Re: Strange behaviour
Here's an odd one. We've been looking at permissions today (of which more elsewhere) and as a test, I restricted access to all surveys except one for one of our volunteers (we wanted to see how the new survey restriction facility works).
I then logged off Recorder (but not Windows) and logged back on to Recorder using the volunteer's login (his personal Recorder user login). There was no change; he could still see all the surveys.
We tried logging onto my machine with someone else's Windows login and the volunteer's Recorder login, and the restriction worked. We tried on another machine with someone else's Windows login and the volunteer's Recorder login, and the restriction worked. Then we tried on the second machine with my Windows login and the volunteer's Recorder login, and again the restriction worked.
So to summarise, the survey restriction works for that volunteer in all circumstances except when he is using my machine on my Windows login, when he can see all surveys (his access level is restricted correctly, however).
I should mention that I installed Recorder in the first place, am the database owner and have full system administrator access privileges to the SQL Server.
This raises an important point (beyond the obvious problem with the new survey restriction facility): it is very bad practice to allow a user to use a Windows login other than his own (we do have a generic volunteer Windows login, but we do not allow this login access to Recorder).
Furthermore, the relationship between the Windows login and the Recorder login is complex and difficult to manipulate, because the various Recorder access levels determine which SQL Server database role the Windows login is added to (e.g. a Recorder user with Full edit access will have their Windows login added to the SQL Server R2k_FullEdit role), which determines what type of access (Insert, Update, Delete etc.) they have to the various tables and other objects in the database. Yet it is perfectly possible for any user to log onto Recorder whilst logged onto Windows under someone else's login.
This looks to me like a serious security risk which makes a mockery of the various Recorder access levels. Inspection of the USER table shows that there is no direct link between a Recorder user and their Windows login (but the Windows login determines at least partially what they can do to the database). Or am I missing something?
Some at least of the Recorder security seems to be coded into the software itself (since there is no SQL Server role called R2k_FullEdit_owndataonly) and the survey restriction facility must fall into this category.
So the question is how tight is the security?
Wildlife Sites Officer
Wiltshire & Swindon Biological Records Centre
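
An added example, not part of the original post and not Recorder's own code: two T-SQL audit queries that show which identity the database sees for a connection and which principals hold the R2k_ roles mentioned above. It assumes SQL Server 2005 or later (for the sys catalog views) and that it is run in the Recorder database, whose name is site-specific.

```sql
-- Added example; assumes SQL Server 2005+ and a connection to the
-- Recorder database (name not given in the post).

-- 1. The identity SQL Server sees for the current connection.
--    Run once under each Windows login being compared.
SELECT
    SUSER_SNAME()                AS server_login,    -- Windows or SQL login
    USER_NAME()                  AS database_user,   -- 'dbo' for the owner and for sysadmins
    IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,     -- 1 = yes, 0 = no
    IS_MEMBER('db_owner')        AS is_db_owner;     -- 1 = yes, 0 = no

-- 2. Membership of every database role whose name starts with R2k_
--    (the prefix seen in the post, e.g. R2k_FullEdit).
SELECT
    r.name      AS role_name,
    m.name      AS member_name,
    m.type_desc AS member_type     -- WINDOWS_USER, WINDOWS_GROUP, SQL_USER, ...
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.type = 'R'                 -- database roles only
  AND r.name LIKE 'R2k[_]%'        -- [_] matches a literal underscore
ORDER BY r.name, m.name;
```

Comparing the first result across Windows logins shows what the database layer can enforce for each one; the Recorder user login appears in neither result set.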