ATTN: Jadedata.........Security Lite
Hey Jack!
I've seen the light and I have decided to remove the user/group level security from my DB. It's been such a pain in the a**(like you said). I wanted to see if you would be willing to give me some insite on your "Security Lite"?
Basically what I would still like to do is still have users logon (via my own login form or the access .mdw) so I can store their name and use it later to track who has made changes. Then, I would like to password protect certain forms and/or command buttons.
Would you suggest I:
a. store all the usernames and passwords in a module and use my own login form, or
b. go ahead and use the Access user accounts, make everyone a part of the users group and give the users group full permission?
If "b" is the answer, would I still be able to store the username that logged in for later use?
Thanks,
Jeremy
I've seen the light and I have decided to remove the user/group level security from my DB. It's been such a pain in the a**(like you said). I wanted to see if you would be willing to give me some insite on your "Security Lite"?
Basically what I would still like to do is still have users logon (via my own login form or the access .mdw) so I can store their name and use it later to track who has made changes. Then, I would like to password protect certain forms and/or command buttons.
Would you suggest I:
a. store all the usernames and passwords in a module and use my own login form, or
b. go ahead and use the Access user accounts, make everyone a part of the users group and give the users group full permission?
If "b" is the answer, would I still be able to store the username that logged in for later use?
Thanks,
Jeremy
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
correct. But remember the sub that I gave you is just an example of ONE way that I test the user's GROUPS before taking an action.
Another example:
In my tzSwitchboardItems table I have a field called "AuthGroups"
If isnull("AuthGroups") then all groups are authorized to use/SEE the button on the switchboard.
If not isnull("AuthGroups"), ONLY the group(s) listed are authorized to use/SEE the button.
The switchboard has a function that fills the buttons (FillOptions). In this function as each button is evaluated I test the AuthGroups field against the users assigned groups. If they aren't on the list, they don't see a button for that option.
Another example:
In my tzSwitchboardItems table I have a field called "AuthGroups"
If isnull("AuthGroups") then all groups are authorized to use/SEE the button on the switchboard.
If not isnull("AuthGroups"), ONLY the group(s) listed are authorized to use/SEE the button.
The switchboard has a function that fills the buttons (FillOptions). In this function as each button is evaluated I test the AuthGroups field against the users assigned groups. If they aren't on the list, they don't see a button for that option.
ASKER
I like that too! :)
So is the "AuthGroups" field just a yes/no data type? If so, when it is not null, where does it pull the grouplist from?
Also, what permissions does your User group have? I take it that all your usernames are in the "users" group. Do you just give Administrator privledges to the users group?
So is the "AuthGroups" field just a yes/no data type? If so, when it is not null, where does it pull the grouplist from?
Also, what permissions does your User group have? I take it that all your usernames are in the "users" group. Do you just give Administrator privledges to the users group?
AuthGroups is a text/255 field.
If it is null, the presumption is that all users have access to that button.
Admin OWNS all objects in the database
Users GROUP is assigned to all Usernames
Admins GROUP is assigned to all Usernames
[AppGroup] is assigned to all usernames.
I use this app group for a process I call a "Clustered" Application. I have 4 Applications that all use, in whole or in part the same set of backend datafiles (about 85 of them) for various purposes. Let's call these AppOne, AppTwo, AppThree, AppFour...
If a user open's AppOne, the switchboard (firstform) has code on it to detect it's own identity (AppOne) and whether the currentuser is in the group appropriate to that application. If NOT, Application.Quit.
I use one MDW file for all four applications that way. Any number of the four apps may be installed on a desktop, in any combination, but the user must have authority (be in the group for) that application. The GROUPS in the mdw may be shared between one or more of the applications.
If it is null, the presumption is that all users have access to that button.
Admin OWNS all objects in the database
Users GROUP is assigned to all Usernames
Admins GROUP is assigned to all Usernames
[AppGroup] is assigned to all usernames.
I use this app group for a process I call a "Clustered" Application. I have 4 Applications that all use, in whole or in part the same set of backend datafiles (about 85 of them) for various purposes. Let's call these AppOne, AppTwo, AppThree, AppFour...
If a user open's AppOne, the switchboard (firstform) has code on it to detect it's own identity (AppOne) and whether the currentuser is in the group appropriate to that application. If NOT, Application.Quit.
I use one MDW file for all four applications that way. Any number of the four apps may be installed on a desktop, in any combination, but the user must have authority (be in the group for) that application. The GROUPS in the mdw may be shared between one or more of the applications.
ASKER
So the value you put in the AuthGroups field is actually the group name? Can you put multiple group names in the field?
Admin OWNS all objects in the database
Users GROUP is assigned to all Usernames
Admins GROUP is assigned to all Usernames
[AppGroup] is assigned to all usernames.
By default everyone is in the users group, so I will just add everyone to the Admins group as well. Then I'll setup my different department groups and assign certain users to their respective department. ie. Warehouse Manager BillC will be in "Users", "Admins" and "Warehouse Level1" groups.
My thinking is that I'll have a Warehouse Level1 group that can see all controls on the Warehouse form & Warehouse Level2 will only be able to see a few of the controls.
Does this sound right?
Jeremy
Admin OWNS all objects in the database
Users GROUP is assigned to all Usernames
Admins GROUP is assigned to all Usernames
[AppGroup] is assigned to all usernames.
By default everyone is in the users group, so I will just add everyone to the Admins group as well. Then I'll setup my different department groups and assign certain users to their respective department. ie. Warehouse Manager BillC will be in "Users", "Admins" and "Warehouse Level1" groups.
My thinking is that I'll have a Warehouse Level1 group that can see all controls on the Warehouse form & Warehouse Level2 will only be able to see a few of the controls.
Does this sound right?
Jeremy
ASKER
"Change the references to getappsetting() function to fixed values or other references."
What would the fixed values be? I don't quite get what it's trying to do there.
What would the fixed values be? I don't quite get what it's trying to do there.
Keep your names to 20 characters, no spaces, lower case. Set the PIDs for the groups to the name of the group to keep it simple.
I think you have the basic idea, yes...
For your form, write a Form_Config subroutine that will expose/hide controls appropriate to the group a user is in
This routine should be called by the form Open event.
I think you have the basic idea, yes...
For your form, write a Form_Config subroutine that will expose/hide controls appropriate to the group a user is in
This routine should be called by the form Open event.
ASKER
Ok. What about the getappsetting? I'm not sure what it's doing, or what the "fixed values" should be.
Jeremy
Jeremy
SecureUser = "Admin"
SecurePW = [admin password]
SecurePW = [admin password]
ASKER
Very, Very Cool!
I got it working!
Here is my code for the form open. Take a look and see my comments at the bottom.
Private Sub Form_Open(Cancel As Integer)
'restricted access to form open
If UserInGroup(CurrentUser(),
DoCmd.OpenForm "frmWarehouseDailyInventor
Else
If UserInGroup(CurrentUser(),
DoCmd.OpenForm "frmWarehouseDailyInventor
Else
If UserInGroup(CurrentUser(),
DoCmd.OpenForm "frmWarehouseDailyInventor
Else
MsgBox "You have violated your security privilege. Consider yourself fired!", vbOKOnly + vbExclamation, "Notice: Pink Slip Printing"
DoCmd.CancelEvent
End If
End If
End If
If UserInGroup(CurrentUser(),
Else
If UserInGroup(CurrentUser(),
cmdRunInvDaily.Visible = False
cmdTransferDIR.Visible = False
cmdImportInvDaily.Visible = False
cmdExportInvDaily.Visible = False
cmdUpdateBinLocations.Visi
cmdTransferBins.Visible = False
cmdImportBinLocations.Visi
cmdExportBins.Visible = False
cmdUnitPrice0.Visible = False
cmdNegatives.Visible = False
lblOpenARRptRunPRMSARRepor
lblTransferDIR.Visible = False
lblOpenARRptImportARReport
lblOpenARRptExport.Visible
lblUpdateBinLocations.Visi
lblTransferBins.Visible = False
lblImportBinLocations.Visi
lblExportBins.Visible = False
lblUnitPrice0.Visible = False
lblNegatives.Visible = False
lblDailyOperations.Visible
Else
If UserInGroup(CurrentUser(),
cmdRunInvDaily.Visible = False
cmdTransferDIR.Visible = False
cmdImportInvDaily.Visible = False
cmdExportInvDaily.Visible = False
cmdUpdateBinLocations.Visi
cmdTransferBins.Visible = False
cmdImportBinLocations.Visi
cmdExportBins.Visible = False
cmdUnitPrice0.Visible = False
cmdNegatives.Visible = False
lblOpenARRptRunPRMSARRepor
lblTransferDIR.Visible = False
lblOpenARRptImportARReport
lblOpenARRptExport.Visible
lblUpdateBinLocations.Visi
lblTransferBins.Visible = False
lblImportBinLocations.Visi
lblExportBins.Visible = False
lblUnitPrice0.Visible = False
lblNegatives.Visible = False
lblDailyOperations.Visible
End If
End If
End If
End Sub
In the line:
If UserInGroup(CurrentUser(),
Is it possible to put all groups that I want to have access to open this form in this line, or do I have to do the nested IF like I did above?
I got it working!
Here is my code for the form open. Take a look and see my comments at the bottom.
Private Sub Form_Open(Cancel As Integer)
'restricted access to form open
If UserInGroup(CurrentUser(),
DoCmd.OpenForm "frmWarehouseDailyInventor
Else
If UserInGroup(CurrentUser(),
DoCmd.OpenForm "frmWarehouseDailyInventor
Else
If UserInGroup(CurrentUser(),
DoCmd.OpenForm "frmWarehouseDailyInventor
Else
MsgBox "You have violated your security privilege. Consider yourself fired!", vbOKOnly + vbExclamation, "Notice: Pink Slip Printing"
DoCmd.CancelEvent
End If
End If
End If
If UserInGroup(CurrentUser(),
Else
If UserInGroup(CurrentUser(),
cmdRunInvDaily.Visible = False
cmdTransferDIR.Visible = False
cmdImportInvDaily.Visible = False
cmdExportInvDaily.Visible = False
cmdUpdateBinLocations.Visi
cmdTransferBins.Visible = False
cmdImportBinLocations.Visi
cmdExportBins.Visible = False
cmdUnitPrice0.Visible = False
cmdNegatives.Visible = False
lblOpenARRptRunPRMSARRepor
lblTransferDIR.Visible = False
lblOpenARRptImportARReport
lblOpenARRptExport.Visible
lblUpdateBinLocations.Visi
lblTransferBins.Visible = False
lblImportBinLocations.Visi
lblExportBins.Visible = False
lblUnitPrice0.Visible = False
lblNegatives.Visible = False
lblDailyOperations.Visible
Else
If UserInGroup(CurrentUser(),
cmdRunInvDaily.Visible = False
cmdTransferDIR.Visible = False
cmdImportInvDaily.Visible = False
cmdExportInvDaily.Visible = False
cmdUpdateBinLocations.Visi
cmdTransferBins.Visible = False
cmdImportBinLocations.Visi
cmdExportBins.Visible = False
cmdUnitPrice0.Visible = False
cmdNegatives.Visible = False
lblOpenARRptRunPRMSARRepor
lblTransferDIR.Visible = False
lblOpenARRptImportARReport
lblOpenARRptExport.Visible
lblUpdateBinLocations.Visi
lblTransferBins.Visible = False
lblImportBinLocations.Visi
lblExportBins.Visible = False
lblUnitPrice0.Visible = False
lblNegatives.Visible = False
lblDailyOperations.Visible
End If
End If
End If
End Sub
In the line:
If UserInGroup(CurrentUser(),
Is it possible to put all groups that I want to have access to open this form in this line, or do I have to do the nested IF like I did above?
You could set all the defaults to false and expose only those for that group,... but I do believe you have the hang of it!!
re: "Is it possible to put all groups ..."
Yes, but you want to do that call BEFORE you attempt opening the form, or you just have to cancel the Open Event.
If UserInGroupList(CurrentUse
docmd.openform.....
else
msgbox "Danger, Danger Will Robinson!!!"
endif
re: "Is it possible to put all groups ..."
Yes, but you want to do that call BEFORE you attempt opening the form, or you just have to cancel the Open Event.
If UserInGroupList(CurrentUse
docmd.openform.....
else
msgbox "Danger, Danger Will Robinson!!!"
endif
ASKER
Gotcha!
Thanks Jack. I think in the long run, this is going to be a lot easier to manage.
I'll close this Q and if I have any more, I'll post another for you ;)
Oh yeah, congrats on being the featured expert!
Jeremy
Thanks Jack. I think in the long run, this is going to be a lot easier to manage.
I'll close this Q and if I have any more, I'll post another for you ;)
Oh yeah, congrats on being the featured expert!
Jeremy
I'll be around. Thanx for the question!
ASKER
Private Sub OpenAnyForm
'restricted access to form open
if UserInGroup(CurrentUser(),
docmd.openform "ManagersForm"
else
msgbox "You have violated your security privilege. Consider yourself fired!",vbokonly+vbexclama
endif
to see if they are in a group to allow access to the form?