Use of MS Access back end with VB.NET front end
From: Alan Cossey (alanXYXYXY_at_cossey58.freeserve.co.uk.XYXYZYZY)
Date: 04/21/04
- Next message: JKnight: "Giving windows-based app execute permission"
- Previous message: karendavis_at_optonline.net: "My new nipple and vagina piercings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 Apr 2004 10:33:02 +0100
I am looking at using an Access database on a PC to hold data which will be
handled via a VB.NET front end and I am not sure about some of the security
aspects.
With an Access front end it is possible to use so-called "Run With Owner
Permission" queries which have run permissions that are based on those of
the owner/creator of that query, rather than having to use the user's own
permissions on the underlying table. Within a pure Access application, it is
also possible to stop users running these queries except when they have been
called from an Access form. This is done by putting a VBA function in the
query which checks where it is being called from (using CurrentObjectType).
I am looking for something similar to use with VB.NET. However, as far as I
can see, if the VB.NET app calls the RWOP query in the Access database,
there is not much you can do to stop them calling the RWOP query themselves,
e.g. from their own Access front end. My question is:
How to I stop users from running queries or accessing tables in the Access
back end while still giving my VB.NET "front end" sufficient access, please?
When I do Access apps that require reasonable security I develop using one
MDW file, but do not allow users to use this. Instead they use the default
system.mdw file. Users, therefore, enter the app as the Admin user from
system.mdw and the app then checks their Windows ID or prompts for an
ID/password to be used by code to specify which parts of the app they can
access.
The problem seems to be that if I am using user-level security for the
Access database, VB.NET requires a user ID and password for this that also
requires the existence of - and physical access to - an MDW file with those
details in. This is where the security hole appears to be. As many Access
developers know, if a user has physical access to a .mdw file, there are
tools around that will let them see all groups, ID's and passwords in that
.mdw file. (I also know that it is possible for some people to break into a
.mdb file even without the developer's .mdw file, but if people are that
desperate to get into my app, well, they need to get a life.) The level of
sensitivity of the
data is such that I need "only" to stop people running RWOP queries that
they shouldn't be running or accessing tables directly.
The best I can think of is to give users access to the developer's .mdw
file, but give it a non-standard name, e.g. MyPretendName.dll, and try and
hide it somewhere on the user's PC other than in the application's own
folder, in which case I then need to find a way of deploying it there and I
haven't got that far in my understanding of .NET application deployment to
be able to do that. It doesn't appear a very robust way to do it either.
Any help would be much appreciated.
Alan Cossey
PS Using SQL Server or the like on the PC is not an option.
- Next message: JKnight: "Giving windows-based app execute permission"
- Previous message: karendavis_at_optonline.net: "My new nipple and vagina piercings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
