Add an API for Security - Including IT Governance issues in the security envelope
In losing Desktop Jet ULS security (which was poorly implemented anyway), the security baby was thrown out with the bath water. It needs to be brought back! Integrate security groups with Active Directory, and store the security within an internally encrypted section of the database file, using a key separate from the database password/encryption key. This security needs to include such things as permission to create a new database, permission to copy/export data, table access and field-level access controls, permission to cut/paste data. These security options should be able to be respected across WAN/SharePoint/AWA scenarios as well as desktop/thick client access scenarios. (That part may be too tall an order, but it's worth asking for, at least.) Like the Data macros, these security settings would need to be respected and enforced at the DATABASE ENGINE level (inside ACE).
Mark Burns commented
Yes, many of us have done things like that over the decades, but the real problem is that anybody can bypass all that security by simply opening up a DAO connection in VBScript and doing whatever they want to the database - since there is no security that extends from within the database engine! This is the real problem here - and it is one that cries out for serious changes to the ACE engine to be extended (along with the database file's 2GB size limits which date back to limits from the early FAT filesystem and 32-bit address space limitations that haven't really been applicable for 20 years, but I digress).
PJ Bryant commented
This is something I have done on most projects for a couple of decades. I use an API call to Active Directory to get a list of Group Membership, and use custom groups in AD to control who can do what in the app. Works a treat, and keeps AD Managers happy as we use an app-specific container and group names to achieve the results. I spoke on this at the UKAUG group a couple of years ago - slides and demo code here: http://www.corylus-business.co.uk/UKAUG/May%202015.html
Like this quite a bit, but I ran out of votes on page 7??? and this is on page 19.
Adrian Bell (MVP) commented
Votes are hard to come by as so many are tied up with so many other ideas that have been waiting a long time to get reviewed.
That said, I like the idea that security can be linked with AD. Even without a domain, Windows users have to sign in to a PC.
I can't say if this might cause some serious difficulties to implement, but I haven't thought of any myself, so maybe no obvious ones.
I like the idea.
Frank Rotolo commented
I am very surprised that this idea has not received more votes, and is not being reviewed by the Access Team at MS. This is a very important feature, and the main reason most corporate IT managers do not approve the use of Access! Yet ironically, Excel is widely used by corporate, despite the fact that it's very easy to crack the password protection.