Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

password protected code

Status
Not open for further replies.
diwin

diwin

Technical User
Nov 29, 2002
218
CA
I have a dilemma about securing VBA code in an Access database application.

I am a self-taught, amateur MS Access VBA coder. I created a custom app for a local foundation to manage their donations while on a "work experience" placement while unemployed. It is substantial is size and utility (74 tables, 191 queries, 165 forms, 31 reports, 8 class modules, reams of code behind forms). Now that it is finished, I have pledged to provide necessary support on a voluntary basis.

The Director of Finance would like me to provide the password for the VBA code, "in case something happens to me". I don't know if I ought to give it to him.

One of the functions of the application is to prevent issuing bogus receipts. Problems had arisen in their pre-digital past that were difficult to resolve when duplicate receipts had been mistakenly issued. They had also lost the ability to determine which donors belonged in honor roll categories.

One of the strengths of the database is the reporting feature that notifies the Director of Finance by email of any deletions, changes to donations and reprinting of receipts.

So, does the organization, or specifically the Director of Finance, have a right to get that password? Should I not keep it from him as a requirement to protect the validity of the reporting feature? Can I provide a third party with the password and the obligation to use it as required -- but not more, and only in the case of my incapacity to provide support?

Who owns the code? Who has access to the code? Who "inherits" the code?

Your input or ideas are very welcome.



Daniel Dillon
O o . (<--- brain shrinking at rate shown.)
 
Sort by date Sort by votes
You may find in useful to post in either or both of these fora:
Information Technology Ethics in the Workplace Forum
forum717
Information Security Group Forum
forum1117
 
Upvote 0 Downvote
Given that you didn't (I gather) charge them for your efforts, it does sound like you are the owner of the code.

The questions for me are

- Are you hesitant because of possible unauthorized use of the code?

OR

- Are you concerned that someone else may make inappropriate changes to the system that you developed?

If it's the first one then you are essentially defending an intellectual property right and my position on that would be to say that use of the system is free but ownership is not. If you want the code then you have to pay for it.

If it's the second then my position would be that if I supply the password then all bets are off with respect to my support of the system. You cannot effectively support a system when there is the possibility that it is being modified by persons and in ways unknown to you.

A fairly usual industry practice in these cases is to place the password (or possibly the entire application) in a secure location (a safety deposit box for example) with instructions to the institution that the contents are to be delivered to the CFO of the organization either upon your instructions or your death, dismemberment, etc. Usually the organization that wants the protection bears the cost of any such third-party protection.

All this really comes down to the fact that, even for no-charge projects, there should be a written up-front agreement about what everyone involved is expected to do and what their responsibilities are.
 
Upvote 0 Downvote
Dear DiWin,

You have quite a problem here.

Couple of questions/points for you.

1) Did you charge and get paid for the program?
If so, then unless specified in a contract, email or fax, I would assume the client owns the source code. If it was a donation on your part, then you own the code. If you brought some prevously developed routines to the program, then you own that part. If the client provided some type of key knowledge (Unique and unknow by the general public) about the program function, they might those rights.

2) If you must provide the password, then make sure the company sends an email or letter stating that you are not responsible for any errors or problems once the password has been provided.

3) Moving forward, it is always best to have an agreement stating who owns what and what is allowed to be done by both parties with the program and the code.

4) If you are getting paid for maintenance, and someone does mess up your VBA code, well that could generate more support revenue for you.

5) It does make sense for both of you to have a third party, such as a lawyer, be brought in to hold the password incase you do become 'un-available' Note: make sure it is clearly stated what 'un-available' means in some type of legal document.

Good Luck,
Hap...


Access Developer [pc] Access based Add-on Solutions
Access Consultants forum
 
Upvote 0 Downvote
Thanks folks! Good reading.
My thoughts after reading all your replies...

I got paid for the work. I am sure they own the application. I am not interested in seeking payment for support, but would indicate that payment is deserved if the support is required due to someone else's errors.

I am interested in donation records being managed correctly.

I wonder who is responsible for (i.e. who gets to dictate) security measures for the business rules that are in the VBA code.

My idea is this: If any staff, even the Finance Director, have access to the code, then there is no safeguard against staff producing bogus records that are not reported. The effort I put into producing an application that forces honest accounting would be wasted as soon as someone in the organization gets the password to the VBA code.

If I can provide a mechanism to make the password available in the event that I become unavailable, the organization would have two benefits:

1)The assurance that the VBA code is still accessible
2)They would still be able to boast that their donation records are genuine and complete.

If I give them the code, they only get benefit 1).



Daniel Dillon
O o . (<--- brain shrinking at rate shown.)
 
Upvote 0 Downvote
If they paid for it, then they own the code and you should give it to them (unless your contract specifically said that you own the code).

diwin said:
I wonder who is responsible for (i.e. who gets to dictate) security measures for the business rules that are in the VBA code.
Click to expand...
They do - they are the client, they make the rules. Just make sure it is written and signed by them.

BTW, I would not make any claims if I were you about the security of the database. Access is notoriously easy to hack. The strongest wording I would use is "if properly used without malicious intentions, the program enforces business rules that make the records genuine and complete".

Be careful of what obligations you agree to for supporting the code. Make it clear that it only covers the version that you release to them. Any changes done by others means you get to choose the terms, including whether you want to support it at all (if someone made a real mess out of it, it may not be worth trying to fix).

Regarding the two "benefits", you can not really enforce what they boast about the application. They can say whatever they want about it. Just make sure that you have clearly documented what you guarantee about the application, and that the guarantee is voided if they tamper with the code base you provide them. That protects you if they introduce a flaw and try to pass the blame onto you.

 
Upvote 0 Downvote
Dear Diwin,

I agree with JoeAtWork, they seem to own the code.

I might suggest:
1) Change the password to a new password.
2) Now, compile the mdb to an mde file.
3) Then, give them the mdb, the mde and the new password.
Note: You may want to burn a CD version to freeze in time what you have given them. Make yourself a copy also.
4) Document that they should only run the compiled mde version.
5) Get a receipt acknowledging that they received and understood your instructions.

The VBA code will not be available to the general user base and only the person who received the code and password will have the resposibility in the future.

Good Luck,
Hap...

Access Developer [pc] Access based Add-on Solutions
Access Consultants forum
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ameedoo3000
  • Locked
  • Question
format partition by vba code
Replies
6
Views
727
mattKnight
mattKnight
cimoli
  • Locked
  • Question
Best password method with time factor
Replies
3
Views
285
cimoli
cimoli
qqp
  • Locked
  • Question
Need my msgbox that warns user of missing criteria to stop the rest of the code from running
Replies
2
Views
239
Andrzejek
Andrzejek
lameid
  • Locked
  • Question
Output to PDF - Adobe Protected mode error
Replies
0
Views
113
lameid
lameid
hudsma1
  • Locked
  • Question
how to make field value start with area code
Replies
2
Views
202
zandsc1
zandsc1

Part and Inventory Search

Sponsor

Back
Top