"Rick Brandt" wrote:

> BPH wrote:
> > I would like to rollout a basic application (1 form, 2 tables) to
> > many users, but I don't want the users to have to logon to the
> > database with an ID and Password.  However, I want to ensure they are
> > only able to enter data in the form and nothing else.  Of course, I
> > would liike the administrator to have full access.  What is the best
> > way to do this?   Thanks
>
> Normally when applying Access User Level Security a primary requirement is
> to remove all permissions and ownership from the group "Users" and the user
> "Admin".  That is what forces users to use your mdw file and a login.
>
> You can however, give limited permissions to the Users group.  Then any user
> (using any mdw file) can open your file, but they are still limited to the
> permissions that you granted to the Users group.  There is no need in this
> setup to distribute an mdw file.  Anyone who needs to log in with higher
> permissions though still needs to use your mdw file so they can log in as a
> user with higher authority.
>
> --
> I don't check the Email account attached
> to this message.     Send instead to...
> RBrandt    at       Hunter      dot      com
>
>
>

"Rick Brandt" wrote:

> BPH wrote:
> > Thank you Rick,  That works except that when trying to limit users
> > from being able to link to the tables in my database, the users are
> > not restricted.  I have not split my database (FE/BE) and at this
> > point would prefer not to.  I have set up the form to run off a RWOP
> > query, and I have removed all access to the tables from the Users
> > Group.  I have put the database on a network drive and have not put
> > the security.mdw file with it, thus users are not prompted for a
> > password.  I would expect that any user linking to the database from
> > another database would be stopped by not having sufficient rights
> > inherited from the Users group (I have removed the Admin user from
> > the Admins group).  But users are able to link to the table with full
> > rights. Any thoughts???
>
> Does the default user "Admin" own the database ir any of the objects within?
> Owners have rights above and beyond those that are explicitly granted to
> them.
>
> --
> I don't check the Email account attached
> to this message.     Send instead to...
> RBrandt    at       Hunter      dot      com
>
>
>

> OK, I have changed the owner of the database and the tables to a user
> (my user id).  As an added precaution, I created a new (non-default)
> admin group called SBAdmin and assigned full rights to the tables to
> this group and removed all table rights from the default Admins group.
>
> However, users are still able to link to the tables with full rights.
> Further, if they open the database (I temporarily allowed
> Shiftkeybypass for testing purposes) they have full rights to the
> tables as well.  The user is using their default security.mdw file
> but seems to gain access to the tables via the Admins group (all
> rights are checked for this group, but not checked for the user Admin
> or for the group Users), despite the fact that I have explicitly
> removed table access from the Admins group.  Is there something I
> have to do to ensure my access changes take effect?
>
> Thanks for your continued help.
>
> "Rick Brandt" wrote:
>
>> BPH wrote:
>>> Thank you Rick,  That works except that when trying to limit users
>>> from being able to link to the tables in my database, the users are
>>> not restricted.  I have not split my database (FE/BE) and at this
>>> point would prefer not to.  I have set up the form to run off a RWOP
>>> query, and I have removed all access to the tables from the Users
>>> Group.  I have put the database on a network drive and have not put
>>> the security.mdw file with it, thus users are not prompted for a
>>> password.  I would expect that any user linking to the database from
>>> another database would be stopped by not having sufficient rights
>>> inherited from the Users group (I have removed the Admin user from
>>> the Admins group).  But users are able to link to the table with
>>> full rights. Any thoughts???
>>
>> Does the default user "Admin" own the database ir any of the objects
>> within? Owners have rights above and beyond those that are
>> explicitly granted to them.
>>
>> --
>> I don't check the Email account attached
>> to this message.     Send instead to...
>> RBrandt    at       Hunter      dot      com

>Thank you Rick,  That works except that when trying to limit users from being
>able to link to the tables in my database, the users are not restricted.  I
>have not split my database (FE/BE) and at this point would prefer not to.  I
>have set up the form to run off a RWOP query, and I have removed all access
>to the tables from the Users Group.  I have put the database on a network
>drive and have not put the security.mdw file with it, thus users are not
>prompted for a password.  I would expect that any user linking to the
>database from another database would be stopped by not having sufficient
>rights inherited from the Users group (I have removed the Admin user from the
>Admins group).  But users are able to link to the table with full rights. 
>Any thoughts???
>
>"Rick Brandt" wrote:
>
>> BPH wrote:
>> > I would like to rollout a basic application (1 form, 2 tables) to
>> > many users, but I don't want the users to have to logon to the
>> > database with an ID and Password.  However, I want to ensure they are
>> > only able to enter data in the form and nothing else.  Of course, I
>> > would liike the administrator to have full access.  What is the best
>> > way to do this?   Thanks
>>
>> Normally when applying Access User Level Security a primary requirement is
>> to remove all permissions and ownership from the group "Users" and the user
>> "Admin".  That is what forces users to use your mdw file and a login.
>>
>> You can however, give limited permissions to the Users group.  Then any user
>> (using any mdw file) can open your file, but they are still limited to the
>> permissions that you granted to the Users group.  There is no need in this
>> setup to distribute an mdw file.  Anyone who needs to log in with higher
>> permissions though still needs to use your mdw file so they can log in as a
>> user with higher authority.
>>
>> --
>> I don't check the Email account attached
>> to this message.     Send instead to...
>> RBrandt    at       Hunter      dot      com
>>
>>
>>

On 29 Nov 2005 20:11:57 -0800, "TC" <aatcbbtcc***@yahoo.com> wrote:

>
>jacksonmacd wrote:
>
>> AFAIK, the
>> owner of the RWOP query must exist *in* the workgroup file that is in
>> effect during the Access session.
>
>True.
>
>> In other words, the users must log
>> onto a special workgroup file that contains the query owner.
>
>That doesn't follow imho. He only has to log on if the Admin user has a
>password (as you know). If he used a shortcut with the /wrkgrp switch,
>but the Admin user of that workgroup file did not have a password, he'd
>be seeing the right user(s), but he would not have to log on.

"TC" wrote:

>
> jacksonmacd wrote:
>
> > AFAIK, the
> > owner of the RWOP query must exist *in* the workgroup file that is in
> > effect during the Access session.
>
> True.
>
> > In other words, the users must log
> > onto a special workgroup file that contains the query owner.
>
> That doesn't follow imho. He only has to log on if the Admin user has a
> password (as you know). If he used a shortcut with the /wrkgrp switch,
> but the Admin user of that workgroup file did not have a password, he'd
> be seeing the right user(s), but he would not have to log on.
>
> HTH,
> TC
>
>

>So if I understand both of you correctly, despite the fact that I have set up
>a RWOP query, the fact that the user was not using the Security.mdw file
>where I established secuirty makes the RWOP setting mute as the user was not
>using this, rather the form worked because they had underlying access to the
>table.  I understand this, and it seems then that my requirements conflict.
>
>However, I still don't understand why my security settings for the tables
>haven't taken effect for users logging onto the DB without access to my
>security.mdw file.  Remember, I removed all access to the tables from
>everyone but members of SBAdmins group, but users can link to the table. 
>Coincidentally, when I try to test the access by changing the name of the
>security.mdw so I effectively simulate a user, then I am restricted from
>linking the tables and it seems to work as I would like it (I use a default
>security.mdw file and am on as admin, not the owner - this is strange and
>frustrating). 
>
>Even though once I understand this, it seems my design is still flawed
>because of the points above.
>
>Thanks
>"TC" wrote:
>
>>
>> jacksonmacd wrote:
>>
>> > AFAIK, the
>> > owner of the RWOP query must exist *in* the workgroup file that is in
>> > effect during the Access session.
>>
>> True.
>>
>> > In other words, the users must log
>> > onto a special workgroup file that contains the query owner.
>>
>> That doesn't follow imho. He only has to log on if the Admin user has a
>> password (as you know). If he used a shortcut with the /wrkgrp switch,
>> but the Admin user of that workgroup file did not have a password, he'd
>> be seeing the right user(s), but he would not have to log on.
>>
>> HTH,
>> TC
>>
>>

"Joan Wild" wrote:

> jacksonmacd wrote:
> > I think that your requirements are mutually exclusive. AFAIK, the
> > owner of the RWOP query must exist *in* the workgroup file that is in
> > effect during the Access session. In other words, the users must log
> > onto a special workgroup file that contains the query owner.
>
> That is not true.  The production workgroup file does not need to have the
> owner in it for a RWOP query to work.
>
> --
> Joan Wild
> Microsoft Access MVP
>
>
>

> Joan, that is good news for me, but then takes me back to my original
> question.  Do you know why the security I have applied to the tables
> in my database does not seem to restrict users from linking to the
> table when they access the database via their default security.mdw?
>
> "Joan Wild" wrote:
>
>> jacksonmacd wrote:
>>> I think that your requirements are mutually exclusive. AFAIK, the
>>> owner of the RWOP query must exist *in* the workgroup file that is
>>> in effect during the Access session. In other words, the users must
>>> log onto a special workgroup file that contains the query owner.
>>
>> That is not true.  The production workgroup file does not need to
>> have the owner in it for a RWOP query to work.
>>
>> --
>> Joan Wild
>> Microsoft Access MVP

>
> Joan Wild wrote:
> > jacksonmacd wrote:
> > > I think that your requirements are mutually exclusive. AFAIK, the
> > > owner of the RWOP query must exist *in* the workgroup file that is in
> > > effect during the Access session. In other words, the users must log
> > > onto a special workgroup file that contains the query owner.
> >
> > That is not true.  The production workgroup file does not need to have the
> > owner in it for a RWOP query to work.
>
>
> Um, are you sure? An RWOP query is executed with the permissions of the
> user who owns the query. If that user does not exist in the current
> workgroup file, those permisions will be "nil", AFAIK.

> If you can contradict this, I'd be interested in a small example db &
> mdw (preferably in A97 format) that I could take a look at with my
> various tools.
>
> Cheers,
> TC
>
>

> Could you post a small example mdb & mdw where I can get at them?
>
> TC

> Could you post a small example mdb & mdw where I can get at them?
>
> TC

> Sorry to post so long after the fact, but I just came upon this very
> interesting discussion while researching my own related problem with RWOP
> queries.
>
> After seeing Joan state so unequivocally that RWOP queries will work even if
> the owner is not in the production mdw, I decided to investigate further why
> this was not my experience.  Turns out that she is right, of course, but I'll
> share with you why it wasn't working for me.
>
> The owner of all of the objects in my front-end mdb, including the queries,
> was an individual "super user" (i.e., not a group).  When I secured the
> back-end mdb, I gave table permissions to the administrator group (not
> Admins) that this user was a member of and gave no table permissions
> explicitly to the individual "super user", assuming that permissions would
> flow through to the "super user" by virtue of membership in the administrator
> group.
>
> Well, with one important 'Gotcha', it appears as if the permissions do flow
> through as you would normally expect, as the "Super User" was able to access
> the tables as per usual.  However, anyone using the default System mdw would
> get error 3112 (no read permission) even though the default Admin user had
> appropriate permissions on the queries in the secured front-end.  When I
> changed security in the back-end so that the "Super User" was explicitly
> granted permissions on the tables, then everything worked for users with the
> default System mdw just as Joan suggested it would.
>
> So the 'Gotcha' is that, with RWOP queries, permissions do not flow-through
> from a Group to a user.  If an individual user is specified as the owner of
> the query, then for that query to work as a RWOP query, that individual owner
> must have explicit permissions on the back-end table, not permissions that
> are inherited by virtue of group membership.
>
> It will also work if the owner of the query is a group and the group has
> permissions on the back-end table.  You can change the ownership of the query
> to a group if you want.  The important point is that the names must
> match--the owner of the query must also have explicit permissions on the
> back-end table, whether that be a group or an individual user.

"Joan Wild" wrote:

> Not my experience.  I have never had to give the query owner explicit
> permissions on the tables (shouldn't need to since the query owner is
> the owner of the tables as well).
>
> Your super user should not need to inherit any permissions from any
> group, as the owner trumps all.
>
> Your explanation makes sense to me, but only if Super User did not own
> the tables.
>
> Joan
>
> Zardoz wrote:
> > Sorry to post so long after the fact, but I just came upon this very
> > interesting discussion while researching my own related problem with RWOP
> > queries.
> >
> > After seeing Joan state so unequivocally that RWOP queries will work even if
> > the owner is not in the production mdw, I decided to investigate further why
> > this was not my experience.  Turns out that she is right, of course, but I'll
> > share with you why it wasn't working for me.
> >
> > The owner of all of the objects in my front-end mdb, including the queries,
> > was an individual "super user" (i.e., not a group).  When I secured the
> > back-end mdb, I gave table permissions to the administrator group (not
> > Admins) that this user was a member of and gave no table permissions
> > explicitly to the individual "super user", assuming that permissions would
> > flow through to the "super user" by virtue of membership in the administrator
> > group.
> >
> > Well, with one important 'Gotcha', it appears as if the permissions do flow
> > through as you would normally expect, as the "Super User" was able to access
> > the tables as per usual.  However, anyone using the default System mdw would
> > get error 3112 (no read permission) even though the default Admin user had
> > appropriate permissions on the queries in the secured front-end.  When I
> > changed security in the back-end so that the "Super User" was explicitly
> > granted permissions on the tables, then everything worked for users with the
> > default System mdw just as Joan suggested it would.
> >
> > So the 'Gotcha' is that, with RWOP queries, permissions do not flow-through
> > from a Group to a user.  If an individual user is specified as the owner of
> > the query, then for that query to work as a RWOP query, that individual owner
> > must have explicit permissions on the back-end table, not permissions that
> > are inherited by virtue of group membership.
> >
> > It will also work if the owner of the query is a group and the group has
> > permissions on the back-end table.  You can change the ownership of the query
> > to a group if you want.  The important point is that the names must
> > match--the owner of the query must also have explicit permissions on the
> > back-end table, whether that be a group or an individual user.
>

"David W. Fenton" wrote:

> =?Utf-8?B?WmFyZG96?= <Zar***@discussions.microsoft.com> wrote in
> news:254F0D98-752F-43B4-9D11-D9076E432BF0@microsoft.com:
>
> > I double- and triple-checked, and the superuser is the owner of
> > the tables in the backend database.
>
> What about the table links in the front end? Permissions on those
> are completely independent of the back-end table permissions.
>
> --
> David W. Fenton                  http://www.dfenton.com/
> usenet at dfenton dot com    http://www.dfenton.com/DFA/
>

> Thanks for the suggestion, David.  I rechecked the ownership of the front-end
> table objects (which as you state are just links to the back-end) and the
> owner of these objects is my SuperUser, so I don't think that's it.  But
> please keep the ideas coming.
>
> One thing I noticed is that, when a query is set as RWOP (in the
> RunPermissions property of the query), I cannot change the owner of the
> query, even when I am logged in as the owner of the query (i.e., as the
> SuperUser).  I would get the message "You don't have permission to change the
> owner of <Name of query>.  To change the owner of a database object, you must
> have Administer permission for it...."  My SuperUser does have Administer
> permission for all queries.  This had me wondering whether somehow my
> SuperUser was not actually being recognized as the owner of the query.  But
> when I researched this, I found that this behaviour is actually by design, at
> least in MS Access 2000 (see http://support.microsoft.com/kb/208929) and
> earlier versions (see http://support.microsoft.com/kb/120885).  I am using MS
> Access 2003, and I could not find a similar article for my version,, but
> presumably this behaviour continues to be by design.
>
> So my situation continues to be that, using RWOP queries, I can achieve what
> the title of this thread refers to as 'security without signon' only if the
> owner of the RWOP query is given explicit permissions on the back-end tables
> rather than inherited permissions by virtue of group membership.  This is
> fine for my purposes, but given Joan's statements above, it sounds as if this
> should work with inherited permissions as well, in which case I would like to
> understand why this isn't working for me in case there is an underlying
> problem with my security implementation.
>
> Actually, the more I think about this, the more I am convinced that my
> findings make sense, which leads me to wonder whether my scenario is somehow
> different from the one implied by Joan.  It is the different experiences of
> the default Admin user in my scenario that might be the key to understanding
> what is going on here.
>
> As we know, the default Admin user is the same across all mdw files.  There
> are two mdw files at play in my scenario:  the one that I created to secure
> my database (SecureMDW), and the default one that comes with Access
> (SystemMDW).  SystemMDW contains the default Admin user account plus the two
> default group accounts (Admins, Users).  SecureMDW contains these default
> accounts plus the account for my SuperUser and the account for my SuperGroup,
> and SuperUser is a member of SuperGroup.
>
> If I log in as the Admin user through SecureMDW, inherited permissions
> (through SuperUser's membership in SuperGroup) work; if I log in as the Admin
> user through SystemMDW, inherited permissions do not work.
>
> What I suspect is happening is that the Admin user (or any user) connecting
> through SecureMDW can see that SuperUser is a member of SuperGroup because
> these accounts and this membership is defined within SecureMDW.  The Admin
> user connecting through SystemMDW knows nothing about the existence of
> accounts for SuperUser or SuperGroup (and certainly does not know that
> SuperUser is a member of SuperGroup) because these accounts and membership do
> not exist in SystemMDW.
>
> Both Admin users will see that someone named SuperUser is the owner of the
> objects in the database (such as queries, etc.) because object ownership is
> part of the permissions that reside with the database file.  When SuperUser's
> back-end table permssions are inherited through SuperGroup, the SecureMDW
> Admin user will recognize SuperGroup is (because SuperGroup is also a member
> of SecureMDW) and will be able to trace this inheritance back to recognize
> that the owner of the query also has permissions on the back-end table;
> however, SystemMDW Admin user will have no idea who this SuperGroup is
> (because SuperGroup is not defined in SystemMDW) and, since SuperGroup is
> different from the name of the owner of the query (SuperUser), this Admin
> user will conclude that the query owner (SuperUser) does not have any
> permissions on the back-end table.
>
> My only hesitation in thinking that this is reasonably correct is that Joan
> has asserted above that inherited permissions should work in this context and
> that her users use the production mdw (which I assume is SystemMDW) and she
> has never had to give explicit back-end table permissions to the query owner.
>  So I am hoping that her scenario is somehow different from mine; otherwise,
> I will still have some work to do to understand why inherited permissions are
> not working for me.  
>
> "David W. Fenton" wrote:
>
>> =?Utf-8?B?WmFyZG96?= <Zar***@discussions.microsoft.com> wrote in
>> news:254F0D98-752F-43B4-9D11-D9076E432BF0@microsoft.com:
>>
>>> I double- and triple-checked, and the superuser is the owner of
>>> the tables in the backend database.
>> What about the table links in the front end? Permissions on those
>> are completely independent of the back-end table permissions.
>>
>> --
>> David W. Fenton                  http://www.dfenton.com/
>> usenet at dfenton dot com    http://www.dfenton.com/DFA/
>>

"Joan Wild" wrote:

> The only thing I see different, is that I use the Admins Group in
> securemdw, whereas you created a separate SuperGroup.
>
> Joan Wild
> MS Access MVP
>
> Zardoz wrote:
> > Thanks for the suggestion, David.  I rechecked the ownership of the front-end
> > table objects (which as you state are just links to the back-end) and the
> > owner of these objects is my SuperUser, so I don't think that's it.  But
> > please keep the ideas coming.
> >
> > One thing I noticed is that, when a query is set as RWOP (in the
> > RunPermissions property of the query), I cannot change the owner of the
> > query, even when I am logged in as the owner of the query (i.e., as the
> > SuperUser).  I would get the message "You don't have permission to change the
> > owner of <Name of query>.  To change the owner of a database object, you must
> > have Administer permission for it...."  My SuperUser does have Administer
> > permission for all queries.  This had me wondering whether somehow my
> > SuperUser was not actually being recognized as the owner of the query.  But
> > when I researched this, I found that this behaviour is actually by design, at
> > least in MS Access 2000 (see http://support.microsoft.com/kb/208929) and
> > earlier versions (see http://support.microsoft.com/kb/120885).  I am using MS
> > Access 2003, and I could not find a similar article for my version,, but
> > presumably this behaviour continues to be by design.
> >
> > So my situation continues to be that, using RWOP queries, I can achieve what
> > the title of this thread refers to as 'security without signon' only if the
> > owner of the RWOP query is given explicit permissions on the back-end tables
> > rather than inherited permissions by virtue of group membership.  This is
> > fine for my purposes, but given Joan's statements above, it sounds as if this
> > should work with inherited permissions as well, in which case I would like to
> > understand why this isn't working for me in case there is an underlying
> > problem with my security implementation.
> >
> > Actually, the more I think about this, the more I am convinced that my
> > findings make sense, which leads me to wonder whether my scenario is somehow
> > different from the one implied by Joan.  It is the different experiences of
> > the default Admin user in my scenario that might be the key to understanding
> > what is going on here.
> >
> > As we know, the default Admin user is the same across all mdw files.  There
> > are two mdw files at play in my scenario:  the one that I created to secure
> > my database (SecureMDW), and the default one that comes with Access
> > (SystemMDW).  SystemMDW contains the default Admin user account plus the two
> > default group accounts (Admins, Users).  SecureMDW contains these default
> > accounts plus the account for my SuperUser and the account for my SuperGroup,
> > and SuperUser is a member of SuperGroup.
> >
> > If I log in as the Admin user through SecureMDW, inherited permissions
> > (through SuperUser's membership in SuperGroup) work; if I log in as the Admin
> > user through SystemMDW, inherited permissions do not work.
> >
> > What I suspect is happening is that the Admin user (or any user) connecting
> > through SecureMDW can see that SuperUser is a member of SuperGroup because
> > these accounts and this membership is defined within SecureMDW.  The Admin
> > user connecting through SystemMDW knows nothing about the existence of
> > accounts for SuperUser or SuperGroup (and certainly does not know that
> > SuperUser is a member of SuperGroup) because these accounts and membership do
> > not exist in SystemMDW.
> >
> > Both Admin users will see that someone named SuperUser is the owner of the
> > objects in the database (such as queries, etc.) because object ownership is
> > part of the permissions that reside with the database file.  When SuperUser's
> > back-end table permssions are inherited through SuperGroup, the SecureMDW
> > Admin user will recognize SuperGroup is (because SuperGroup is also a member
> > of SecureMDW) and will be able to trace this inheritance back to recognize
> > that the owner of the query also has permissions on the back-end table;
> > however, SystemMDW Admin user will have no idea who this SuperGroup is
> > (because SuperGroup is not defined in SystemMDW) and, since SuperGroup is
> > different from the name of the owner of the query (SuperUser), this Admin
> > user will conclude that the query owner (SuperUser) does not have any
> > permissions on the back-end table.
> >
> > My only hesitation in thinking that this is reasonably correct is that Joan
> > has asserted above that inherited permissions should work in this context and
> > that her users use the production mdw (which I assume is SystemMDW) and she
> > has never had to give explicit back-end table permissions to the query owner.
> >  So I am hoping that her scenario is somehow different from mine; otherwise,
> > I will still have some work to do to understand why inherited permissions are
> > not working for me.  
> >
> > "David W. Fenton" wrote:
> >
> >> =?Utf-8?B?WmFyZG96?= <Zar***@discussions.microsoft.com> wrote in
> >> news:254F0D98-752F-43B4-9D11-D9076E432BF0@microsoft.com:
> >>
> >>> I double- and triple-checked, and the superuser is the owner of
> >>> the tables in the backend database.
> >> What about the table links in the front end? Permissions on those
> >> are completely independent of the back-end table permissions.
> >>
> >> --
> >> David W. Fenton                  http://www.dfenton.com/
> >> usenet at dfenton dot com    http://www.dfenton.com/DFA/
> >>
>