First, I'm not a MS Access developer. However I've got a new job and have to do some MS Access development. I'll be working with another developer who has experience at this; at least more than I have.
One thing he showed me is that users will get into this MS Access application, which goes into the forms, do whatever it is they do there and then bang out of the forms application to get direct access to the tables of the database. (The Access application is a front end to a SQL Server 2005 database.) Since the end users have direct access to the SQL tables, well you can just imagine what sort of mischief they can get into. (The Access application was written by a contractor who left with the application unfinished.)
So my question is this: how can we prevent end users from getting out of the Access application to directly interact with the SQL tables? I would think this is possible, but like I said I'm not an Office developer so I've no idea how it would be done, nor even what sort of things I'd look for.
The Access application is written in MS Access 2007.
#rod
Generally the level of security MS Access is providing is not very impressive. But it gives you some sort of security preventing novice users accessing unwanted information.
look for:
Compiling the database to ACCDE, MDE
provide custom ribbon with your own buttons
Disable the "Navigation" pane : http://www.access-programmers.co.uk/forums/showthread.php?t=187697
Disable the settings via right click.
Use AutoExe function to check if NavigationPAne is deactivated, and reboot database if necessary
Disable the "bypass startup option" key: http://www.access-programmers.co.uk/forums/showthread.php?t=91984
prevent database to load if the DB is not in .accde or .mde format. Again this is within the AutoEXE function to check.
Some useful research/investment would be.
Custom ribbon creator for MS access which will help you to provide your own buttons/ribbons (I used ribboncreator)
Providing membership/user account. since you already have dedicated SQL server you can save user credentials in the back-end tables hiding from front-end. Check user has access by writing stored procedures/functions.
Write function to gather errors, activities and uploads to a LOG table and monitor activities. use web-services + MSXML2.XMLHTTP + async for this task.}
Create a UI for the users to navigate your application. The most basic thing is just a form that has buttons to open all other forms the users need to access in your application.
Then use the ribbon to navigate to "File" -> "Options" -> "Current Database".
Select the form from the step above as "Display form" for the application and then uncheck all the following options "Use Access Special Keys", "Display Navigation Pane", "Allow Full Menus", "Allow Default Shortcut Menus".
This will start you Access application and show the selected form without any of the standard UI for working with tables or the design of other objects in your application.
But please be aware that this is just protection against normal users making accidental mistakes by changing stuff they are not supposed to change. This will not deter a malicious and knowledgeable attacker.
If you want open your application for development, hold down the SHIFT-Key while opening the file.
Another option outside of Access is to deny an AD group with read/write access to your SQL tables the DELETE permission. I was able to do this successfully using Access 2013 and Microsoft SQL Server Management Studio 2012. This post discusses the command.
DENY DELETE ON tablename to [DOMAIN\groupname];
Users in the AD group are able to modify and delete data through the UI we have created, but unable to open the table, select a line, and hit the delete key. They receive the following error: "ODBC--delete on a linked table 'tablename' failed....The DELETE permission was denied on the object ...."
Related
I am considering to create an app for the first time and I am not sure I understand google‘s terms and conditions well. According to what I read, if I give access to some users, I will not be able to get it back and besides, google will get the right to distribute it further. Is this right?
Creating a WebApp with limited access
When you deploy a WebApp you can choose how to execute the WebApp and who has access to it:
You execute either as
You
The user accessing the App
And the App can be accessed by either
Only you
Anyone in your domain
Anyone
You are not able to select only specific users to have access.
However, obviously only the users with whom you will share the WebApp URL will have access to it.
Also, you can use within the WebApp the method getActiveUser() to retrieve the identity of the user and implement a conditional statement that runs the rest of the script only if the active user is one of the "allowed" ones.
Very important: After deploying the WebApp for the first time, you can deploy it as a new version as often as desired and change thereby the execution and access permissions which makes it easy to revoke access
I have a problem with SSRS 2014. I am trying to browse to a data source on my server see pic0. I then get the error in pic1. I cannot browse to it in IE either pic2. Pic3 is from the site settings page of the SSRS and the 3rd user is me with the roles of System Admin, System User.
Could anyone tell me the setting I am missing to grant me access to this?
Thanks
Take a look at the pre-defined security roles for SSRS 2014. The permission you need to work through report builder is the "Report Builder" role. You should probably also get the publisher role so you can manage deployments and such.
I have created an SSRS report which I am using in Asp.net website. Reports accepts server, database,user and password to create connection string dynamically. Dynamic connection string is required because user can select a database at the time of log-in and that database need to be used for SSRS.
One requirement is such that user should be able to create SSRS report himself. For the purpose I provided guideline that how to create parameters that are require data-source's dynamic connection string.
One possible problem I thought is if user do not make parameters as hidden, he will have database credential in clear text.
I thought of adding encryption at asp.net website and decryption in SSRS report but decryption function/code will be easily accessible at the time of designing.
Any idea how to overcome the situation?
I suggested that the OP should read the following documentation:
Specify Credential and Connection Information for Report Data Sources
This were the remarks made by the OP:
Prompt the user for credentials :Not possible because some users can view report with provided website user/password. He will have no idea about DB.
Store credentials: Not possible because user will see data in website as well as in report by database selected at the time of log-in. Database selection option is given at the time of log-in in website because there would be more than one database. so one report will show different data based on selected DB by the user.
Use Windows integrated security : Not possible because most of our client are not allowing use to use integrated security for database access. we need to use their provided credentials for all database access.
Use no credentials : we need to use client provided credentials for all database access. Correct me if i missed something from that article
This is my response and answer to the presented problem:
You require a user to login to your website, as soon as the user is logged in you should be able to know who this user is. This also means that you can give a user specific rights/access to your application.
So you can use the Stored Credentials and more specifically use the Integrated Security.
Type | Context for network connection | Data Source
-------------------- | -------------------------------- | -----------------
Integrated security | Impersonate the current user | For all data source types, connect using the current user account
I believe the following documentation might be exactly what you're looking for.
How to: Secure Connection Strings When Using Data Source Controls
I would strongly recommend creating a new table containing data that specifies the different access levels to then have a junction table with the user table. This will make it easy to determine which user has access to which report and allow for an easy implementatuon of the Integraded Security.
How can I implement security accounts in an Employee Database in Microsoft Access 2010 which allows for different users to login with different permission sets. e.g:-
I have a database which has Managers, Supervisors, and clerks or assistants, and only 1 full administrator.
I have already set a table: tblAccount, tblEmployee
**EmployeeIDP**
Name
Surname
StartedOn
FinishedOn
EmployeedType - Look up:- Admin/Manager/Supervisor/Clerk/Temporary
**AccountIDP**
Username
Password
**EmployeeIDF**
LastLogin
Permissions - look up:- Full Access/Manage accounts/Read accounts only/No access
Without trying to give you the whole specification of the database how can I prevent certain users from accessing the accounts table or form?
I have already implemented a login form and each user is logged using VBA but this was easier than trying to implement permissions to tables/fields etc...
I want to prevent clerks from seeing other accounts, and prevent supervisors from adding/deleting, Managers can add new users an do anything other than delete tables or change the structure of the database.
Obviously the administrator can do anything.
Is this even possibly without advanced VBA.
Depends on the access you give the users. You said you already have a login form that tracks access.
Are all your forms controlled from a startup dashboard page?
Are the users viewing only authorized buttons/links on the dashboard based on their log in?
You could hide all objects (queries, tables forms, reports), give access only through the dashboard, create a .mde or a accde front end where you distribute an encrypted frontend to users. You can then control who can open which data sets, through the forms. This won’t stop a determined programmer but for your usual users, it will work as you get a more robust system.
I have a hidden form that opens after user logs on. The form has field that can be referenced by any process.
DoCmd.OpenForm "frm_global_variables", acNormal, "", "", , acHidden
I answered this in past how to implement user level security in MS Access 2007
There was once workgroup security feature from Microsoft, but it is no more there, was discontinued. But now we will have build our logic & coding for the roles & security feature.
I created a privilege table along with log-in table. Each screen in the database will have Read-only or Read-write privilege to each user. I inserted all the screen names into privilege table. Another table UserPrivilege will have users and their privileges. Assigning privilege to an user will be done only by Admin user.
A function at start of each form check swhether a specified user is allowed to view or edit form. If he/she is given read-only, we will lock all controls looping thr' controls on the form. Else, nothing to do. OR keep all the controls read-only at design them and unlock them thr' code for write privilege.
The database window is kept hidden when a version to end user is delivered. This prevents usual , simple view to tables in the database, opening forms , reports object in database window. After making mde/accde few more tweaks can be done so that user is not easily able to view tables directly. by-passing startup, special keys etc.
I am not able to create subscriptions for SSRS reports as it gives the following error:
Subscriptions cannot be created because the credentials used to run
the report are not stored, or if a linked report, the link is no
longer valid.
My set up is as following:
ServerA - Database Server
ServerB - Report Server
MachineC - Internet explorer to view the reports
So I am viewing reports on Machine C, IE, and ServerB connects to ServerA for Datasource.
The problem sounds like the report expects the user to provide credentials when it is viewed. When you create a subscription, it does not have the credentials to execute the report.
Go to the report, click the properties tab, then choose Data Sources in the left pane.
Are you using a shared data source? Is it using Windows integrated security? If so, can you change it to use a service account made just to run these reports? You may need to view these properties by viewing the data source itself.
If it is a custom data source is the option "Credentials supplied by the user running the report" selected? If so, can you change it to "Credentials stored securely in the report server"?
Either way, if you want to set up a subscription, I have made it work by providing credentials in the data source rather than have the user input them.
If you are worried about security, I would suggest managing that on the report level rather than the data source level.
What the error does not make clear is, in order to be able to subscribe to a report not only must the data source be set to "Credentials stored securely in the report server" you must also not select the option "Impersonate the authenticated user after a connection has been made to the data source".
The way I did was to create a new data source in the report builder and explicitly provided the username and password there to be used.
Then, used that username password with the new data source with the report and voila it worked.
I faced same issue as you, and i found its solution, as #richard said already that it is related to credential of data source you use for your deployed report.
To resolve it Follow these steps:
1. Right click on your shared Data source which you use in your deployed report.
2. Click On Edit Button.
3. a new window will open click on Credential from left pane, Select Use this user name and password then click ok.
4. Check on Save these credential option you get on to previous screen.
5. Test connection and if succeed click ok and deploy your project on report server.
For reference plese look at screen shot given below:
Thanks.