Hi Hilmar,
SNIP
>So, you would basically recommend an approach based on login+password, and user rights, right?
More than that. I guess this stems from my years as an Information Security Manager. The security should be managed at all levels: physical, OS, application, etc. With business apps that require a level of classification, in effect, there is the physical security (which he does not have because the office is not secure, they just don't go in there) and which entails much more in secure sites including the cabling, routers, etc.; then the OS security which entails authentication and user rights to folders and files (requires working with the network administrator) to avoid backdoor access to the files themselves let alone the app; and then application-level security which entails the login/password to the application itself. There is more but this suffices for this purpose I think. The benefit of levels 2 and 3 of course is that the manager can reliably access the application from any location. Level 1 (physical security) is required when the manager should only be allowed to access the app from one physical location (which is the case in many classified sites and also when corporate espionage is a concern). Once you think like a security analyst it is hard to stop. :o)
Tracy
"When the debate is lost, slander becomes the tool of the loser." - Socrates
Vita contingit, Vive cum eo. (Life Happens, Live With it.)
"Life is not measured by the number of breaths we take, but by the moments that take our breath away." -- author unknown
"De omnibus dubitandum"