Vantage security and ODBC

I'm still debating the upgrade to 5.0, but it still seems to me that the
ODBC drivers would have to be configured on each workstation. There has to
be some way to control their use through policies or something.

-----Original Message-----
From: Dina Hieber [mailto:dhieber@...]
Sent: Thursday, February 22, 2001 12:43 PM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC


Brian,

If I read correctly, the ODBC in emanufacturing version 5.0 is automatically
installed on your client. You do not have a choice. I have not verified
this. But can someone running 5.0 verify? - If this is the case I will think
twice about going live with 5.0 until there is better security.

Best Regards,
Dina

Brian Davis wrote:

> In my estimation, it's my responsibility (not Epicor's) to make sure the
> system is not wide open to the users. They have implemented their own
> security in their own application, and provided the necessary tools to
> administer it from an IS/IT admin. We (their customers) have demanded the
> ability to access the data via ODBC. Maybe we should be careful what we ask
> for. After all, it's up to us to either install or not install the drivers
> on the workstations. In Scott's case, I understand that the company is
> pushing it on him. But isn't this a management responsibility within his
> company, and not really reflective of Epicor?
>
> -----Original Message-----
> From: Ted Kitch [mailto:ted@...]
> Sent: Thursday, February 22, 2001 7:32 AM
> To: 'vantage@yahoogroups.com'
> Subject: RE: [Vantage] Vantage security and ODBC
>
> There really isn't a lot that can be done regarding security using ODBC.
> ODBC was set up to use the database security of the DBMS itself. Here is a
> KB article from Progress regarding security -
> http://www.progress.com/services/support/cgi-bin/techweb-kbase.cgi/webkb.html?kbid=14081
> Epicor uses their own security in Vantage. I believe that
> you could implement Progress database security, but then everyone would have
> to log on twice to access Vantage, once into Progress and once into Vantage.
>
>
> The payroll tables are not accessible via ODBC in v4. I haven't tried this
> with v5 yet. I view it just a little irresponsible, on Epicor's part, to
> leave a corporate wide system wide open like this. Nothing gets the blood
> boiling like everyone in the company finding out where the money goes and
> who gets how much of it.
>
> Ted Kitch
> ted@...
>
> -----Original Message-----
> From: Lepley, Scott A. [mailto:sal@...]
> Sent: Thursday, February 22, 2001 7:59 AM
> To: 'vantage@yahoogroups.com'
> Subject: RE: [Vantage] Vantage security and ODBC
>
> Thanks for the reply, Joe. I should have mentioned that we are using
> version 3.00.632. Regarding payroll, I understood that the payroll table
> was encrypted and therefore could be read only through Vantage. Was this
> true in ver. 3 and now isn't in ver. 5? Additionally, I understand that,
> even if the payroll table is encrypted, this does nothing to protect labor
> rate information that may be stored in tables related to job management.
>
> I welcome additional comments.
>
> Regards,
> Scott
>
> -----Original Message-----
> From: Joe Konecny [mailto:jkonecn@...]
> Sent: Thursday, February 22, 2001 8:19 AM
> To: vantage@yahoogroups.com
> Subject: Re: [Vantage] Vantage security and ODBC
>
> The whole database is wide open with ODBC including payroll. Also
> consider that v5 installs odbc by default on each workstation
> like it or not. All they need is the host name, database name
> and the port number. That info is easy to get. So really any user
> anywhere can use ODBC and get at payroll or any other table.
>
> That said... I'm very glad ODBC access is there and fortunately
> none of our users know anything about ODBC.
>
> Troy Funte wrote:
> >
> > What I've heard on the list before, is that you want Access to have Read
> > only links. Otherwise there is the risk of Access changing Vantage data in a
> > compromising way - meaning there are no checks and balances and data could
> > be corrupted. The SAFEST way to use Access is to import it from an exported
> > file. By linking directly through ODBC, it would be hard, in my opinion, to
> > maintain any kind of security on the database. A user could corrupt the
> > database, or have access to confidential information such as payroll stuff.
> >
> > I'm no expert, but these are some of the things I've heard. There are
> > probably others on the list who could give you more detail.
> >
> > Troy Funte
> > Liberty Electronics
> > ----- Original Message -----
> > From: Lepley, Scott A.
> > To: Vantage YahooGroup (E-mail)
> > Cc: O'Rourke, Kevin P.
> > Sent: Wednesday, February 21, 2001 4:45 PM
> > Subject: [Vantage] Vantage security and ODBC
> >
> > I'm sure this has been discussed previously, but I sure would appreciate it
> > if some users would be willing to respond again regarding this issue.
> >
> > The situation here at this company is the following. The Customer Service
> > Supervisor here is knowledgeable about databases. He is currently
> > developing a customer service application in Microsoft Access and wishes to
> > establish connections between Access and Vantage using ODBC functionality.
> > I am the person responsible for coordinating the company's use of Vantage.
> > I have no control over the application development. I am uncomfortable
> > providing this functionality because of security concerns. As far as I
> > know, if I implement ODBC, it will allow access to all of the Progress
> > tables, except payroll, and thereby circumvent the access controls
> > established in Vantage. Everything that I have been able to learn so far
> > about this issue seems to confirm my concern. If my concern is legitimate,
> > are there any ways to mitigate this security risk?
> >
> > Regards,
> > Scott A. Lepley
> > Systems Administrator
> > Mauell Corporation
> > 31 Old Cabin Hollow Road
> > Dillsburg PA 17019-8815
> > Phone: 717-432-8686, ext. 14
> > Fax: 717-432-8688
> > Email: sal@...
> >
> > [Non-text portions of this message have been removed]
> >
> > To unsubscribe from this group, send an email to:
> > vantage-unsubscribe@egroups.com
> >
> > Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.
At 03:02 PM 2/22/2001 , you wrote:
>As Scott says below, labor rates are available from the EMPBASIC
>table using ODBC. I have not tried to update tables via Microsoft
>Access, but I have tried to update them via Visual Basic, and the
>call fails. According to Epicor tech support, there are triggers
>which prevent table updates unless certain conditions are met, but

This is one of the most aggravating parts of the whole ODBC security
hole! Before purchasing it, I wanted to use it to directly update a few
tables. In order to clean up some garbage data that was stuck in a few
places. No can do... Access protested the I/O failed because there was a
write trigger on that particular table.

BUT... no trigger, and you can use Access, VB or whatever and easily
update the data. Also easily corrupt it in a lot of places!

Great example: in Access, link the Vantage UserFile into a blank
database. Double click on it; it opens in a nice spreadsheet-like
format. Find your userid, then go to the SecurityMgr column and enter 1
(or maybe it wants -1) Tada! You now have full priv's in Vantage.

If you look in \Vantage\DB\Trg\{table_name} you can see which tables have
triggers for the various actions.

-Wayne

ODBC does not cause triggers to fire. As far as I know, Vantage
does not have the sql92 triggers.

This is from someone who knows more than I do...
--------
The 4GL triggers only fire from 4gl runtime access.
You must create sql-92 triggers in sql-92/java, load them into the
progress database via sql-92 explorer and then those sql triggers will
fire upon odbc access.
--------



I verified this, and yes, you can access the ENTIRE database via
whatever means you want, and change the data... Just like Wayne said.
This is *VERY* disheartening. I was able to change a normal user to
full MANAGER status without so much as Admin privileges. And ANYONE
could set up an ODBC connector from their machine and connect
to the database. EPICOR better get their *&^% together. Is there a
way to put a DIFFERENT password on the sysprogress account, or are
we just stuck with that (blank I mean)?

Corbett Lashbrook

Thanks, Rick. I'm sorry for not replying sooner, I've been detained by
"issues". Regrettably, I believe the scenario you described will become
reality here, if indeed it hasn't already.

Having the supervisor map the fields that he wishes to access does not help
me resolve the potential security breach, because he is the person
developing the application, not me. Even if he would provide this map, I
would not be able to stop him from accessing other fields after installing
ODBC.

Regards,
Scott

-----Original Message-----
From: Rick Gors [mailto:rgors@...]
Sent: Thursday, February 22, 2001 9:16 AM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC

Scott:

I feel for you big time! I hate it when someone "knowledgeable" gets these
great ideas, especially when they get management behind them on this "great
new thinking". If you balk, you're perceived as "not a team player".

I would have this person map exactly what data they need access (no pun) to
and determine if there is a problem to grant this. There is NO WAY IN HECK I
would let this person upload one iota of data into my database! You may have
to make a stand here.

But if the data is relatively harmless (shipment history, lead times, etc.)
then perhaps let this person make his database.

Good luck to you!

Rick Gors
MR/MMIS
Osco

That's a good point, Troy. One outcome of the issue being raised here has
been my recognition of the security holes I've created by installing Report
Builder for various users. I plan to remove Report Builder where necessary.

How would you prevent a user from installing or re-installing Report
Builder?

Regards,
Scott

-----Original Message-----
From: Troy Funte [mailto:tfunte@...]
Sent: Thursday, February 22, 2001 12:22 PM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Vantage security and ODBC

Incidentally, any user who knows how to create a shortcut could, in theory,
install report builder on their machine and run it too.

So using Access, although a potential time-bomb, relies on the ignorance of
the general user. It is the rogue programmer-in-disguise-as-an-engineer
that will give you headaches.

Troy
----- Original Message -----
From: Lepley, Scott A.
To: 'vantage@yahoogroups.com'
Sent: Thursday, February 22, 2001 5:46 AM
Subject: RE: [Vantage] Vantage security and ODBC


Thanks for the reply, Troy. I understand that allowing data input via ODBC
would or could bypass validation routines and thereby corrupt the database.
That type of access is already ruled out in my opinion. However, even if
the ODBC link were limited to read-only, that doesn't alleviate my concern.
My concern is regarding just that ability, that of the Access application
users being able to read the data. It appears that ODBC would allow them to
see virtually any data, whether they needed to see it or not. If it were
acceptable for these users to see all data, I would simply install Report
Builder on their machines to let them access the data that way.
Scott,
I'm sorry, I don't have an answer to that question.

Troy Funte
Liberty Electronics
----- Original Message -----
From: Lepley, Scott A.
To: 'vantage@yahoogroups.com'
Sent: Thursday, February 22, 2001 3:49 PM
Subject: RE: [Vantage] Vantage security and ODBC


Scott - I too am having these issues. I am thinking that the best way for
us to handle is creating a data download area for Vantage data so that I
can control access to this area through NT permissions. I feel that I will
still have the control that I need and other applications like Crystal,
Access, and Excel can be used. I am still working on the reverse/upload
into Vantage yet. I may be forced to do some custom programming to be able
to pull/push information back into Vantage.

Les Hanson - MIS Mgr
Aqua-Aerobic Systems, Inc.

