AutomateMyOffice
asked on
How to perform record lookup in a secure/encrypted MS Access or SQL Server table, keeping full table hidden?
I have a large list of client companies whose names must be protected. Each company is associated with a unique numeric code. I need to be able to enter a single code and obtain the company name connected with it, without allowing the entire list to be accessible for viewing or copying -- even if the user had access to the back end database file.
That is, I might know that code 1357 is for company Acme Superior Industries, Inc., but I don't want to type in that long name, but rather just the four-digit code. Acme's long name will then populate a text box on my form, confirming that I used the right code, but I will only ever see the names of companies for which I have valid codes. The important thing is that the user have no way to obtain the full table of names. The front end will be MS Access, and the back end, with the company table, could be Access or SQL Server. Any ideas? Thanks.
That is, I might know that code 1357 is for company Acme Superior Industries, Inc., but I don't want to type in that long name, but rather just the four-digit code. Acme's long name will then populate a text box on my form, confirming that I used the right code, but I will only ever see the names of companies for which I have valid codes. The important thing is that the user have no way to obtain the full table of names. The front end will be MS Access, and the back end, with the company table, could be Access or SQL Server. Any ideas? Thanks.
If you're thinking that forcing people to type in a four digit number is sufficient protection, you are mistaken. The numbers would have to be much longer and randomly assigned so that simply typing in a number is unlikely to produce a valid hit. Even longer numbers won't work if they are sequentially assigned. People can just type in numbers near one that they know.
What determines if a person has access to a particular company record?
What determines if a person has access to a particular company record?
ASKER
Thank you for your replies. My concern is with one thing: Preventing a user from viewing or copying the entire table of client company names at once. I am not at all concerned with preventing individual names from being displayed or with someone guessing a few codes.
I could implement the lookup very easily in MS Access, but normally the linked table is fully exposed and can be displayed and copied out to, say, Excel, in its entirety. I am looking for a way to submit a single code and obtain a single name in return, but the table itself should be encrypted or protected in some way as to not allow the entire table to be accessible through an unfiltered SQL SELECT statement, browsing linked tables, or opening the back-end database.
Is there possibly a way to set up a view or stored procedure or something in SQL Server that would only return single records from an encrypted secure table?
I could implement the lookup very easily in MS Access, but normally the linked table is fully exposed and can be displayed and copied out to, say, Excel, in its entirety. I am looking for a way to submit a single code and obtain a single name in return, but the table itself should be encrypted or protected in some way as to not allow the entire table to be accessible through an unfiltered SQL SELECT statement, browsing linked tables, or opening the back-end database.
Is there possibly a way to set up a view or stored procedure or something in SQL Server that would only return single records from an encrypted secure table?
In Sql Server you can use different users, view procedures and functions to implement it.
For example, a user will able to execute the procedure and put a number as input parameter. The procedure will return the name.
But the user will have access to the table with clients and will not able to view or query it.
In MS Access as far as I remember there is no way to prevent access to particular data. All or nothing.
For example, a user will able to execute the procedure and put a number as input parameter. The procedure will return the name.
But the user will have access to the table with clients and will not able to view or query it.
In MS Access as far as I remember there is no way to prevent access to particular data. All or nothing.
<<Thank you for your replies. My concern is with one thing: Preventing a user from viewing or copying the entire table of client company names at once. I am not at all concerned with preventing individual names from being displayed or with someone guessing a few codes.>>
SQL would be the best choice, but you can protect an Access database with directory permissions. In doing so, no one can get to the data without going through your app (because they would not know the location). Admins could get to it though.
You'd distribute the app as an .accde (no source code), and put in a check that it is starting in run-time mode so no one can get to the tabledefs to get the location of the tables.
Jim.
SQL would be the best choice, but you can protect an Access database with directory permissions. In doing so, no one can get to the data without going through your app (because they would not know the location). Admins could get to it though.
You'd distribute the app as an .accde (no source code), and put in a check that it is starting in run-time mode so no one can get to the tabledefs to get the location of the tables.
Jim.
ASKER
I think I would like to try a SQL Server stored procedure, as recommended by Alexander and Jim -- but I will need a little assistance in how to go about it. Does anyone know of some sample code (or a description of the process) that might get me headed in the right direction? Thanks very much.
This question needs an answer!
Become an EE member today
7 DAY FREE TRIALMembers can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
They type in the code, and then you set the name control.
Jim.