I'm trying to create a link between MS Access and a remote Informix db.
The Access db will be used for generating reports/views etc with the data from the linked Informix db.
I have setup a DSN for the Informix DB and can connect to it.
Using the MS Access 2016 GUI I can select to create a link via the external data tab. However, I need to make sure that this is a read only link. It is imperative that any changes made (either on purpose or accident) in the linked access db do not filter back.
One option I have considered was contacting the Informix DBA to make sure my account is read only. Unfortunately, this is not possible, so I wonder if there is some other approach I can take?
Informix ODBC doesn't support SQL_ACCESS_MODE and as far as I know, there is no option that would make a 'read-only' connection.
You can ask our DBA to create a view on the table and restrict access on just that view (e.g. only have the 'SELECT' permission on it). Then use that view as the source for your linked table.
A second option would be to not have a linked table, just import the data from the source.
There are several things you can do to create a read-only connection.
The most secure way, in general, is to create a user that only has read access, and use that user for your DSN (also fixes the issue that DSN information is publicly available in Access and might be reused.
Another way is to set SQL_ACCESS_MODE to 1 (=SQL_MODE_READ_ONLY) in your DSN file, which creates a read-only connection on supported databases. However, a tech-savvy user can just change that value, so this doesn't add the security the first way provides.
Best safest solution is for the Informix DBA to create a new user for your Access front end with GRANT SELECT permissions only for the tables your application will be querying.
Related
I am working on an Access database that has linked tables to a DB2 database via DSN ODBC connection.
All of the tables use the same System DSN since they're both in the same DB2 database. To get one group of tables, I use the system DSN "A" with one userid and password, and for the other group of tables, I use the same system DSN "A" as in the first group of tables, but with another userid and password.
This wrecked havoc in Access since if I open a table from the first group, it would cache the credentials and then if i tried to open a table from the second group without restarting Access, it would throw an Invalid credentials/username error.
Using this answer I was able to work my way around it: I created two different System DSN ODBC connections, one for each group of tables. This allows me to open the tables from either group without authorization errors in the same session (e.g. wihtout having to restart Access).
I was wondering, if there's a way in Windows 10 and Office 365 (via vba, AutoExec macro, changing the registry, policies, etc.) to change the default behaviour of CurrentProject.AccessConnection.Properties("Cache Authentication") from True to False
This property is readonly once the database is opened.
So another thought I had is: if you open a remote database with the cache authentication set to False and add it to your workspace in another database, can you run queries via DAO in VBA in that "remote" database?
For example: Database "A" has all of the linked tables to DB2. From another database "B" I open Database "A" and add it to Database "B"'s workspace with Cache Authentication set to false (<- is this possible?) vía OpenConnection? or OpenDatabase. Once Database "A" is opened from Database "B", would I be able to run on-the-fly queries (meaning no stored proc) in database "B" using VBA referencing the linked tables in Database "A"?
UPDATE
According to Access 2003 VBA Programmer's Reference p.556 one can't specify advanced options using OpenConnection
This question has been asked before several times:
Access Caching ODBC connection settings
Clearing Access Cache
How can I force Access to change the user-name and password for a DSN less ODBC connection?
Forcing Access to forget a username and password for a linked table
Unfortunately, I am not aware this is possible.
You could however adopt (and should) adopt DSN less connections. This would thus eliminate the need to use a DSN. (the are a pain these days - especially with locked down machines). And this would allow you to change the logon/uid without having to re-link.
However, you STILL will quite much need two sets of tables if you need to get at both databases at the same time. You could also re-run the link code, but no doubt you been avoiding the re-link, and you want to just swap the DSN.
So, you CAN switch user/pass without a re-link. However, if you need to switch the database your pointing to? No way around this - you have to re-link the tables.
So, with JUST one set of linked tables, you can logon again (with different user/id), but to switch the database you pointing to, you have to re-link.
And no, you can't clear the password cache unless you exit, and re-load access.
I have a SQL Server database that we are trying to make read-only for everyone except one user. I already went to properties>options>Database read-only = true and set the entire DB to read-only. Now we are finding that one program updates this DB and will not work correctly without being able to do so. Is there a way to leave the whole DB read-only and just grant write to this one single "user"? SQL server 2008 using SSMS 2017.
No, a database that is read-only cannot be written to by any user. You're best solution would be to give read only permissions to all users except this app.
I am not sure what the correct forum is for a question like this, so if it would go better on a different one could you move it there please?
I have split my database into a front and back-end database. The front end is using linked tables which are linked to the back-end real tables. If a user changes something in a table on the front-end database, the changes are carried over to the backend database.
Why is this and how can I prevent this from happening? Is there a way to change the settings to make the database read only? Whether it's through VBA or not, I would accept either answer.
That's a feature, not a bug. You're using a linked table, it's linked.
If you want a separate table, make a separate table, and make some ETL (extract/transform/load) process to keep the two tables in sync as needed, accordingly with whatever business rules you need to implement.
If your Access DB is connecting to SQL Server via SQL authentication, you could have the SQL user on the SQL Server side only authorized to SELECT, and denied UPDATE, DELETE and INSERT permissions. Expect errors on the Access side when the linked table is modified then.
I need to be able to restrict access to a specific columns in my database.
The user cannot make a SQL view of columns A and D or C and D but are allowed to for B and D.
Any suggestions and help would be greatly appreciated.
The Access Database Engine is not designed to manage security in the way that you have described*. You could restrict access to certain items at the application level, but users would still be able to open the back-end database file directly and see things that you apparently don't want them to see.
If this sort of security really is important then you should use a client/server back-end database and set permissions on various objects at the database level. For example, any edition of Microsoft SQL Server, even the Express Edition, can do this.
*(The older Access .mdb database format supported user-level security, but that security model has been deprecated.)
As a general approach for relational databases, I would just suggest a view creation (which would contain only columns available for particular users) and then just allowing access to the views and forbidding access to the tables.
I just came across the concept of SYNONYM in a database. By reading this: http://msdn.microsoft.com/en-us/library/ms187552.aspx
and this What is the use of SYNONYM in SQL Server 2008? I figure out the purposse of synonym.
however, I still don't understand a little step in real process of creating a synonym for a remote table. I have search the web, but generally the instruction mainly focus on SQL syntax(for example this one:http://www.oninit.com/manual/informix/english/docs/dbdk/is40/sqls/02cr_prc8.html). And I find none of the guidance mention the authentication part when creating a synonym for remote table. I guess a database can't just let anyone make a synonym then get the access to its tables?
so I curious how the target remote table's database can know if the synonym reference accessing its table is legal?
The answer to your question is going to depend a lot on what database platform you are using to contain the synonym; in your question, you referenced documentation from at least two (SQL Server and Informix). I don't know much about Informix, but I'm going to assume that it's security model is different than SQL Server.
For SQL Server, the remote server must be set up as a linked server first (assuming that you are using a remote object). See http://technet.microsoft.com/en-us/library/ms188279.aspx for details on how to do that.
From CREATE SYNONYM:
You do not need permission on the base object to successfully compile the CREATE SYNONYM statement, because all permission checking on the base object is deferred until run time.
That is, there's no security issues around synonyms, because the permissions checks take place when the synonym is used, and the permission checks are based on the real object, not the synonym.