Vantage security and ODBC

Maybe you could put a password share on the server mapped Vantage directory?

Rick

"Lepley, Scott A." wrote:

> That's a good point, Troy. One outcome of the issue being raised here has
> been my recognition of the security holes I've created by installing Report
> Builder for various users. I plan to remove Report Builder where necessary.
>
> How would you prevent a user from installing or re-installing Report
> Builder?
>
> Regards,
> Scott
>
> -----Original Message-----
> From: Troy Funte [mailto:tfunte@...]
> Sent: Thursday, February 22, 2001 12:22 PM
> To: vantage@yahoogroups.com
> Subject: Re: [Vantage] Vantage security and ODBC
>
> Incidentally, any user who knows how to create a shortcut could, in theory,
> install report builder on their machine and run it too.
>
> So using Access, although a potential time-bomb, relies on the ignorance of
> the general user. It is the rogue programmer-in-disguise-as-an-engineer
> that will give you headaches.
>
> Troy
> ----- Original Message -----
> From: Lepley, Scott A.
> To: 'vantage@yahoogroups.com'
> Sent: Thursday, February 22, 2001 5:46 AM
> Subject: RE: [Vantage] Vantage security and ODBC
>
> Thanks for the reply, Troy. I understand that allowing data input via ODBC
> would or could bypass validation routines and thereby corrupt the database.
> That type of access is already ruled out in my opinion. However, even if
> the ODBC link were limited to read-only, that doesn't alleviate my concern.
> My concern is regarding just that ability, that of the Access application
> users being able to read the data. It appears that ODBC would allow them to
> see virtually any data, whether they needed to see it or not. If it were
> acceptable for these users to see all data, I would simply install Report
> Builder on their machines to let them access the data that way.


I'm sure this has been discussed previously, but I sure would appreciate it
if some users would be willing to respond again regarding this issue.

The situation here at this company is the following. The Customer Service
Supervisor here is knowledgeable about databases. He is currently
developing a customer service application in Microsoft Access and wishes to
establish connections between Access and Vantage using ODBC functionality.
I am the person responsible for coordinating the company's use of Vantage.
I have no control over the application development. I am uncomfortable
providing this functionality because of security concerns. As far as I
know, if I implement ODBC, it will allow access to all of the Progress
tables, except payroll, and thereby circumvent the access controls
established in Vantage. Everything that I have been able to learn so far
about this issue seems to confirm my concern. If my concern is legitimate,
are there any ways to mitigate this security risk?

Regards,
Scott A. Lepley
Systems Administrator
Mauell Corporation
31 Old Cabin Hollow Road
Dillsburg PA 17019-8815
Phone: 717-432-8686, ext. 14
Fax: 717-432-8688
Email: sal@...



What I've heard on the list before, is that you want Access to have Read only links. Otherwise there is the risk of Access changing Vantage data in a compromising way - meaning there are no checks and balances and data could be corrupted. The SAFEST way to use Access is to import it from an exported file. By linking directly through ODBC, it would be hard, in my opinion to maintain any kind of security on the database. A user could corrupt the database, or have access to confidential information such as payroll stuff.

I'm no expert, but these are some of the things I've heard. There are probably others on the list who could give you more detail.

Troy Funte
Liberty Electronics
----- Original Message -----
From: Lepley, Scott A.
To: Vantage YahooGroup (E-mail)
Cc: O'Rourke, Kevin P.
Sent: Wednesday, February 21, 2001 4:45 PM
Subject: [Vantage] Vantage security and ODBC


I'm sure this has been discussed previously, but I sure would appreciate it
if some users would be willing to respond again regarding this issue.

The situation here at this company is the following. The Customer Service
Supervisor here is knowledgeable about databases. He is currently
developing a customer service application in Microsoft Access and wishes to
establish connections between Access and Vantage using ODBC functionality.
I am the person responsible for coordinating the company's use of Vantage.
I have no control over the application development. I am uncomfortable
providing this functionality because of security concerns. As far as I
know, if I implement ODBC, it will allow access to all of the Progress
tables, except payroll, and thereby circumvent the access controls
established in Vantage. Everything that I have been able to learn so far
about this issue seems to confirm my concern. If my concern is legitimate,
are there any ways to mitigate this security risk?

Regards,
Scott A. Lepley
Systems Administrator
Mauell Corporation
31 Old Cabin Hollow Road
Dillsburg PA 17019-8815
Phone: 717-432-8686, ext. 14
Fax: 717-432-8688
Email: sal@...



The whole database is wide open with ODBC including payroll. Also
consider that v5 installs odbc by default on each workstation
like it or not. All they need is the host name, database name
and the port number. That info is easy to get. So really any user
anywhere can use ODBC and get at payroll or any other table.

That said... I'm very glad ODBC access is there and fortunately
none of our users know anything about ODBC.

Troy Funte wrote:
>
> What I've heard on the list before, is that you want Access to have Read only links. Otherwise there is the risk of Access changing Vantage data in a compromising way - meaning there are no checks and balances and data could be corrupted. The SAFEST way to use Access is to import it from an exported file. By linking directly through ODBC, it would be hard, in my opinion to maintain any kind of security on the database. A user could corrupt the database, or have access to confidential information such as payroll stuff.
>
> I'm no expert, but these are some of the things I've heard. There are probably others on the list who could give you more detail.
>
> Troy Funte
> Liberty Electronics
> ----- Original Message -----
> From: Lepley, Scott A.
> To: Vantage YahooGroup (E-mail)
> Cc: O'Rourke, Kevin P.
> Sent: Wednesday, February 21, 2001 4:45 PM
> Subject: [Vantage] Vantage security and ODBC
>
> I'm sure this has been discussed previously, but I sure would appreciate it
> if some users would be willing to respond again regarding this issue.
>
> The situation here at this company is the following. The Customer Service
> Supervisor here is knowledgeable about databases. He is currently
> developing a customer service application in Microsoft Access and wishes to
> establish connections between Access and Vantage using ODBC functionality.
> I am the person responsible for coordinating the company's use of Vantage.
> I have no control over the application development. I am uncomfortable
> providing this functionality because of security concerns. As far as I
> know, if I implement ODBC, it will allow access to all of the Progress
> tables, except payroll, and thereby circumvent the access controls
> established in Vantage. Everything that I have been able to learn so far
> about this issue seems to confirm my concern. If my concern is legitimate,
> are there any ways to mitigate this security risk?
>
> Regards,
> Scott A. Lepley
> Systems Administrator
> Mauell Corporation
> 31 Old Cabin Hollow Road
> Dillsburg PA 17019-8815
> Phone: 717-432-8686, ext. 14
> Fax: 717-432-8688
> Email: sal@...
>
Thanks for the reply, Troy. I understand that allowing data input via ODBC
would or could bypass validation routines and thereby corrupt the database.
That type of access is already ruled out in my opinion. However, even if
the ODBC link were limited to read-only, that doesn't alleviate my concern.
My concern is regarding just that ability, that of the Access application
users being able to read the data. It appears that ODBC would allow them to
see virtually any data, whether they needed to see it or not. If it were
acceptable for these users to see all data, I would simply install Report
Builder on their machines to let them access the data that way.

I welcome any further comments.

Regards,
Scott

-----Original Message-----
From: Troy Funte [mailto:tfunte@...]
Sent: Thursday, February 22, 2001 2:56 AM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC

What I've heard on the list before, is that you want Access to have Read
only links. Otherwise there is the risk of Access changing Vantage data in a
compromising way - meaning there are no checks and balances and data could
be corrupted. The SAFEST way to use Access is to import it from an exported
file. By linking directly through ODBC, it would be hard, in my opinion to
maintain any kind of security on the database. A user could corrupt the
database, or have access to confidential information such as payroll stuff.

I'm no expert, but these are some of the things I've heard. There are
probably others on the list who could give you more detail.

Troy Funte
Liberty Electronics
----- Original Message -----
From: Lepley, Scott A.
To: Vantage YahooGroup (E-mail)
Cc: O'Rourke, Kevin P.
Sent: Wednesday, February 21, 2001 4:45 PM
Subject: [Vantage] Vantage security and ODBC


I'm sure this has been discussed previously, but I sure would appreciate it
if some users would be willing to respond again regarding this issue.

The situation here at this company is the following. The Customer Service
Supervisor here is knowledgeable about databases. He is currently
developing a customer service application in Microsoft Access and wishes to
establish connections between Access and Vantage using ODBC functionality.
I am the person responsible for coordinating the company's use of Vantage.
I have no control over the application development. I am uncomfortable
providing this functionality because of security concerns. As far as I
know, if I implement ODBC, it will allow access to all of the Progress
tables, except payroll, and thereby circumvent the access controls
established in Vantage. Everything that I have been able to learn so far
about this issue seems to confirm my concern. If my concern is legitimate,
are there any ways to mitigate this security risk?





Thanks for the reply, Joe. I should have mentioned that we are using
version 3.00.632. Regarding payroll, I understood that the payroll table
was encrypted and therefore could be read only through Vantage. Was this
true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
even if the payroll table is encrypted, this does nothing to protect labor
rate information that may be stored in tables related to job management.

I welcome additional comments.

Regards,
Scott

-----Original Message-----
From: Joe Konecny [mailto:jkonecn@...]
Sent: Thursday, February 22, 2001 8:19 AM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC

The whole database is wide open with ODBC including payroll. Also
consider that v5 installs odbc by default on each workstation
like it or not. All they need is the host name, database name
and the port number. That info is easy to get. So really any user
anywhere can use ODBC and get at payroll or any other table.

That said... I'm very glad ODBC access is there and fortunately
none of our users know anything about ODBC.

Troy Funte wrote:
>
> What I've heard on the list before, is that you want Access to have Read
> only links. Otherwise there is the risk of Access changing Vantage data in a
> compromising way - meaning there are no checks and balances and data could
> be corrupted. The SAFEST way to use Access is to import it from an exported
> file. By linking directly through ODBC, it would be hard, in my opinion to
> maintain any kind of security on the database. A user could corrupt the
> database, or have access to confidential information such as payroll stuff.
>
> I'm no expert, but these are some of the things I've heard. There are
> probably others on the list who could give you more detail.
>
> Troy Funte
> Liberty Electronics
> ----- Original Message -----
> From: Lepley, Scott A.
> To: Vantage YahooGroup (E-mail)
> Cc: O'Rourke, Kevin P.
> Sent: Wednesday, February 21, 2001 4:45 PM
> Subject: [Vantage] Vantage security and ODBC
>
> I'm sure this has been discussed previously, but I sure would appreciate it
> if some users would be willing to respond again regarding this issue.
>
> The situation here at this company is the following. The Customer Service
> Supervisor here is knowledgeable about databases. He is currently
> developing a customer service application in Microsoft Access and wishes to
> establish connections between Access and Vantage using ODBC functionality.
> I am the person responsible for coordinating the company's use of Vantage.
> I have no control over the application development. I am uncomfortable
> providing this functionality because of security concerns. As far as I
> know, if I implement ODBC, it will allow access to all of the Progress
> tables, except payroll, and thereby circumvent the access controls
> established in Vantage. Everything that I have been able to learn so far
> about this issue seems to confirm my concern. If my concern is legitimate,
> are there any ways to mitigate this security risk?
>
> Regards,
> Scott A. Lepley
> Systems Administrator
> Mauell Corporation
> 31 Old Cabin Hollow Road
> Dillsburg PA 17019-8815
> Phone: 717-432-8686, ext. 14
> Fax: 717-432-8688
> Email: sal@...
>
Ignorance is not normally considered a valid security policy, especially
when the natives are becoming more and more computer literate. ( Whether we
like it or not ... )

-----Original Message-----
From: Joe Konecny [mailto:jkonecn@...]
Sent: Thursday, February 22, 2001 7:19 AM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC


The whole database is wide open with ODBC including payroll. Also
consider that v5 installs odbc by default on each workstation
like it or not. All they need is the host name, database name
and the port number. That info is easy to get. So really any user
anywhere can use ODBC and get at payroll or any other table.

That said... I'm very glad ODBC access is there and fortunately
none of our users know anything about ODBC.

Troy Funte wrote:
>
> What I've heard on the list before, is that you want Access to have Read
> only links. Otherwise there is the risk of Access changing Vantage data in a
> compromising way - meaning there are no checks and balances and data could
> be corrupted. The SAFEST way to use Access is to import it from an exported
> file. By linking directly through ODBC, it would be hard, in my opinion to
> maintain any kind of security on the database. A user could corrupt the
> database, or have access to confidential information such as payroll stuff.
>
> I'm no expert, but these are some of the things I've heard. There are
> probably others on the list who could give you more detail.
>
> Troy Funte
> Liberty Electronics
> ----- Original Message -----
> From: Lepley, Scott A.
> To: Vantage YahooGroup (E-mail)
> Cc: O'Rourke, Kevin P.
> Sent: Wednesday, February 21, 2001 4:45 PM
> Subject: [Vantage] Vantage security and ODBC
>
> I'm sure this has been discussed previously, but I sure would appreciate it
> if some users would be willing to respond again regarding this issue.
>
> The situation here at this company is the following. The Customer Service
> Supervisor here is knowledgeable about databases. He is currently
> developing a customer service application in Microsoft Access and wishes to
> establish connections between Access and Vantage using ODBC functionality.
> I am the person responsible for coordinating the company's use of Vantage.
> I have no control over the application development. I am uncomfortable
> providing this functionality because of security concerns. As far as I
> know, if I implement ODBC, it will allow access to all of the Progress
> tables, except payroll, and thereby circumvent the access controls
> established in Vantage. Everything that I have been able to learn so far
> about this issue seems to confirm my concern. If my concern is legitimate,
> are there any ways to mitigate this security risk?
>
> Regards,
> Scott A. Lepley
> Systems Administrator
> Mauell Corporation
> 31 Old Cabin Hollow Road
> Dillsburg PA 17019-8815
> Phone: 717-432-8686, ext. 14
> Fax: 717-432-8688
> Email: sal@...
>
Couldn't agree more but there are no other options if you want
to use ODBC.

Todd Anderson wrote:
>
> Ignorance is not normally considered a valid security policy, especially
> when the natives are becoming more and more computer literate. ( Whether we
> like it or not ... )
>
> -----Original Message-----
> From: Joe Konecny [mailto:jkonecn@...]
> Sent: Thursday, February 22, 2001 7:19 AM
> To: vantage@yahoogroups.com
> Subject: Re: [Vantage] Vantage security and ODBC
>
> The whole database is wide open with ODBC including payroll. Also
> consider that v5 installs odbc by default on each workstation
> like it or not. All they need is the host name, database name
> and the port number. That info is easy to get. So really any user
> anywhere can use ODBC and get at payroll or any other table.
>
> That said... I'm very glad ODBC access is there and fortunately
> none of our users know anything about ODBC.
>
> Troy Funte wrote:
> >
> > What I've heard on the list before, is that you want Access to have Read
> > only links. Otherwise there is the risk of Access changing Vantage data in a
> > compromising way - meaning there are no checks and balances and data could
> > be corrupted. The SAFEST way to use Access is to import it from an exported
> > file. By linking directly through ODBC, it would be hard, in my opinion to
> > maintain any kind of security on the database. A user could corrupt the
> > database, or have access to confidential information such as payroll stuff.
> >
> > I'm no expert, but these are some of the things I've heard. There are
> > probably others on the list who could give you more detail.
> >
> > Troy Funte
> > Liberty Electronics
> > ----- Original Message -----
> > From: Lepley, Scott A.
> > To: Vantage YahooGroup (E-mail)
> > Cc: O'Rourke, Kevin P.
> > Sent: Wednesday, February 21, 2001 4:45 PM
> > Subject: [Vantage] Vantage security and ODBC
> >
> > I'm sure this has been discussed previously, but I sure would appreciate it
> > if some users would be willing to respond again regarding this issue.
> >
> > The situation here at this company is the following. The Customer Service
> > Supervisor here is knowledgeable about databases. He is currently
> > developing a customer service application in Microsoft Access and wishes to
> > establish connections between Access and Vantage using ODBC functionality.
> > I am the person responsible for coordinating the company's use of Vantage.
> > I have no control over the application development. I am uncomfortable
> > providing this functionality because of security concerns. As far as I
> > know, if I implement ODBC, it will allow access to all of the Progress
> > tables, except payroll, and thereby circumvent the access controls
> > established in Vantage. Everything that I have been able to learn so far
> > about this issue seems to confirm my concern. If my concern is legitimate,
> > are there any ways to mitigate this security risk?
> >
> > Regards,
> > Scott A. Lepley
> > Systems Administrator
> > Mauell Corporation
> > 31 Old Cabin Hollow Road
> > Dillsburg PA 17019-8815
> > Phone: 717-432-8686, ext. 14
> > Fax: 717-432-8688
> > Email: sal@...
> >
Scott:

I feel for you big time! I hate it when someone "knowledgeable" gets these
great ideas, especially when they get management behind them on this "great new
thinking". If you balk, you're perceived as "not a team player".

I would have this person map exactly what data they need access (no pun) to and
determine if there is a problem to grant this. There is NO WAY IN HECK I would
let this person upload one iota of data into my database! You may have to make
a stand here.

But if the data is relatively harmless (shipment history, lead times, etc.)
then perhaps let this person make his database.

Good luck to you!

Rick Gors
MR/MMIS
Osco

"Lepley, Scott A." wrote:

> I'm sure this has been discussed previously, but I sure would appreciate it
> if some users would be willing to respond again regarding this issue.
>
> The situation here at this company is the following. The Customer Service
> Supervisor here is knowledgeable about databases. He is currently
> developing a customer service application in Microsoft Access and wishes to
> establish connections between Access and Vantage using ODBC functionality.
> I am the person responsible for coordinating the company's use of Vantage.
> I have no control over the application development. I am uncomfortable
> providing this functionality because of security concerns. As far as I
> know, if I implement ODBC, it will allow access to all of the Progress
> tables, except payroll, and thereby circumvent the access controls
> established in Vantage. Everything that I have been able to learn so far
> about this issue seems to confirm my concern. If my concern is legitimate,
> are there any ways to mitigate this security risk?
>
> Regards,
> Scott A. Lepley
> Systems Administrator
> Mauell Corporation
> 31 Old Cabin Hollow Road
> Dillsburg PA 17019-8815
> Phone: 717-432-8686, ext. 14
> Fax: 717-432-8688
> Email: sal@...
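The approach suggested in this thread (have the requester map exactly which data is needed, then give Access an exported file rather than a live ODBC link) could be implemented along the lines below. This is an added example, not code from the thread or from Vantage; the table and column names, the approved-needs map, the deny list and the in-memory SQLite database standing in for the Progress database are all assumptions.

```python
"""Allow-listed export: hand Access a file instead of a live ODBC link."""
import csv
import io
import sqlite3

# Data-need map agreed with the requester: table -> exportable columns.
# All names are hypothetical, not the real Vantage schema.
APPROVED = {
    "shipment": ("order_num", "customer", "ship_date"),
    "job": ("job_num", "part_num", "due_date"),
}

# Columns that never leave the database, whichever table holds them
# (hypothetical; covers labor rates stored alongside job data).
DENIED_COLUMNS = {"labor_rate", "pay_rate"}


class ExportDenied(Exception):
    """Raised when a request asks for data outside the approved map."""


def validate_request(request, approved=APPROVED, denied=DENIED_COLUMNS):
    """Return the request as {table: tuple(columns)} or raise ExportDenied."""
    checked = {}
    for table, columns in request.items():
        if table not in approved:
            raise ExportDenied(f"table not approved: {table}")
        for col in columns:
            # The deny list is checked first so that a mistake in the
            # approved map cannot expose a sensitive column.
            if col in denied:
                raise ExportDenied(f"sensitive column: {table}.{col}")
            if col not in approved[table]:
                raise ExportDenied(f"column not approved: {table}.{col}")
        checked[table] = tuple(columns)
    return checked


def export_table(conn, table, columns, out):
    """Write the given columns of one table to `out` as CSV; return row count."""
    # Identifiers reach this point only after validate_request has matched
    # them against the allow-list, so no requester text ends up in the SQL.
    col_list = ", ".join(f'"{c}"' for c in columns)
    writer = csv.writer(out)
    writer.writerow(columns)
    rows = 0
    for row in conn.execute(f'SELECT {col_list} FROM "{table}"'):
        writer.writerow(row)
        rows += 1
    return rows


def run_export(conn, request):
    """Validate the whole request first, then export; returns {table: csv_text}."""
    checked = validate_request(request)
    exported = {}
    for table, columns in checked.items():
        buf = io.StringIO()
        export_table(conn, table, columns, buf)
        exported[table] = buf.getvalue()
    return exported


def build_sample_db():
    """Constructed sample data; SQLite stands in for the ERP database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE shipment (order_num INTEGER, customer TEXT, ship_date TEXT);
        CREATE TABLE job (job_num TEXT, part_num TEXT, due_date TEXT,
                          labor_rate REAL);
        CREATE TABLE payroll (emp_id INTEGER, pay_rate REAL);
        INSERT INTO shipment VALUES (1001, 'Acme', '2001-02-20');
        INSERT INTO shipment VALUES (1002, 'Birch', '2001-02-21');
        INSERT INTO job VALUES ('J-1', 'P-77', '2001-03-01', 18.50);
        INSERT INTO payroll VALUES (1, 22.00);
        """
    )
    conn.commit()
    # The export job itself only ever needs to read.
    conn.execute("PRAGMA query_only = ON")
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(run_export(db, {"shipment": ("order_num", "ship_date")})["shipment"])
    try:
        run_export(db, {"job": ("job_num", "labor_rate")})
    except ExportDenied as exc:
        print("denied:", exc)
```

Because the request is validated as a whole before any query runs, a request that mixes approved and unapproved items produces no output file at all.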
Incidentally, any user who knows how to create a shortcut could, in theory, install report builder on their machine and run it too.

So using Access, although a potential time-bomb, relies on the ignorance of the general user. It is the rogue programmer-in-disguise-as-an-engineer that will give you headaches.

Troy
----- Original Message -----
From: Lepley, Scott A.
To: 'vantage@yahoogroups.com'
Sent: Thursday, February 22, 2001 5:46 AM
Subject: RE: [Vantage] Vantage security and ODBC


Thanks for the reply, Troy. I understand that allowing data input via ODBC
would or could bypass validation routines and thereby corrupt the database.
That type of access is already ruled out in my opinion. However, even if
the ODBC link were limited to read-only, that doesn't alleviate my concern.
My concern is regarding just that ability, that of the Access application
users being able to read the data. It appears that ODBC would allow them to
see virtually any data, whether they needed to see it or not. If it were
acceptable for these users to see all data, I would simply install Report
Builder on their machines to let them access the data that way.

I welcome any further comments.

Regards,
Scott

-----Original Message-----
From: Troy Funte [mailto:tfunte@...]
Sent: Thursday, February 22, 2001 2:56 AM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC

What I've heard on the list before, is that you want Access to have Read
only links. Otherwise there is the risk of Access changing Vantage data in a
compromising way - meaning there are no checks and balances and data could
be corrupted. The SAFEST way to use Access is to import it from an exported
file. By linking directly through ODBC, it would be hard, in my opinion to
maintain any kind of security on the database. A user could corrupt the
database, or have access to confidential information such as payroll stuff.

I'm no expert, but these are some of the things I've heard. There are
probably others on the list who could give you more detail.

Troy Funte
Liberty Electronics
----- Original Message -----
From: Lepley, Scott A.
To: Vantage YahooGroup (E-mail)
Cc: O'Rourke, Kevin P.
Sent: Wednesday, February 21, 2001 4:45 PM
Subject: [Vantage] Vantage security and ODBC


I'm sure this has been discussed previously, but I sure would appreciate it
if some users would be willing to respond again regarding this issue.

The situation here at this company is the following. The Customer Service
Supervisor here is knowledgeable about databases. He is currently
developing a customer service application in Microsoft Access and wishes to
establish connections between Access and Vantage using ODBC functionality.
I am the person responsible for coordinating the company's use of Vantage.
I have no control over the application development. I am uncomfortable
providing this functionality because of security concerns. As far as I
know, if I implement ODBC, it will allow access to all of the Progress
tables, except payroll, and thereby circumvent the access controls
established in Vantage. Everything that I have been able to learn so far
about this issue seems to confirm my concern. If my concern is legitimate,
are there any ways to mitigate this security risk?





No... none of it is encrypted. What they have is a "find" trigger
on most of the payroll tables that prevents access from Vantage
and report builder. Anyone that has access to Progress's
procedure editor (which is probably everyone) or the Vantage
Basic command window can override the find trigger and look
at any data they want.

"Lepley, Scott A." wrote:
>
> Thanks for the reply, Joe. I should have mentioned that we are using
> version 3.00.632. Regarding payroll, I understood that the payroll table
> was encrypted and therefore could be read only through Vantage. Was this
> true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
> even if the payroll table is encrypted, this does nothing to protect labor
> rate information that may be stored in tables related to job management.
>
> I welcome additional comments.
>
> Regards,
> Scott
>
> -----Original Message-----
> From: Joe Konecny [mailto:jkonecn@...]
> Sent: Thursday, February 22, 2001 8:19 AM
> To: vantage@yahoogroups.com
> Subject: Re: [Vantage] Vantage security and ODBC
>
> The whole database is wide open with ODBC including payroll. Also
> consider that v5 installs odbc by default on each workstation
> like it or not. All they need is the host name, database name
> and the port number. That info is easy to get. So really any user
> anywhere can use ODBC and get at payroll or any other table.
>
> That said... I'm very glad ODBC access is there and fortunately
> none of our users know anything about ODBC.
>
> Troy Funte wrote:
> >
> > What I've heard on the list before, is that you want Access to have Read
> > only links. Otherwise there is the risk of Access changing Vantage data in a
> > compromising way - meaning there are no checks and balances and data could
> > be corrupted. The SAFEST way to use Access is to import it from an exported
> > file. By linking directly through ODBC, it would be hard, in my opinion to
> > maintain any kind of security on the database. A user could corrupt the
> > database, or have access to confidential information such as payroll stuff.
> >
> > I'm no expert, but these are some of the things I've heard. There are
> > probably others on the list who could give you more detail.
> >
> > Troy Funte
> > Liberty Electronics
> > ----- Original Message -----
> > From: Lepley, Scott A.
> > To: Vantage YahooGroup (E-mail)
> > Cc: O'Rourke, Kevin P.
> > Sent: Wednesday, February 21, 2001 4:45 PM
> > Subject: [Vantage] Vantage security and ODBC
> >
> > I'm sure this has been discussed previously, but I sure would appreciate it
> > if some users would be willing to respond again regarding this issue.
> >
> > The situation here at this company is the following. The Customer Service
> > Supervisor here is knowledgeable about databases. He is currently
> > developing a customer service application in Microsoft Access and wishes to
> > establish connections between Access and Vantage using ODBC functionality.
> > I am the person responsible for coordinating the company's use of Vantage.
> > I have no control over the application development. I am uncomfortable
> > providing this functionality because of security concerns. As far as I
> > know, if I implement ODBC, it will allow access to all of the Progress
> > tables, except payroll, and thereby circumvent the access controls
> > established in Vantage. Everything that I have been able to learn so far
> > about this issue seems to confirm my concern. If my concern is legitimate,
> > are there any ways to mitigate this security risk?
> >
> > Regards,
> > Scott A. Lepley
> > Systems Administrator
> > Mauell Corporation
> > 31 Old Cabin Hollow Road
> > Dillsburg PA 17019-8815
> > Phone: 717-432-8686, ext. 14
> > Fax: 717-432-8688
> > Email: sal@...
> >
There really isn't a lot that can be done regarding security using ODBC.
ODBC was set up to use the database security of the DBMS itself. Here is a
KB article from Progress regarding security -
http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
Epicor uses their own security in Vantage. I believe that
you could implement Progress database security, but then everyone would have
to log on twice to access Vantage, once into Progress and once into Vantage.


The payroll tables are not accessible via ODBC in v4. I haven't tried this
with v5 yet. I view it just a little irresponsible, on Epicor's part, to
leave a corporate wide system wide open like this. Nothing gets the blood
boiling like everyone in the company finding out where the money goes and
who gets how much of it.

Ted Kitch
ted@...

-----Original Message-----
From: Lepley, Scott A. [mailto:sal@...]
Sent: Thursday, February 22, 2001 7:59 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Vantage security and ODBC

Thanks for the reply, Joe. I should have mentioned that we are using
version 3.00.632. Regarding payroll, I understood that the payroll table
was encrypted and therefore could be read only through Vantage. Was this
true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
even if the payroll table is encrypted, this does nothing to protect labor
rate information that may be stored in tables related to job management.

I welcome additional comments.

Regards,
Scott

I'm almost certain that they are accessible. I don't have v4
loaded anymore to check it though.

Ted Kitch wrote:
<snip>
> The payroll tables are not accessible via ODBC in v4. I haven't tried this
> with v5 yet. I view it just a little irresponsible, on Epicor's part, to
> leave a corporate wide system wide open like this. Nothing gets the blood
> boiling like everyone in the company finding out where the money goes and
> who gets how much of it.
>
> Ted Kitch
> ted@...
>
Scott,

We have implemented a similar type of system here. There is a custom sales
and customer support application written in Access. In that application,
some of the reports combine data from Vantage with the data in the
application. We use ODBC to do this. Here's what I would recommend.
First, you need to get management to understand the security risk. Then,
you need to get management to agree that the Access database needs to be an
Access application instead. This will be more costly, as I doubt that your
knowledgeable user knows Access programming. You will probably have to
outsource this, unless you have an Access programmer on staff. The benefit
is that you can write the security into the application. My users only have
access to print pre-defined reports that are shown on their menus in the
custom application. Therefore, they have ODBC access to Vantage, but only
as it is controlled by me. You can also insert Vantage data into screens,
views, tables, etc. using ODBC. The point is that you (or your application)
control the security. In the meantime, you can export the data that your
user wants, on a timed basis (maybe each night).

All that being said, I would also recommend learning all you can about what
your user is trying to accomplish, and make every effort to recommend a
solution that can be performed fully inside Vantage. My custom application
does things that could, and should be done in Vantage. Unfortunately, I
inherited it, and I've been unable to convince anyone that the Access
application is redundant.

Good luck...B

-----Original Message-----
From: Lepley, Scott A. [mailto:sal@...]
Sent: Wednesday, February 21, 2001 5:45 PM
To: Vantage YahooGroup (E-mail)
Cc: O'Rourke, Kevin P.
Subject: [Vantage] Vantage security and ODBC


I'm sure this has been discussed previously, but I sure would appreciate it
if some users would be willing to respond again regarding this issue.

The situation here at this company is the following. The Customer Service
Supervisor here is knowledgeable about databases. He is currently
developing a customer service application in Microsoft Access and wishes to
establish connections between Access and Vantage using ODBC functionality.
I am the person responsible for coordinating the company's use of Vantage.
I have no control over the application development. I am uncomfortable
providing this functionality because of security concerns. As far as I
know, if I implement ODBC, it will allow access to all of the Progress
tables, except payroll, and thereby circumvent the access controls
established in Vantage. Everything that I have been able to learn so far
about this issue seems to confirm my concern. If my concern is legitimate,
are there any ways to mitigate this security risk?

Regards,
Scott A. Lepley
Systems Administrator
Mauell Corporation
31 Old Cabin Hollow Road
Dillsburg PA 17019-8815
Phone: 717-432-8686, ext. 14
Fax: 717-432-8688
Email: sal@...
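
The mitigation suggested in this thread (hand desktop tools an exported file refreshed on a schedule, and expose only pre-defined reports, instead of a live ODBC link) is shown here as an added example; it is not code from any poster or from Vantage. An in-memory SQLite database stands in for the ERP database, and the table names, column names, `EXPORTS` and `DENIED_COLUMNS` are hypothetical.

```python
import csv
import io
import re
import sqlite3

# Hypothetical table/column names for illustration; a real Vantage schema differs.
# Only the exports listed here exist; each names its table and columns explicitly.
EXPORTS = {
    "open_orders": {
        "table": "order_head",
        "columns": ("order_num", "cust_id", "status"),
        # Fixed filter text maintained by the administrator, never user input.
        "where": "status = 'OPEN'",
    },
    "job_status": {
        "table": "job_head",
        "columns": ("job_num", "part_num", "due_date"),  # labor_rate left out
        "where": None,
    },
}

# Columns that must never leave the ERP database, whatever table they sit in.
DENIED_COLUMNS = {"labor_rate", "pay_rate"}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class ExportPolicyError(Exception):
    """Raised when an export definition or request breaks the policy."""


def check_spec(conn, name, spec):
    """Validate one export definition against the schema and the deny list."""
    table, columns = spec["table"], spec["columns"]
    for ident in (table, *columns):
        if not _IDENT.match(ident):
            raise ExportPolicyError(f"{name}: bad identifier {ident!r}")
    denied = DENIED_COLUMNS.intersection(c.lower() for c in columns)
    if denied:
        raise ExportPolicyError(f"{name}: denied columns {sorted(denied)}")
    # A missing table yields no rows here, so every column is reported unknown.
    present = {row[1].lower() for row in conn.execute(f"PRAGMA table_info({table})")}
    missing = [c for c in columns if c.lower() not in present]
    if missing:
        raise ExportPolicyError(f"{name}: unknown columns {missing}")


def run_export(conn, name, exports=EXPORTS):
    """Return CSV text for one named export; anything not listed is refused."""
    if name not in exports:
        raise ExportPolicyError(f"no such export: {name!r}")
    spec = exports[name]
    check_spec(conn, name, spec)
    sql = f"SELECT {', '.join(spec['columns'])} FROM {spec['table']}"
    if spec["where"]:
        sql += f" WHERE {spec['where']}"
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(spec["columns"])
    writer.writerows(conn.execute(sql))
    return out.getvalue()


def build_sample_db():
    """Constructed sample data standing in for the ERP database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE order_head (order_num INTEGER, cust_id TEXT, status TEXT);
        INSERT INTO order_head VALUES (1001, 'ACME', 'OPEN'), (1002, 'BOLT', 'CLOSED');
        CREATE TABLE job_head (job_num TEXT, part_num TEXT, due_date TEXT, labor_rate REAL);
        INSERT INTO job_head VALUES ('J-1', 'P-10', '2001-03-01', 27.50);
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for export_name in EXPORTS:
        print(f"--- {export_name}.csv")
        print(run_export(db, export_name), end="")
```

The scheduled job runs under the one account that holds the database connection; the desktop application only ever sees the CSV files, so no workstation needs the host name, database name and port.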



In my estimation, it's my responsibility (not Epicor's) to make sure the
system is not wide open to the users. They have implemented their own
security in their own application, and provided the necessary tools to
administer it from an IS/IT admin. We (their customers) have demanded the
ability to access the data via ODBC. Maybe we should be careful what we ask
for. After all, it's up to us to either install or not install the drivers
on the workstations. In Scott's case, I understand that the company is
pushing it on him. But isn't this a management responsibility within his
company, and not really reflective of Epicor?

-----Original Message-----
From: Ted Kitch [mailto:ted@...]
Sent: Thursday, February 22, 2001 7:32 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Vantage security and ODBC


There really isn't a lot that can be done regarding security using ODBC.
ODBC was set up to use the database security of the DBMS itself. Here is a
KB article from Progress regarding security -
http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
Epicor uses their own security in Vantage. I believe that
you could implement Progress database security, but then everyone would have
to log on twice to access Vantage, once into Progress and once into Vantage.


The payroll tables are not accessible via ODBC in v4. I haven't tried this
with v5 yet. I view it just a little irresponsible, on Epicor's part, to
leave a corporate wide system wide open like this. Nothing gets the blood
boiling like everyone in the company finding out where the money goes and
who gets how much of it.

Ted Kitch
ted@...

Has anyone out there implemented Progress level security on top of Vantage's
security for the purpose of controlling ODBC access or report writer access?

-----Original Message-----
From: Ted Kitch [mailto:ted@...]
Sent: Thursday, February 22, 2001 8:32 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Vantage security and ODBC



There really isn't a lot that can be done regarding security using ODBC.
ODBC was set up to use the database security of the DBMS itself. Here is a
KB article from Progress regarding security -
http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
Epicor uses their own security in Vantage. I believe that
you could implement Progress database security, but then everyone would have
to log on twice to access Vantage, once into Progress and once into Vantage.


The payroll tables are not accessible via ODBC in v4. I haven't tried this
with v5 yet. I view it just a little irresponsible, on Epicor's part, to
leave a corporate wide system wide open like this. Nothing gets the blood
boiling like everyone in the company finding out where the money goes and
who gets how much of it.

Ted Kitch
ted@...

-----Original Message-----
From: Lepley, Scott A. [mailto:sal@...]
Sent: Thursday, February 22, 2001 7:59 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Vantage security and ODBC

Thanks for the reply, Joe. I should have mentioned that we are using
version 3.00.632. Regarding payroll, I understood that the payroll table
was encrypted and therefore could be read only through Vantage. Was this
true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
even if the payroll table is encrypted, this does nothing to protect labor
rate information that may be stored in tables related to job management.

I welcome additional comments.

Regards,
Scott

-----Original Message-----
From: Joe Konecny [mailto:jkonecn@...]
Sent: Thursday, February 22, 2001 8:19 AM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC

The whole database is wide open with ODBC including payroll. Also
consider that v5 installs odbc by default on each workstation
like it or not. All they need is the host name, database name
and the port number. That info is easy to get. So really any user
anywhere can use ODBC and get at payroll or any other table.

That said... I'm very glad ODBC access is there and fortunately
none of our users know anything about ODBC.

Troy Funte wrote:
>
> What I've heard on the list before, is that you want Access to have Read
only links. Otherwise there is the risk of Access changing Vantage data in a
compromising way - meaning there are no checks and balances and data could
be corrupted. The SAFEST way to use Access is to import it from an exported
file. By linking directly through ODBC, it would be hard, in my opinion to
maintain any kind of security on the database. A user could corrupt the
database, or have access to confidential information such as payroll stuff.
>
> I'm no expert, but these are some of the things I've heard. There are
probably others on the list who could give you more detail.
>
> Troy Funte
> Liberty Electronics
> ----- Original Message -----
> From: Lepley, Scott A.
> To: Vantage YahooGroup (E-mail)
> Cc: O'Rourke, Kevin P.
> Sent: Wednesday, February 21, 2001 4:45 PM
> Subject: [Vantage] Vantage security and ODBC
>
> I'm sure this has been discussed previously, but I sure would appreciate
it
> if some users would be willing to respond again regarding this issue.
>
> The situation here at this company is the following. The Customer
Service
> Supervisor here is knowledgeable about databases. He is currently
> developing a customer service application in Microsoft Access and wishes
to
> establish connections between Access and Vantage using ODBC
functionality.
> I am the person responsible for coordinating the company's use of
Vantage.
> I have no control over the application development. I am uncomfortable
> providing this functionality because of security concerns. As far as I
> know, if I implement ODBC, it will allow access to all of the Progress
> tables, except payroll, and thereby circumvent the access controls
> established in Vantage. Everything that I have been able to learn so
far
> about this issue seems to confirm my concern. If my concern is
legitimate,
> are there any ways to mitigate this security risk?
>
> Regards,
> Scott A. Lepley
> Systems Administrator
> Mauell Corporation
> 31 Old Cabin Hollow Road
> Dillsburg PA 17019-8815
> Phone: 717-432-8686, ext. 14
> Fax: 717-432-8688
> Email: sal@...
>
Brian,

If I read correctly, the ODBC in emanufacturing version 5.0 is automatically
installed on your client. You do not have a choice. I have not verified this.
But can someone running 5.0 verify? - If this is the case I will think twice
about going live with 5.0 until there is better security.

Best Regards,
Dina

Brian Davis wrote:

> In my estimation, it's my responsibility (not Epicor's) to make sure the
> system is not wide open to the users. They have implemented their own
> security in their own application, and provided the necessary tools to
> administer it from and IS/IT admin. We (their customers) have demanded the
> ability to access the data via ODBC. Maybe we should be careful what we ask
> for. After all, it's up to us to either install or not install the drivers
> on the workstations. In Scott's case, I understand that the company is
> pushing it on him. But isn't this a management responsibility within his
> company, and not really reflective of Epicor?
>
> -----Original Message-----
> From: Ted Kitch [mailto:ted@...]
> Sent: Thursday, February 22, 2001 7:32 AM
> To: 'vantage@yahoogroups.com'
> Subject: RE: [Vantage] Vantage security and ODBC
>
> There really isn't a lot that can be done regarding security using ODBC.
> ODBC was set up to use the database security of the DBMS itself. Here is a
> KB article from Progress regarding security -
> http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
> Epicor uses their own security in Vantage. I believe that
> you could implement Progress database security, but then everyone would have
> to log on twice to access Vantage, once into Progress and once into Vantage.
>
>
> The payroll tables are not accessible via ODBC in v4. I haven't tried this
> with v5 yet. I view it just a little irresponsible, on Epicor's part, to
> leave a corporate wide system wide open like this. Nothing gets the blood
> boiling like everyone in the company finding out where the money goes and
> who gets how much of it.
>
> Ted Kitch
> ted@...
>
> -----Original Message-----
> From: Lepley, Scott A. [mailto:sal@...]
> Sent: Thursday, February 22, 2001 7:59 AM
> To: 'vantage@yahoogroups.com'
> Subject: RE: [Vantage] Vantage security and ODBC
>
> Thanks for the reply, Joe. I should have mentioned that we are using
> version 3.00.632. Regarding payroll, I understood that the payroll table
> was encrypted and therefore could be read only through Vantage. Was this
> true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
> even if the payroll table is encrypted, this does nothing to protect labor
> rate information that may be stored in tables related to job management.
>
> I welcome additional comments.
>
> Regards,
> Scott
>
> -----Original Message-----
> From: Joe Konecny [mailto:jkonecn@...]
> Sent: Thursday, February 22, 2001 8:19 AM
> To: vantage@yahoogroups.com
> Subject: Re: [Vantage] Vantage security and ODBC
>
> The whole database is wide open with ODBC including payroll. Also
> consider that v5 installs odbc by default on each workstation
> like it or not. All they need is the host name, database name
> and the port number. That info is easy to get. So really any user
> anywhere can use ODBC and get at payroll or any other table.
>
> That said... I'm very glad ODBC access is there and fortunately
> none of our users know anything about ODBC.
>
> Troy Funte wrote:
> >
> > What I've heard on the list before, is that you want Access to have Read
> > only links. Otherwise there is the risk of Access changing Vantage data in a
> > compromising way - meaning there are no checks and balances and data could
> > be corrupted. The SAFEST way to use Access is to import it from an exported
> > file. By linking directly through ODBC, it would be hard, in my opinion to
> > maintain any kind of security on the database. A user could corrupt the
> > database, or have access to confidential information such as payroll stuff.
> >
> > I'm no expert, but these are some of the things I've heard. There are
> > probably others on the list who could give you more detail.
> >
> > Troy Funte
> > Liberty Electronics
> > ----- Original Message -----
> > From: Lepley, Scott A.
> > To: Vantage YahooGroup (E-mail)
> > Cc: O'Rourke, Kevin P.
> > Sent: Wednesday, February 21, 2001 4:45 PM
> > Subject: [Vantage] Vantage security and ODBC
> >
> > I'm sure this has been discussed previously, but I sure would appreciate it
> > if some users would be willing to respond again regarding this issue.
> >
> > The situation here at this company is the following. The Customer Service
> > Supervisor here is knowledgeable about databases. He is currently
> > developing a customer service application in Microsoft Access and wishes to
> > establish connections between Access and Vantage using ODBC functionality.
> > I am the person responsible for coordinating the company's use of Vantage.
> > I have no control over the application development. I am uncomfortable
> > providing this functionality because of security concerns. As far as I
> > know, if I implement ODBC, it will allow access to all of the Progress
> > tables, except payroll, and thereby circumvent the access controls
> > established in Vantage. Everything that I have been able to learn so far
> > about this issue seems to confirm my concern. If my concern is legitimate,
> > are there any ways to mitigate this security risk?
> >
> > Regards,
> > Scott A. Lepley
> > Systems Administrator
> > Mauell Corporation
> > 31 Old Cabin Hollow Road
> > Dillsburg PA 17019-8815
> > Phone: 717-432-8686, ext. 14
> > Fax: 717-432-8688
> > Email: sal@...
> >
It's installed by default. Don't expect much to change in
security though.

Dina Hieber wrote:
>
> Brian,
>
> If I read correctly, the ODBC in emanufacturing version 5.0 is automatically
> installed on your client. You do not have a choice. I have not verified this.
> But can someone running 5.0 verify? - If this is the case I will think twice
> about going live with 5.0 until there is better security.
>
> Best Regards,
> Dina
>
> Brian Davis wrote:
>
> > In my estimation, it's my responsibility (not Epicor's) to make sure the
> > system is not wide open to the users. They have implemented their own
> > security in their own application, and provided the necessary tools to
> > administer it from and IS/IT admin. We (their customers) have demanded the
> > ability to access the data via ODBC. Maybe we should be careful what we ask
> > for. After all, it's up to us to either install or not install the drivers
> > on the workstations. In Scott's case, I understand that the company is
> > pushing it on him. But isn't this a management responsibility within his
> > company, and not really reflective of Epicor?
> >
> > -----Original Message-----
> > From: Ted Kitch [mailto:ted@...]
> > Sent: Thursday, February 22, 2001 7:32 AM
> > To: 'vantage@yahoogroups.com'
> > Subject: RE: [Vantage] Vantage security and ODBC
> >
> > There really isn't a lot that can be done regarding security using ODBC.
> > ODBC was set up to use the database security of the DBMS itself. Here is a
> > KB article from Progress regarding security -
> > http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
> > Epicor uses their own security in Vantage. I believe that
> > you could implement Progress database security, but then everyone would have
> > to log on twice to access Vantage, once into Progress and once into Vantage.
> >
> >
> > The payroll tables are not accessible via ODBC in v4. I haven't tried this
> > with v5 yet. I view it just a little irresponsible, on Epicor's part, to
> > leave a corporate wide system wide open like this. Nothing gets the blood
> > boiling like everyone in the company finding out where the money goes and
> > who gets how much of it.
> >
> > Ted Kitch
> > ted@...
> >
> > -----Original Message-----
> > From: Lepley, Scott A. [mailto:sal@...]
> > Sent: Thursday, February 22, 2001 7:59 AM
> > To: 'vantage@yahoogroups.com'
> > Subject: RE: [Vantage] Vantage security and ODBC
> >
> > Thanks for the reply, Joe. I should have mentioned that we are using
> > version 3.00.632. Regarding payroll, I understood that the payroll table
> > was encrypted and therefore could be read only through Vantage. Was this
> > true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
> > even if the payroll table is encrypted, this does nothing to protect labor
> > rate information that may be stored in tables related to job management.
> >
> > I welcome additional comments.
> >
> > Regards,
> > Scott
> >
> > -----Original Message-----
> > From: Joe Konecny [mailto:jkonecn@...]
> > Sent: Thursday, February 22, 2001 8:19 AM
> > To: vantage@yahoogroups.com
> > Subject: Re: [Vantage] Vantage security and ODBC
> >
> > The whole database is wide open with ODBC including payroll. Also
> > consider that v5 installs odbc by default on each workstation
> > like it or not. All they need is the host name, database name
> > and the port number. That info is easy to get. So really any user
> > anywhere can use ODBC and get at payroll or any other table.
> >
> > That said... I'm very glad ODBC access is there and fortunately
> > none of our users know anything about ODBC.
> >
> > Troy Funte wrote:
> > >
> > > What I've heard on the list before, is that you want Access to have Read
> > > only links. Otherwise there is the risk of Access changing Vantage data in a
> > > compromising way - meaning there are no checks and balances and data could
> > > be corrupted. The SAFEST way to use Access is to import it from an exported
> > > file. By linking directly through ODBC, it would be hard, in my opinion to
> > > maintain any kind of security on the database. A user could corrupt the
> > > database, or have access to confidential information such as payroll stuff.
> > >
> > > I'm no expert, but these are some of the things I've heard. There are
> > > probably others on the list who could give you more detail.
> > >
> > > Troy Funte
> > > Liberty Electronics
> > > ----- Original Message -----
> > > From: Lepley, Scott A.
> > > To: Vantage YahooGroup (E-mail)
> > > Cc: O'Rourke, Kevin P.
> > > Sent: Wednesday, February 21, 2001 4:45 PM
> > > Subject: [Vantage] Vantage security and ODBC
> > >
> > > I'm sure this has been discussed previously, but I sure would appreciate it
> > > if some users would be willing to respond again regarding this issue.
> > >
> > > The situation here at this company is the following. The Customer Service
> > > Supervisor here is knowledgeable about databases. He is currently
> > > developing a customer service application in Microsoft Access and wishes to
> > > establish connections between Access and Vantage using ODBC functionality.
> > > I am the person responsible for coordinating the company's use of Vantage.
> > > I have no control over the application development. I am uncomfortable
> > > providing this functionality because of security concerns. As far as I
> > > know, if I implement ODBC, it will allow access to all of the Progress
> > > tables, except payroll, and thereby circumvent the access controls
> > > established in Vantage. Everything that I have been able to learn so far
> > > about this issue seems to confirm my concern. If my concern is legitimate,
> > > are there any ways to mitigate this security risk?
> > >
> > > Regards,
> > > Scott A. Lepley
> > > Systems Administrator
> > > Mauell Corporation
> > > 31 Old Cabin Hollow Road
> > > Dillsburg PA 17019-8815
> > > Phone: 717-432-8686, ext. 14
> > > Fax: 717-432-8688
> > > Email: sal@...
> > >
You could always delete the odbc dll though.

Joe Konecny wrote:
>
> It's installed by default. Don't expect much to change in
> security though.
>
> Dina Hieber wrote:
> >
> > Brian,
> >
> > If I read correctly, the ODBC in emanufacturing version 5.0 is automatically
> > installed on your client. You do not have a choice. I have not verified this.
> > But can someone running 5.0 verify? - If this is the case I will think twice
> > about going live with 5.0 until there is better security.
> >
> > Best Regards,
> > Dina
> >
> > Brian Davis wrote:
> >
> > > In my estimation, it's my responsibility (not Epicor's) to make sure the
> > > system is not wide open to the users. They have implemented their own
> > > security in their own application, and provided the necessary tools to
> > > administer it from and IS/IT admin. We (their customers) have demanded the
> > > ability to access the data via ODBC. Maybe we should be careful what we ask
> > > for. After all, it's up to us to either install or not install the drivers
> > > on the workstations. In Scott's case, I understand that the company is
> > > pushing it on him. But isn't this a management responsibility within his
> > > company, and not really reflective of Epicor?
> > >
> > > -----Original Message-----
> > > From: Ted Kitch [mailto:ted@...]
> > > Sent: Thursday, February 22, 2001 7:32 AM
> > > To: 'vantage@yahoogroups.com'
> > > Subject: RE: [Vantage] Vantage security and ODBC
> > >
> > > There really isn't a lot that can be done regarding security using ODBC.
> > > ODBC was set up to use the database security of the DBMS itself. Here is a
> > > KB article from Progress regarding security -
> > > http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
> > > Epicor uses their own security in Vantage. I believe that
> > > you could implement Progress database security, but then everyone would have
> > > to log on twice to access Vantage, once into Progress and once into Vantage.
> > >
> > >
> > > The payroll tables are not accessible via ODBC in v4. I haven't tried this
> > > with v5 yet. I view it just a little irresponsible, on Epicor's part, to
> > > leave a corporate wide system wide open like this. Nothing gets the blood
> > > boiling like everyone in the company finding out where the money goes and
> > > who gets how much of it.
> > >
> > > Ted Kitch
> > > ted@...
> > >
> > > -----Original Message-----
> > > From: Lepley, Scott A. [mailto:sal@...]
> > > Sent: Thursday, February 22, 2001 7:59 AM
> > > To: 'vantage@yahoogroups.com'
> > > Subject: RE: [Vantage] Vantage security and ODBC
> > >
> > > Thanks for the reply, Joe. I should have mentioned that we are using
> > > version 3.00.632. Regarding payroll, I understood that the payroll table
> > > was encrypted and therefore could be read only through Vantage. Was this
> > > true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
> > > even if the payroll table is encrypted, this does nothing to protect labor
> > > rate information that may be stored in tables related to job management.
> > >
> > > I welcome additional comments.
> > >
> > > Regards,
> > > Scott
> > >
> > > -----Original Message-----
> > > From: Joe Konecny [mailto:jkonecn@...]
> > > Sent: Thursday, February 22, 2001 8:19 AM
> > > To: vantage@yahoogroups.com
> > > Subject: Re: [Vantage] Vantage security and ODBC
> > >
> > > The whole database is wide open with ODBC including payroll. Also
> > > consider that v5 installs odbc by default on each workstation
> > > like it or not. All they need is the host name, database name
> > > and the port number. That info is easy to get. So really any user
> > > anywhere can use ODBC and get at payroll or any other table.
> > >
> > > That said... I'm very glad ODBC access is there and fortunately
> > > none of our users know anything about ODBC.
> > >
> > > Troy Funte wrote:
> > > >
> > > > What I've heard on the list before, is that you want Access to have Read
> > > > only links. Otherwise there is the risk of Access changing Vantage data in a
> > > > compromising way - meaning there are no checks and balances and data could
> > > > be corrupted. The SAFEST way to use Access is to import it from an exported
> > > > file. By linking directly through ODBC, it would be hard, in my opinion to
> > > > maintain any kind of security on the database. A user could corrupt the
> > > > database, or have access to confidential information such as payroll stuff.
> > > >
> > > > I'm no expert, but these are some of the things I've heard. There are
> > > > probably others on the list who could give you more detail.
> > > >
> > > > Troy Funte
> > > > Liberty Electronics
> > > > ----- Original Message -----
> > > > From: Lepley, Scott A.
> > > > To: Vantage YahooGroup (E-mail)
> > > > Cc: O'Rourke, Kevin P.
> > > > Sent: Wednesday, February 21, 2001 4:45 PM
> > > > Subject: [Vantage] Vantage security and ODBC
> > > >
> > > > I'm sure this has been discussed previously, but I sure would appreciate it
> > > > if some users would be willing to respond again regarding this issue.
> > > >
> > > > The situation here at this company is the following. The Customer Service
> > > > Supervisor here is knowledgeable about databases. He is currently
> > > > developing a customer service application in Microsoft Access and wishes to
> > > > establish connections between Access and Vantage using ODBC functionality.
> > > > I am the person responsible for coordinating the company's use of Vantage.
> > > > I have no control over the application development. I am uncomfortable
> > > > providing this functionality because of security concerns. As far as I
> > > > know, if I implement ODBC, it will allow access to all of the Progress
> > > > tables, except payroll, and thereby circumvent the access controls
> > > > established in Vantage. Everything that I have been able to learn so far
> > > > about this issue seems to confirm my concern. If my concern is legitimate,
> > > > are there any ways to mitigate this security risk?
> > > >
> > > > Regards,
> > > > Scott A. Lepley
> > > > Systems Administrator
> > > > Mauell Corporation
> > > > 31 Old Cabin Hollow Road
> > > > Dillsburg PA 17019-8815
> > > > Phone: 717-432-8686, ext. 14
> > > > Fax: 717-432-8688
> > > > Email: sal@...
> > > >
As Scott says below, labor rates are available from the EMPBASIC
table using ODBC. I have not tried to update tables via Microsoft
Access, but I have tried to update them via Visual Basic, and the
call fails. According to Epicor tech support, there are triggers
which prevent table updates unless certain conditions are met, but
they couldn't elaborate.

--- In vantage@y..., Dina Hieber <dhieber@v...> wrote:
> Brian,
>
> If I read correctly, the ODBC in emanufacturing version 5.0 is automatically
> installed on your client. You do not have a choice. I have not verified this.
> But can someone running 5.0 verify? - If this is the case I will think twice
> about going live with 5.0 until there is better security.
>
> Best Regards,
> Dina
>
> Brian Davis wrote:
>
> > In my estimation, it's my responsibility (not Epicor's) to make sure the
> > system is not wide open to the users. They have implemented their own
> > security in their own application, and provided the necessary tools to
> > administer it from and IS/IT admin. We (their customers) have demanded the
> > ability to access the data via ODBC. Maybe we should be careful what we ask
> > for. After all, it's up to us to either install or not install the drivers
> > on the workstations. In Scott's case, I understand that the company is
> > pushing it on him. But isn't this a management responsibility within his
> > company, and not really reflective of Epicor?
> >
> > -----Original Message-----
> > From: Ted Kitch [mailto:ted@m...]
> > Sent: Thursday, February 22, 2001 7:32 AM
> > To: 'vantage@y...'
> > Subject: RE: [Vantage] Vantage security and ODBC
> >
> > There really isn't a lot that can be done regarding security using ODBC.
> > ODBC was set up to use the database security of the DBMS itself. Here is a
> > KB article from Progress regarding security -
> > http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
> > Epicor uses their own security in Vantage. I believe that
> > you could implement Progress database security, but then everyone would have
> > to log on twice to access Vantage, once into Progress and once into Vantage.
> >
> >
> > The payroll tables are not accessible via ODBC in v4. I haven't tried this
> > with v5 yet. I view it just a little irresponsible, on Epicor's part, to
> > leave a corporate wide system wide open like this. Nothing gets the blood
> > boiling like everyone in the company finding out where the money goes and
> > who gets how much of it.
> >
> > Ted Kitch
> > ted@m...
> >
> > -----Original Message-----
> > From: Lepley, Scott A. [mailto:sal@m...]
> > Sent: Thursday, February 22, 2001 7:59 AM
> > To: 'vantage@y...'
> > Subject: RE: [Vantage] Vantage security and ODBC
> >
> > Thanks for the reply, Joe. I should have mentioned that we are using
> > version 3.00.632. Regarding payroll, I understood that the payroll table
> > was encrypted and therefore could be read only through Vantage. Was this
> > true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
> > even if the payroll table is encrypted, this does nothing to protect labor
> > rate information that may be stored in tables related to job management.
> >
> > I welcome additional comments.
> >
> > Regards,
> > Scott
> >
> > -----Original Message-----
> > From: Joe Konecny [mailto:jkonecn@g...]
> > Sent: Thursday, February 22, 2001 8:19 AM
> > To: vantage@y...
> > Subject: Re: [Vantage] Vantage security and ODBC
> >
> > The whole database is wide open with ODBC including payroll. Also
> > consider that v5 installs odbc by default on each workstation
> > like it or not. All they need is the host name, database name
> > and the port number. That info is easy to get. So really any user
> > anywhere can use ODBC and get at payroll or any other table.
> >
> > That said... I'm very glad ODBC access is there and fortunately
> > none of our users know anything about ODBC.
> >
> > Troy Funte wrote:
> > >
> > > What I've heard on the list before, is that you want Access to have Read
> > > only links. Otherwise there is the risk of Access changing Vantage data in a
> > > compromising way - meaning there are no checks and balances and data could
> > > be corrupted. The SAFEST way to use Access is to import it from an exported
> > > file. By linking directly through ODBC, it would be hard, in my opinion to
> > > maintain any kind of security on the database. A user could corrupt the
> > > database, or have access to confidential information such as payroll stuff.
> > >
> > > I'm no expert, but these are some of the things I've heard. There are
> > > probably others on the list who could give you more detail.
> > >
> > > Troy Funte
> > > Liberty Electronics
> > > ----- Original Message -----
> > > From: Lepley, Scott A.
> > > To: Vantage YahooGroup (E-mail)
> > > Cc: O'Rourke, Kevin P.
> > > Sent: Wednesday, February 21, 2001 4:45 PM
> > > Subject: [Vantage] Vantage security and ODBC
> > >
> > > I'm sure this has been discussed previously, but I sure would appreciate it
> > > if some users would be willing to respond again regarding this issue.
> > >
> > > The situation here at this company is the following. The Customer Service
> > > Supervisor here is knowledgeable about databases. He is currently
> > > developing a customer service application in Microsoft Access and wishes to
> > > establish connections between Access and Vantage using ODBC functionality.
> > > I am the person responsible for coordinating the company's use of Vantage.
> > > I have no control over the application development. I am uncomfortable
> > > providing this functionality because of security concerns. As far as I
> > > know, if I implement ODBC, it will allow access to all of the Progress
> > > tables, except payroll, and thereby circumvent the access controls
> > > established in Vantage. Everything that I have been able to learn so far
> > > about this issue seems to confirm my concern. If my concern is legitimate,
> > > are there any ways to mitigate this security risk?
> > >
> > > Regards,
> > > Scott A. Lepley
> > > Systems Administrator
> > > Mauell Corporation
> > > 31 Old Cabin Hollow Road
> > > Dillsburg PA 17019-8815
> > > Phone: 717-432-8686, ext. 14
> > > Fax: 717-432-8688
> > > Email: sal@m...