
Re: Limited user account with Accounting 2007 Express


Jesper [MS]

Nov 28, 2006, 2:53:00 PM
Hi Matt

We have designed Office Accounting to be able to run all functions with a
limited Windows user account. The specific problem you're reporting here
sounds like it's just that the user doesn't have access to the particular
sbc-file you have created. It is not really related to Office Accounting but
just the way Windows access works.
You need to create or copy the file to a location that this user has access
to.
But note that in the Express edition you don't have the ability to add and
manage other users so the other user won't be able to open the company
anyway. Only one user is possible in the Express edition.

I would recommend that you find a user that you elevate to Windows
administrator and let that user install - the user that installs will always
have access to everything in Office Accounting regardless of the user's
Windows role.
So after installing you can then change the user to a normal low-rights user
again and the user should still be able to create companies etc. Technically
this is because we assign the user who installs the "SysAdmin" role in SQL
Express.


--
Thanks
Jesper
http://blogs.msdn.com/jesperbirkolsen/


"Matt" <Ma...@discussions.microsoft.com> wrote in message
news:689C21A8-D980-474A...@microsoft.com...
> I have been searching for an answer and haven't found it yet. I understand
> the need for an administrator to install Office Accounting 2007 Express. I
> also understand the need for an administrator to create a company. But what
> I don't see is how a limited user account can access that company file. I
> get the typical access is denied type of error when I try to browse to the
> company file. Even changing file permissions does not help.
>
> So the question is:
> Can a limited user account be used to run Office Accounting 2007 Express if
> an administrator is first used to create a company? If so, how? It seems
> like a common catch 22 scenario. You need to be an admin to create a company
> but the files created are inaccessible to limited users. I've read somewhere
> else that limited user accounts can be granted access only in the
> Professional version. Is this true?


Jesper [MS]

Nov 28, 2006, 4:16:24 PM
Hi Matt
Thanks for your feedback.
As mentioned then the only time you need to run as a Windows administrator
is when you install the program. After that you can use all features as a
normal Windows user. Accessing the "company-file" is a matter of Windows
security and you need to place the file in a location that the user can
access.
You don't mention what OS you're running on but if you are running on Vista
then you will be elevated using the Vista elevation-of-privileges
functionality during install time and won't even need the workaround I
mentioned below.


"Matt" <Ma...@discussions.microsoft.com> wrote in message

news:23D2F945-5CF1-4F38...@microsoft.com...
> Thanks Jesper.
>
> I'm not sure how you can say that MS has "designed Office Accounting to be
> able to run all functions with a limited Windows user account" if I must
> first elevate the privileges of the account in order to even open a company
> file. Moving the file to a shared area and adjusting file permissions does
> not work. The workaround you give seems to be the only way to do it. Not
> exactly user friendly for a company who is supposed to be leading by example
> when it comes to writing programs that operate under least privilege. I
> don't know how you can expect non-technical users to ever end up running
> under LUA if you keep making us jump through so many hoops.
>
> Perhaps MS should spend some time re-reading Aaron Margosis' weblog. I'm
> sure that he would agree with me that this should be classified as a "LUA
> Bug". Is there somewhere that I can log this issue for consideration to be
> fixed?


Matt

Nov 28, 2006, 9:39:00 PM
Jesper,

I am running Windows XP Pro with SP2. I disagree that the only time you need
to run as an administrator is when you install the program. You also need to
run as an administrator when you create a company file. But that would be ok
if you could simply save the company file so that a limited user can access
it. It seems that simply changing NTFS file permissions is not enough. The
user who is going to use the created company file must also be an
administrator or temporarily have their rights raised so that they can create
their own file. This is not an acceptable practice and would not even pass
Microsoft's own "designed for XP" logo requirements.
I've read that this is "fixed" in the professional version by providing
more granular security control but that just leaves Express users out in the
cold when it comes to real security. After all, which is more dangerous:
forcing users to run as admin to use a simple accounting program, or allowing
a limited user to create a company file? I believe that not only is the
former more dangerous but is also against Microsoft's own guidelines.

As for Vista I fail to see the relevance. People will be running this
program primarily on XP for many years. The fact that Vista allows
non-compliant programming practices to pass does not say much for the new
security model. After all, Vista should be reinforcing the idea of
programming for least privilege. Not allowing it to be easily sidestepped.

Matt

Nov 28, 2006, 11:32:02 PM
OK, I hate to belabor this issue but after more research I'm beginning to
understand what's going on. The company "file" itself is really not the
issue. It simply contains the database connection info formatted much like an
.ini file. Having read-only access to this file should be sufficient. The
real issue is one of database roles and permissions within SQL Server. All of
the application security is implemented within the SQL Server security
features.

When an admin creates the company he/she becomes the database owner and is
the only user given appropriate permissions in SQL server to access the
database. Another user can only access the database if given the right to do
so by an administrator (regardless of whether or not they are an admin or
limited user). Since the Express edition does not provide a way to give
another user access and the only way to get access in the first place is to
be an administrator, it follows that limited user accounts cannot access ANY
features of Accounting 2007 Express without jumping through hoops.

Two workarounds are as follows:

1) Temporarily give the limited user admin rights to create the company.
However, this could create other issues when the user is reverted back to a
limited user status. Would the limited user even be able to backup the
database? What are the implications of having a limited user listed as the
owner for a database? Could database upgrades be performed without raising
the limited user's rights again sometime in the future?

2) Download SQL Server Management Studio Express and manually give the
limited user access to the database. This can be done by adding the
associated user and assigning them a role like "Accountant".

Option #2 appears to be the best approach, especially since this is the
method used by the Professional edition. A simple fix would have been to
include the security management features found in the Professional edition
within the Express edition.

Either way the issue stands as reported. The Express edition doesn't allow
limited users to use the software at all without resorting to undocumented
workarounds. This is against the Microsoft Designed for Windows XP
Guidelines.
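
Workaround 2 from the post above, written out as T-SQL, together with a check of who holds the sysadmin role that the installer is said to grant. This is an added example, not part of the original post and not Microsoft's code; the login `WORKSTATION\limiteduser`, the database `SampleCompany` and the role name `Accountant` are placeholders assumed for illustration.

```sql
-- Added example. Placeholders (assumptions, not from the thread):
--   WORKSTATION\limiteduser  the limited Windows account
--   SampleCompany            the company database on the SQL Express instance
--   Accountant               a database role; confirm the real name in step 4
-- Run as a sysadmin, e.g. from sqlcmd or Management Studio Express.
-- GO is the batch separator those tools understand.

-- 1. Audit: which logins hold sysadmin on this instance?
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2. Check the limited account: 1 = sysadmin, 0 = not, NULL = login unknown.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'WORKSTATION\limiteduser') AS is_sysadmin;

-- 3. Create a server login for the Windows account if it has none.
--    No server role is granted here.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'WORKSTATION\limiteduser')
    CREATE LOGIN [WORKSTATION\limiteduser] FROM WINDOWS;
GO

USE [SampleCompany];
GO

-- 4. List the non-fixed roles defined in the company database,
--    so the role name used in step 5 is taken from the database itself.
SELECT name FROM sys.database_principals
WHERE type = 'R' AND is_fixed_role = 0;

-- 5. Map the login to a database user and grant only the database role.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'WORKSTATION\limiteduser')
    CREATE USER [WORKSTATION\limiteduser] FOR LOGIN [WORKSTATION\limiteduser];
EXEC sp_addrolemember N'Accountant', N'WORKSTATION\limiteduser';
GO

-- 6. Verify the resulting role membership for the limited account.
SELECT r.name AS role_name, u.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = drm.member_principal_id
WHERE u.name = N'WORKSTATION\limiteduser';
```

With this grant the limited account's rights stay scoped to one database role, whereas the install-time approach described earlier in the thread leaves the account with sysadmin over the whole instance.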

Jesper [MS]

Nov 29, 2006, 12:53:20 PM
Hi Matt
Just to elaborate a bit on the creating-a-company part;
It really isn't necessary to be Windows Administrator to create a company.
The requirement (that I implemented myself) is that you are SysAdmin on SQL
Server which will ensure that you have the necessary rights to create a
database on the server.
A Windows administrator is always SysAdmin but the reverse is not
necessarily true - you can have the SysAdmin role without being Windows
administrator.
So a low-rights Windows user can create a company just as long as the user
has the SysAdmin role on the server.
That is why we automatically grant the user who installs this SysAdmin role
so that user will always be able to create a company regardless of the
user's Windows role.
Now, on XP this doesn't make much difference for most people since you have
to be Windows administrator to install and therefore already have full
access to everything - but it does mean that if you follow my workaround of
temporarily granting a particular user Windows admin rights when installing,
the user will still be able to create companies later even when you lower
the Windows rights again (because the low-rights user was made SysAdmin
during install).
The big difference is on Vista where you never run as Windows administrator
and we therefore had to make sure all features work for low-rights users.
On Vista you will see that a low-rights user that tries to install the
product (or most other products) is asked for an administrator password (or
asked to confirm if already an administrator) and then granted SysAdmin
during install.
This means that the user will later be able to create companies even when
not running as administrator.

Hope that explains the access story that we have implemented.


"Matt" <Ma...@discussions.microsoft.com> wrote in message

news:55A01775-4302-4877...@microsoft.com...

Jesper [MS]

Nov 30, 2006, 7:45:24 PM
Hi Matt
I don't know what problem you're referring to.
You don't need to be elevated to do anything if you're SysAdmin. And we
assign you SysAdmin during install so it will always work for low-rights
users.
In the professional edition you can add other users and assign them
SysAdmin. Express is not intended for multiple users which is why you don't
see an ability to add other users and grant them access. So no need to use
Management Studio or other tools.


"Matt" <Ma...@discussions.microsoft.com> wrote in message

news:970A45B0-CCAC-41DF...@microsoft.com...
> Well Jesper, that may help explain why it behaves the way it currently does
> but it still doesn't address the issue in question. Does Microsoft intend to
> actually do something about this problem?
>
> Requiring a user to elevate their rights (even temporarily) is clearly not a
> recommended practice. And having to download SQL Server Management Studio
> Express to grant rights to a limited user in the database does not seem
> appropriate for non-technical users.
>
> I find it to be very sad that this issue got through QA. I would find it
> even more disturbing if Microsoft did not consider this to be a valid issue.


Matt

Dec 5, 2006, 11:01:00 AM
Jesper,

The issue I'm referring to is that there is no way within the current
Accounting 2007 Express software to allow a Limited User Account access to a
company. The Professional version can do it and I can download other
utilities that allow me to hack it up. But I can't do it with what gets
installed.

Here is the test. Pretend you are a non-technical user of the product. That
is who the Express edition is aimed at isn't it? Now install the Express
edition on a clean computer. Using nothing other than what comes with the
Express edition, show me how to allow a Limited User to access a company. If
you can't do this without downloading other components or manually jumping
into SQL Server then the product doesn't meet the Windows XP Logo
Requirements.

Unless I'm not understanding you then I think that this is a major issue.

Matt

Jesper [MS]

Dec 5, 2006, 1:05:07 PM
Hi Matt

Express is limited to one user - the user that installs the product. You are
not supposed to be able to grant other users access.
On XP you have to be Windows admin to install due to the limited elevation
support in XP but you can always lower that user's access before running the
program the first time and still perform all tasks in the program (like
create a company).
On Vista the user does not even have to be admin when installing but can be
elevated and will always have full access as a low-rights user.
This is all because the user that installs is granted the necessary access
on the server and therefore can do anything in the program regardless of his
Windows role.

So the only issue in your scenario is that on XP you have to be Windows
admin to install the product (NOT to run it). But this is a normal
requirement for programs that install on a per-machine basis.


"Matt" <Ma...@discussions.microsoft.com> wrote in message

news:B6757CA1-87E8-43D1...@microsoft.com...

Matt

Dec 5, 2006, 2:28:02 PM
Jesper,

You are in complete denial. You are not even listening to yourself. "So the
only issue in your scenario is that on XP you have to be Windows
admin to install the product (NOT to run it)."

You also have to be an admin to RUN IT. Saying that I can reduce my
privileges after install and creation of a company file as an administrator
is NOT acceptable.

1) Express is limited to one user, the user that installs the product.
2) The user that installs the product and creates a company must be an
administrator.
3) It follows that in order to run the product you must then also be an
administrator unless you use unsanctioned methods to raise and lower your
privileges or manipulate the SQL Server roles for the database.
4) If this is the case then the Express Edition does not meet the Windows XP
Logo Requirements.

I understand perfectly what is going on here. Some marketing guru decided to
push an Express edition out the door. But one of the requirements was to only
allow one person to use the product so multi-users would have to upgrade. So
the user management features found in the Professional edition were removed.
But this left a big hole that no one decided to test or think about.

How do I file a bug report on this rather than going through other channels
like Slashdot to get this issue the attention it deserves? I am tired of
going back and forth on this with you. Is there at least someone else I can
discuss this with who is not so close to the product as to have their
perspective tainted?

Matt

P.S. - I haven't tested this on Vista because I don't have a copy available.
But I am concerned that you are not giving me the full story there either.
Running as an administrator with UAC lowering your privileges is not the same
thing as running as a true Limited User. Have you personally tested both ways
and ensured that a true Limited User Account can create a new company?
Doesn't UAC just prompt for admin credentials in the Limited User case and
actually run the company creation as a different user (one with admin
credentials)? If this is the case, don't we end up with the same problem
because the actual Limited User Account does not get added to the SQL Server
roles? Again, I haven't tried it but it sounds fishy to me...

Matt

Nov 28, 2006, 2:26:02 PM

Kollen Glynn [MS]

Dec 7, 2006, 2:50:09 PM
Matt, the Express multiuser experience on XP could be better and we are well
aware of the current shortcomings. Fortunately this scenario works much
better on Vista but I realize that's no consolation and we have been
actively discussing how to make it better for users on XP.

Kollen


"Matt" <Ma...@discussions.microsoft.com> wrote in message

news:22CFB5CA-CB6B-4499...@microsoft.com...

Matt

Dec 7, 2006, 4:46:01 PM
Thank you Kollen. I appreciate the update.

Matt
