kenferrell

Access 2003 appropriate for very simple (but secure) workflow system?

For SOX compliance I have been told that our method of registering prices in our purchasing database is insecure. Here's the current process, handled in Excel. We have about 5 Buyers, two managers, and one clerk, and this process is repeated at most 10 times in any given day (and never simultaneously).

1) Buyer creates a data-entry form in Excel and includes as an OLE object a .pdf scan of the quote. Relevant data (price, part number, etc.) is entered. Buyer types name as initiator and uses the "routing" function of Excel to send to Management.

2) Management opens the pdf file and confirms that the quote data is accurate and approves. Manager types name as 'approval' and uses the routing function to send to clerk.

3) Clerk enters data from the form into the purchasing system.  Clerk then types name and sends the file back to Buyer using routing.

4) Buyer compares the data on the request form to the data in the purchasing system for data-entry errors.  Buyer types name on the form and routes back to clerk for filing.

5) Clerk files the digital copy in a shared folder, as well as a hard copy in file folder.

Only the clerk has access to the data entry screen in the main purchasing system, but we've been asked to avoid the possibility of the clerk completing the whole registration process by forging signatures. I would like to create a simple workflow system that assigns users a password and allows them to actually "approve" the form as it goes through the process. I don't need anything super-robust; we're talking more here about showing an ounce of protection in case the auditors notice the possibility of a clerk forging the whole process. Best would be the buyer enters the data into the form, chooses the appropriate manager and clerk, and hits a button. Ideally, emails would be sent in turn to the user when their input is needed, and the application would allow the final process to be printed, searched and stored at a central location.

So the questions:
Is Access the best vehicle to develop this solution?  Are there add-ons to simplify the development? Is a third-party solution a better choice?  Note: we do not have access to any back-end server capabilities, so the solution must be able to run from each individual work station.

Thanks for any advice.
jmoss111
If you require security, then you need another backend database. SQL Server or SQL Server Express (free) would be a good place to start. Is your network a workgroup or are you on a domain?

Jim
kenferrell

ASKER

Thanks for the response. The network is a domain -- we're one small section in a huge organization. We don't have a stand-alone machine that could host a backend database, either... As for security, all I'm really looking to do is have a simple password process that 'verifies' the user. The security doesn't really need to be 'hack-proof' as the risk of that is small enough to be ignored. We just want to be able to say to the auditor that we require a password before a manager could approve the workflow process.

jmoss111

If it's a small workgroup all that you need is a vacant workstation to host SQL Server Express, and it wouldn't have to be that powerful. XP pro and a couple of gigs of RAM and you're set. I think that you can have up to 10 connections to XP Pro.

You could use Access but it's not secure. So it fails the first criterion of the test...

Jim
kenferrell

ASKER

Thanks. We're a small group, but it's not a small workgroup. Adding another workstation is not in the scope of the project. When you say Access is not secure, are you saying that it would be impossible to design a simple "user log-in" system? "Secure" means different things to different people -- and I don't want to overplay the significance of my use of the word.

jmoss111

Secure means tamperproof. It's not difficult to design a simple login system in Access but you're already logged into a domain, the user is already identified. You have no real way to protect the table from a user. You might want to check this question for discussion of a similar topic:

https://www.experts-exchange.com/questions/23765083/Converting-DB-from-Access-2003-to-2007-AND-adding-login-ability.html

Jim
kenferrell

ASKER

Thanks Jim.
I definitely gave you the wrong impression if you're thinking tamperproof. I guess my goal here is not so much to completely lock the thing down (I know that there's always someone somewhere who'll be able to defeat what we come up with) as it is to exercise a reasonable amount of control over the process.

I really just want a way to be able to say to the auditors that we have exercised reasonable control to be sure that only the clerk was able to do the clerk portion of the workflow, and only the manager can approve the manager portion of the workflow.

That's where I was coming up with the basic ID/password - logging type 'security' function.

So my question is still this...  is Access really the right tool for this job?
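
The control discussed in this thread, as an added example that is not code from any participant: steps 1-4 of the process are modelled as an ordered sign-off chain in which each step accepts only a user holding the required role, and identity is taken from the OS login session instead of a typed name. The user names, the `ROLES` table and the `PriceRequest` class are constructed for illustration; the checks only hold while users cannot write to the underlying store directly, which is the limitation raised above for a table users can open.

```python
import getpass
from dataclasses import dataclass, field

# Constructed role table (assumption): in practice derived from domain groups.
ROLES = {"bsmith": "buyer", "akhan": "buyer", "mjones": "manager", "cdoe": "clerk"}

# Steps 1-4 from the question, in order, with the role allowed to sign each.
STEPS = [("initiate", "buyer"), ("approve", "manager"),
         ("enter", "clerk"), ("verify", "buyer")]


class WorkflowError(Exception):
    """Raised when a sign-off is out of order or made by the wrong person."""


@dataclass
class PriceRequest:
    part_number: str
    price: str
    signoffs: list = field(default_factory=list)  # [(step, user), ...]

    def sign(self, step, user=None):
        """Record one sign-off; return True once all four steps are signed."""
        # Default identity is the logged-in account, never a name typed on the
        # form. The explicit argument exists so the checks can be exercised.
        user = user or getpass.getuser()
        if len(self.signoffs) >= len(STEPS):
            raise WorkflowError("request is already complete")
        expected_step, required_role = STEPS[len(self.signoffs)]
        if step != expected_step:
            raise WorkflowError(f"next step is {expected_step!r}, not {step!r}")
        if ROLES.get(user) != required_role:
            raise WorkflowError(f"{user!r} does not hold role {required_role!r}")
        # Step 4 goes back to the buyer who started the request.
        if step == "verify" and user != self.signoffs[0][1]:
            raise WorkflowError("verification must be done by the initiating buyer")
        self.signoffs.append((step, user))
        return len(self.signoffs) == len(STEPS)
```
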
ASKER CERTIFIED SOLUTION
jmoss111