Results 1 to 7 of 7

Bypass (Shift) key not disabled

  1. #1
    skydivetom is offline Advanced Beginner
    Windows 8 Access 2010 64bit
    Join Date
    Feb 2019
    Posts
    77

    Bypass (Shift) key not disabled

    Experts:



    Attached is a database with a login form. It goes w/o saying, until user enters valid credentials, no other Access objects (i.e., tables, queries, forms, etc.) should be accessed.

    For demo purposes, please use the following login credentials for the attached demo db:
    Username: John
    Password: password

    Once entered, the login form disappears and the user can proceed to access all Access objects... this works great!

    HOWEVER, if any user presses/holds the SHIFT key prior to opening the db, the login form is bypassed and anyone could, e.g., enter the table object and then change the password. Naturally, this needs to be prevented!

    Now, I have come across multiple postings that refer to "disabling the shift key" via adding a module that overwrites the "AllowBypassKey" property. In the attached example, I added a module as illustrated by the Microsoft support site (https://support.microsoft.com/en-us/...ss-database-pr). Still, when I press/hold the Shift key prior to opening the database, I still can get to the tables objects where anyone, again, could change the passwords.

    What am I missing? How can I enforce this security level so that no one can get to the Access objects unless they enter a proper username/password (with or without holding down the Shift key)?

    Thank you,
    EEH
    Attached Files Attached Files

  2. #2
    Ajax is offline VIP
    Windows 10 Access 2010 32bit
    Join Date
    Mar 2015
    Posts
    7,082
    your code is there - but have you run it? go to the module, select a line of code and hit F5, then close your app and reopen it to test

    Not sure what the benefit is if users are still allowed to access all objects

    Note that there are plenty of ways to get round the disabled bypass key - including just setting the property to true again

  3. #3
    skydivetom is offline Advanced Beginner
    Windows 8 Access 2010 64bit
    Join Date
    Feb 2019
    Posts
    77
    Ajax:

    Great... no, I didn't run it. It appears that's working now.

    And, yes, users can have access to the objects. However, if you have a recommendation for "admin access" vs. "user access" (e.g., small sample db), I am totally open to your recommendations.

    Thanks,
    EEH

  4. #4
    skydivetom is offline Advanced Beginner
    Windows 8 Access 2010 64bit
    Join Date
    Feb 2019
    Posts
    77
    Ajax:

    Great... no, I didn't run it. It appears that's working now.

    And, yes, users can have access to the objects. However, if you have a recommendation for "admin access" vs. "user access" (e.g., small sample db), I am totally open to your recommendations.

    Thanks,
    EEH

  5. #5
    Ajax is offline VIP
    Windows 10 Access 2010 32bit
    Join Date
    Mar 2015
    Posts
    7,082
    no - don't have an example because it is a wide ranging subject. But recommend before you get in too deep you need to develop a security policy to ensure you don't have major rewrites later on. A security policy basically identifies what you want to protect, from who, from doing what. Then identify and implement by what means you plan to prevent this from happening

    this might incorporate a backup strategy, user access and usability among other things.

    for example GDPR - in the UK there is a wide ranging requirement to protect personal data - this might be by preventing unauthorised user access, using a non disclosing ID key, hashing certain fields so only users who have the hash key are able to view the actual contents, etc

    perhaps you don't want sales people to leave in a huff and take all the company customer data. So you limit them to just their data, prevent them from copy/pasting or printing long reports - but not to the extent they can't do their job. You might even need to disable screenshots.

    perhaps you want to protect your code. You have multiple developers so you need a code vault to ensure versioning is kept current. For users you provide a .accde FE rather than a .accdb

    or perhaps you have some sophisticated users who are not above practising the sql injection techniques to mess around with your data

    etc.

    You have mentioned you have multiple users so it is vital that the db is split - tables only in the BE (back end), queries/forms/reports/code in the FE (front end) and each user has their own copy of the FE on their local machine, whilst the BE is stored on the server. If you don't do this (MS recommended practice) I can guarantee your file will become corrupted and you will need to revert to a backup

  6. #6
    skydivetom is offline Advanced Beginner
    Windows 8 Access 2010 64bit
    Join Date
    Feb 2019
    Posts
    77
    Ajax:

    Great... no, I didn't run it. It appears that's working now.

    And, yes, users can have access to the objects. However, if you have a recommendation for "admin access" vs. "user access" (e.g., small sample db), I am totally open to your recommendations.

    Thanks,
    EEH

  7. #7
    skydivetom is offline Advanced Beginner
    Windows 8 Access 2010 64bit
    Join Date
    Feb 2019
    Posts
    77
    Ajax:

    Your recommendations make total sense. I'll make sure to integrate your recommendation into the development.

    Again, thanks!
    EEH

Please reply to this thread with any new information or opinions.

Similar Threads

  1. Replies: 2
    Last Post: 09-15-2017, 10:53 AM
  2. Cannot open database app in "bypass" mode
    By Paul H in forum Access
    Replies: 11
    Last Post: 05-11-2017, 02:20 PM
  3. Replies: 1
    Last Post: 09-07-2015, 08:00 AM
  4. Replies: 1
    Last Post: 04-12-2013, 07:56 AM
  5. Replies: 2
    Last Post: 03-23-2012, 05:09 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Tech Forums: Microsoft Office Forums