I read somewhere that the Enterprise version of QB now uses SQL. Is it using SQL for all transactions? I am hoping to find a version that does not give individual users read write access to the Quickbooks data file through the Windows file system, and use of an SQL database process that runs separately from the user's Quickbooks process should allow for that .
How robust are the user controls in the Enterprise version?
Unless there has been a recent change of which I am not aware, QuickBooks uses a locked version of the Sybase SQLAnywhere database server -- since the 2006 version.
formatting link
The Intuit QB version is locked in the sense that there is no way to query it directly using SQL statements. All external access to the data has to go through the QB SDK.
As for Enterprise, I believe it's the same engine, just with less restrictions on list size and possible some performance enhancements
The question is whether the SQL server is running in a separate process space, or do individual users end up sharing a flat file that they all access read/write on the file system?
Running SQL in a separate process makes it possible to achieve a very good level of security. Running users with shared read/write access to a file on the file system makes security almost meaningless. A user could just copy the entire file and do with it what they like.
Your question was well stated the first time. I believe the database engine that comes with QB Enterprize does not have the level of security you are looking for. Perhaps those in this group that do Enterprize consulting can confirm this. When any of my clients or prospects outgrow QB Pro or Premium I always recomend they make the real move up to an actual mid-range product rather than QB on vitamins AKA Enterprize..
One more thing. If the database engine used by Enterprise had that security feature then I would assume that Intuit would tout it in their list of features.
They do it by advertising additional security controls for users. But what I am referring to is at a more technical level than I would expect a marketing brochure to discuss.
I've never heard of a shared SQL database using a flat file shared on the file system by all users having read/write access to that file. So getting confirmation of that from someone who is technical and who runs Enterprise Edition would be helpful.
QuickBooks no longer uses shared access to a single data file, with each user's copy of QB directly accessing the file -- which it did in version QB 2005 and earlier.
The data file is now a true database file which is only directly acted upon by a separate db server process, which fields SQL requests made by instances of QB.
However, even when setting up a hosting-only server, QB requires a share on the folder holding the data file with read-write access for any user that will be using any data files therein.
So, you are right that any of those users could make a copy of the data file.
My guess as to why Intuit does it this way is to maintain their paradigm of users opening a specific "company file" including the full path to the file, rather than just having the SQL database server provide a list of "company databases" as aliases to the actual files.
Although I agree this opens a possible security problem, what a user could actually do with the file deserves some discussion.
Before QB was moved to the Sybase database with version 2006, there were many ways to extract all data from a QB company data file without even having the password, which opened a serious security hole.
With the database format of version 2006 and later about the only thing that can be done is open it with QB, and of course be subject to the rights of whatever QB login. I have second-hand information that not only is the db server build for QB proprietary, but that the data is stored with strong encryption. I haven't seen any reports that the file has been cracked.
Some may look at it as a cost others an investment. In the past the loss of some features went hand-in-hand with moving up the software food chain. Today's mid-range offerings have come a long way. Very little if nothing at all is lost.
It seems to be some sort of a weird hybrid. Some stuff gets done using SQL queries and some doesn't. You must still share out the company file giving full access rights to the user accounts. So anyone who has access could easily copy the file onto a memory stick or whatever.
The sad part is that already have a version that only requires a web client. It is what they run on their online version. I think they are so focused on hosting stuff that they don't see the opportunity for users who have no interest in someone else holding their data.
BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.