up the command buttons on the main form to check the Windows Logon of the user's computer during the on click event of the command button before using this command button to open a form that would only be viewed by certain users. I would store the user's IDs in a table in the database and would therefore be able to grant access to these users by adding their Windows Logon to that table.

    I know that Access Security is the better way to perform what I am asking, but this will be distributed to numerous users across the network, and I just don't know how to handle this with regard to the security database that is created and I think has to be on all of the user's computers. I will not have admin access to the network so therefore think I have to avoid using the built in Security feature of Access.

    Any thoughts would be appreciated. I have also considered a form based user ID and password that would segregate the users into two groups, one with access and one without. This may even be an easier option, as I could direct the group without access directly to the only form they would be able to utilize.

    Thanks in advance for any assistance.

  2. #2
    Super Moderator
    Join Date
    Aug 2001
    Location
    Evergreen, CO, USA
    Posts
    6,623
    Thanks
    3
    Thanked 60 Times in 60 Posts

    Re: denying access using API call (Access 2000)

    If you really secure the database, which I would recommend, then you can't open the database at all unless you have the correct workgroup set. The easiest way to do that is to deploy it to eacy users workstation hard drive and then include it in the shortcut they use to start the application. And if you don't need to track who is changing what data (or they can't change or add data), then you can use one login for all users in the restricted group.

    It is possible to do what you describe using Windows API calls, but it is lots of work, and then you have to keep track of all the users - a major administrative task. In any event you will want to bulletproof the app so users cannot get to tables and so on. Just out of curiosity, what is it that is driving you to use replication? (It can be a real challenge to administer as well.)
    Wendell

  3. #3
    2 Star Lounger
    Join Date
    Apr 2002
    Location
    Arkansas, USA
    Posts
    163
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: denying access using API call (Access 2000)

    I have had success using replication before and I don't know that I really have any other alternatives. It is easy for me to deploy updates through replication and the users will span most of the Midwest, and possibly more. There will also be offline uses for the daatabase as well. This is primarily why I am choosing to use replication, and will likely utilize partial replication to keep each state's users from accessing the other's data.

    I thinking about this further, I have the code to retrieve the user's Windows logon, and am planning on adding a control to the main form, which will show the user's logon when they start the app. I then will need to just use this value to check against a table of authorized users which with some VBA code will allow certain users to access certain forms based on whether or not they are listed in a table.

    of course, I am just assuming this will work, and will not have an opportunity to work with it until tomorrow.

  4. #4
    Super Moderator
    Join Date
    Aug 2001
    Location
    Evergreen, CO, USA
    Posts
    6,623
    Thanks
    3
    Thanked 60 Times in 60 Posts

    Re: denying access using API call (Access 2000)

    My experience suggests it will be lots of work to create a system that works and is reliable - you are essentially replicating the Access User Security feature. All someone has to do to defeat a basic model of what you propose is to hold down the SHIFT key when they start Access and then add their Windows login to the table with whatever permissions they want. Even if you secure it to the point where they can't use the SHIFT key, they could simply import all the objects into a new database and do whatever they want. Properly done, User Security will prevent these kind of exploits and make your system reasonably secure. BTW, using a database password with a replicated database doesn't work - see the Microsoft document ReplFAQ2K.doc.

    I also surmise from your comments that you are replicating design changes to your users, and that you are working on a WAN, or in some cases with users who casually connect to the WAN. What mechanism are you planning to use to invoke syncronization? In general we avoid replicating design objects and prefer to drop an entirely new front-end database onto the workstation when we develop an application in such an environment. Thus we only replicate data, not designs - except for table structure changes, and we try to avoid those if at all possible. There are a couple of companies that offer products that will make your life easier if you have a large number of users - FMS is one, and we also have one. Hope this stimulates further thought on your design and the issues you face.
    Wendell

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •