Access 2003 appropriate for very simple (but secure) workflow system?

Posted on 2008-10-01
Last Modified: 2013-11-29
For SOX compliance I have been told that our method of registering prices in our purchasing database is insecure.  Here's the current process, handled in Excel.  We have about 5 Buyers, two managers, and one clerk, and this process is repeated at most 10 times in any given day. (and never simultaenously.)

1) Buyer creates a data-entry form in excel and includes as an OLE object a .pdf scan of the quote.  Relevant data (price, part number, etc) is entered.  Buyer types name as initiator and uses the "routing" function of Excel to send to Managment.

2) Management opens the pdf file and confirms that the quote data is accurate and approves. Manager types name as 'approval' and uses the routing function to send to clerk.

3) Clerk enters data from the form into the purchasing system.  Clerk then types name and sends the file back to Buyer using routing.

4) Buyer compares the data on the request form to the data in the purchasing system for data-entry errors.  Buyer types name on the form and routes back to clerk for filing.

5) Clerk files the digital copy in a shared folder, as well as a hard copy in file folder.

Only the clerk has access to the data entry screen in the main purchasing system, but we've been asked to avoid the possibility of the clerk completing the whole registration process by forging signatures.  I would like to create a simple workflow system that assigns users a password and allows them to actually "approve" the form as it goes through the process.  I don't need anything super-robust; we're talking more here about showing an ounce of protection in case the auditors notice the possibility of a clerk forging the whole process.  Best would be the buyer enters the data into the form, chooses the apppropriate manager and clerk, and hits a button.  Ideally, emails would be sent in tern to the user when their input is needed, and the application would allow the final process to be printed, searched and stored at a central location.

So the questions:
Is Access the best vehicle to develop this solution?  Are there add-ons to simplify the development? Is a third-party solution a better choice?  Note: we do not have access to any back-end server capabilities, so the solution must be able to run from each individual work station.

Thanks for any advice.
Question by:kenferrell
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 18

Expert Comment

ID: 22616925
If you require security, then you need another backend database. SQL Server or SQL Server Express (free) would be a good place to start. Is your network a workgroup or are you on a domain?


Author Comment

ID: 22617008
Thanks for the response.  The network is a domain -- we're one small section in a huge organization.  We don't have a stand-alone machine that could hoste a backend database, either...  As for security, all I'm really looking to do is have a simple password process that 'verifies' the user.  The security doesn't really need to be 'hack-proof' as the risk of that is small enough to be ignored.  We just want to be able to say to the auditor that we require a password before a manager could approve the workflow process.
LVL 18

Expert Comment

ID: 22617073
If its a small workgroup all that you need is a vacant workstation to host SQL Server Express, and it wouldn't have to be that powerful. XP pro and a couple of gigs of RAM and you're set. I think that you can have up to 10 connections to XP Pro.

You could use Access but it's not secure. So it fails the first criteria of the test...

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 22617173
Thanks.  We're a small group, but it's not a small workgroup.  Adding another workstation is not in the scope of the project.  When you say Access is not secure, are you saying that it would be impossible to design a simple "user log-in" system?  "Secure" means different things to different people -- and I don't want to overplay the significance of my use of the word.
LVL 18

Expert Comment

ID: 22619924
Secure means tamperproof. It's not difficult to design a simple login system in Access but you're already logged into a domain, the user is already identified. You have no real way to protect the table from a user. You might want check this question for discussion of a similar topic:


Author Comment

ID: 22629369
Thanks Jim.
I definitely gave you the wrong impression if you're thinking tamperproof.  I guess my goal here is not so much to completely lock the thing down (I know that there's always someone somewhere who'll be able to defeat what we come up with) as it is to excercise a reasonable amount of control over the process.

I really just want a way to be able to say to the auditors thaht we have exercised reasonable control to be sure that only the clerk was able to do the clerk portion of the workflow, and only the manager can approve the manager portion of the workflow.  

That's where I was coming up with the basic ID/password - logging type 'security' function.

So my question is still this...  is Access really the right tool for this job?
LVL 18

Accepted Solution

jmoss111 earned 250 total points
ID: 22629725
If your SOX auditors can live with it and you can live with it then it's the right tool for you. I just wanted you to know all the ins and outs and that Access can't be locked down and you can say with 100% certainty that the system can't be compromised, like you could with other database products.

My main client is very sensitive in security matters; and it's forced me to become more conscious also.



Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Omit After Update event 5 46
Access Query function 4 51
Converting Access 2016 from 32-bit to 64-bit 8 62
What are the recommended security measures to put in place? 19 92
Describes a method of obtaining an object variable to an already running instance of Microsoft Access so that it can be controlled via automation.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
In Microsoft Access, learn how to “cascade” or have the displayed data of one combo control depend upon what’s entered in another. Base the dependent combo on a query for its row source: Add a reference to the first combo on the form as criteria i…
In Microsoft Access, when working with VBA, learn some techniques for writing readable and easily maintained code.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question