  1. #1
    New Lounger
    Join Date
    Mar 2004
    Location
    cleveland, Ohio, USA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    a little help? (1.0)

    I have a database - built in Access 2000. The security and permissions are broken into three types:

    Admin - developer account
    metro_admin - full access to db forms, etc. - no access to design (back-end)
    supervisor - access to specific forms, reports, etc.

    My question is this....When a supervisor is logged in and he/she clicks on a form or section of the db that he/she does not have access to, is there a way to control the access message..."You don't have permissions to 'x'. To run this object you must have open/run permission for it. For more information on permissions, and who can set them, press help" - I would rather my users not have access to the help in this case. Is there a way to customize the message? Also, a majority of the navigation within the database is done via links to forms...so after a user without permissions to a specific form/report, etc. another message pops up saying "....can't follow the hyperlink to 'x' (form/report name) - Please verify the destination" Is there a way to trap this message or to at least modify it to be a little less descriptive...basically it's saying that the link is broken and well that's not acceptable.

    Any ideas.

    Thanks for the help in advance!

    BAF

  2. #2
    Super Moderator
    Join Date
    Aug 2001
    Location
    Evergreen, CO, USA
    Posts
    6,623
    Thanks
    3
    Thanked 60 Times in 60 Posts

    Re: a little help? (1.0)

    Hi BAF

    Welcome to Woody's Lounge - one of the friendliest places to get your Access (and other applications) questions answered. You have stumbled onto one of the less friendly parts of Access User Security - there isn't really a good way of modifying the existing messages from Security, since they don't really get handled as an error. I assume the accounts you listed are actual UserIDs, and not groups - in that case, what you can do is insert code on the button click that uses the CurrentUser() function to check and see whether a given person can open a specific form, and issue your own error message when they can't - a more sophisticated approach would be to make the command buttons invisible when the form is loaded if the user cannot open the form associated with the button. If those represent the UserGroup rather than the UserID, the code is more complex, but can still be done.

    On a more general note, your approach isn't very secure as long as the Admin account is the one that has full permissions to your database. The usual advice is to build the database with a UserID you create, so they are the owner of the database, and then remove all permissions from the Admin userID. Otherwise, anyone who is pointing to the default workgroup file can open your database and do anything they want. We have some basic information about User Security and list several references on User Security in a tutorial on our website under Support that might be useful to you. Feel free to post back with any questions or concerns you may have.
    Wendell

  3. #3
    Super Moderator
    Join Date
    Jun 2002
    Location
    Mt Macedon, Victoria, Australia
    Posts
    3,993
    Thanks
    1
    Thanked 45 Times in 44 Posts

    Re: a little help? (1.0)

    My approach to this is to hide everything a user doesn't have permission to use, so you don't have to worry about error messages.

    Here is a function that will test whether a user is a member of a group (in this case the Admins group).

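    ' Returns True when the logged-in user is a member of the Admins group
    ' of the workgroup file currently in use. Requires a DAO reference.
    Public Function fnIsAdmin() As Boolean
        Dim wks As DAO.Workspace
        Dim grp As DAO.Group
        Dim usr As DAO.User
        Dim boolinGroup As Boolean

        boolinGroup = False
        Set wks = DBEngine.Workspaces(0)
        Set grp = wks.Groups("Admins")

        ' Walk the group's members looking for the current login name
        For Each usr In grp.Users
            If usr.Name = CurrentUser() Then
                boolinGroup = True
                Exit For
            End If
        Next usr

        fnIsAdmin = boolinGroup
    End Function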

    This function can be used in the OnOpen event for a form to show or hide appropriate items. In this case I have a form with tabbed pages, and one page contains a range of admin functions that I want to hide from other users.

    e.g.

    If fnIsAdmin Then
        Me!pageAdmin.Visible = True
    Else
        Me!pageAdmin.Visible = False
    End If
    Regards
    John
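
The group check from post #3, generalized to any group and applied to a whole form in one pass. This is an added example, not code from any poster in the thread. The names fnIsInGroup and ApplyGroupVisibility and the convention of listing allowed groups in each control's Tag property are assumptions made for illustration.

```vba
Option Explicit

' Added example, not from the thread. Assumes a DAO reference, Jet user-level
' security in use, and that each navigation control's Tag holds a
' semicolon-separated list of allowed groups, e.g. "metro_admin;supervisor"
' (a hypothetical convention). Controls with an empty Tag are left alone.

' True if the logged-in user belongs to strGroup in the current workgroup file.
Public Function fnIsInGroup(ByVal strGroup As String) As Boolean
    Dim grp As DAO.Group
    ' Any failure (unknown group, unreadable account) is treated as "not a member"
    On Error GoTo Fail
    For Each grp In DBEngine.Workspaces(0).Users(CurrentUser()).Groups
        If StrComp(grp.Name, strGroup, vbTextCompare) = 0 Then
            fnIsInGroup = True
            Exit Function
        End If
    Next grp
    Exit Function
Fail:
    fnIsInGroup = False
End Function

' Hide every tagged control that none of the current user's groups may use.
' Call from the form's Open event, before any control has the focus:
'     ApplyGroupVisibility Me
Public Sub ApplyGroupVisibility(frm As Form)
    Dim ctl As Control
    Dim varGroup As Variant
    Dim blnAllowed As Boolean

    For Each ctl In frm.Controls
        If Len(ctl.Tag & "") > 0 Then
            blnAllowed = False
            For Each varGroup In Split(ctl.Tag, ";")
                If fnIsInGroup(Trim$(varGroup)) Then
                    blnAllowed = True
                    Exit For
                End If
            Next varGroup
            ctl.Visible = blnAllowed
        End If
    Next ctl
End Sub
```

Hiding a link only keeps the permission message from appearing; the object permissions set in the workgroup file remain the actual access control and should still deny the form or report to those groups.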



  4. #4
    New Lounger
    Join Date
    Mar 2004
    Location
    cleveland, Ohio, USA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: a little help? (1.0)

    I created a new .mdw file and added my user groups: metro_admin and supervisor. I changed the ownership of everything (except the database, not sure if the ownership can be changed?) to a user called "developer". However, does this restrict my clients' use of other Access databases? For instance, right now I have the workgroup administrator pointed at the .mdw file I made (metro_park.mdw). And if I switch it back, it doesn't allow me into the database at all - which I believe is good - hence it restricts users from getting into the database through the system.mdw. However, I went to open another database and it seems that it is using the same .mdw (metro_park.mdw). But I checked and it's using system.mdw...what am I doing wrong or am I just completely confused? Or both :)

  5. #5
    Super Moderator
    Join Date
    Jun 2002
    Location
    Mt Macedon, Victoria, Australia
    Posts
    3,993
    Thanks
    1
    Thanked 45 Times in 44 Posts

    Re: a little help? (1.0)

    Sorry for the slow reply, I haven't been back to the Lounge for a while.

    Once you join a workgroup, then you get login prompts for all databases. If you want the workgroup to only apply to one db, then don't join the workgroup. Instead create a shortcut to open the database using the workgroup.

    Here is an example of the command line from such a shortcut:

    "C:Program FilesMicrosoft Office97OfficeMSACCESS.EXE" C:databaseskinpath.mdb /wrkgrp c:databaseskinpath.mdw /user developer /pwd yourpassword
    /wrkgrp specifies the workgroup file to use. You can optionally add the user and password info into the shortcut if you wish, but obviously this can compromise security if others have access to the computer.

    To change the ownership you need to be logged in as developer, then make a new empty database, then import all objects from the current db into the new one. The new one will be owned by developer.
    Regards
    John


