
4. Enter the name Student1 for the Name, and enter a unique Personal ID of 1234.
(You can enter any appropriate information into these two fields, if you don't want
to use these example names.) Write this information down and store it in a safe
place; you will need it if you have to re-create the user in the workgroup.
5. Select OK to save the new user.
After you have created the new user, Student1, you can assign Group Memberships and/or a
password for the user. Notice that Student1 is automatically a member of the Users group.
Any new member must at least belong to this group. You can make Student1 a member of
the Admins group by simply selecting the Add button in the Group Membership section.
Part III ¦ Beyond Mastery: Initiative Within Office
532


Caution: To fully secure your database, you must remove all permissions for the Admin user, found
under the Tools ➪ Security ➪ User and Group Permissions menu. (Defining Group Permissions
is covered later in this chapter.) All Admin users share the same SID in all workgroups,
on all machines. If you don't remove the permissions for the Admin user, an unauthorized user
using a different workgroup can open the database as the Admin user with all permissions of
the Admin user. The Admin user can't be deleted, so the Admin user account needs to be
adjusted accordingly.

If you want to delete the user Student1 that you just created, follow these steps:
1. Select Tools ➪ Security ➪ User and Group Accounts to display the User and Group
Accounts dialog box.
2. From the User Name drop-down list, select the User Student1.
3. Click the Delete button to delete the selected user.

Creating and changing user passwords
Any user who is a member of the Admins group can remove a password from any user
account. A user who is not a member of the Admins group can change his or her own
password. However, a user who is not a member of the Admins group cannot change or
create a password for any other user.

When Access opens and a password has been assigned to any user, the Logon Dialog box
displays (refer back to Figure 22-7).

Caution: If no passwords are assigned to any of the users, however, Access will automatically open,
using the Admin user. This means that any additional users that you create in Security will not
be able to set a password. To correct this, you will need to create a password for the Admin
user. Then exit from Access and restart Access, logging on as the user whose password you
want to change.

To create or change the Admin password, follow these steps:
1. Open the database Chap34Start.mdb.
2. Select Tools ➪ Security ➪ User and Group Accounts.

Caution: Make sure that the user name selected is Admin (not Student1 that you created earlier).

3. Click the Change Logon Password tab (see Figure 22-14).
Chapter 22 ¦ Adding Security to Access Applications 533




Figure 22-14: The Change Logon Password tab of the User and Group Accounts dialog
box. Notice that the name is "Admin" and can't be changed.

4. Because no password has been assigned to Admin, leave the Old Password field
blank.

Tip: If you are logging on as the Admin user after you have assigned a password, or if a
password exists for the user that you logged on as, enter it in the Old Password field. If no
password is assigned to the user, leave the Old Password field blank.

5. Move to the New Password field and enter the new password Admin (or any other
password that you want to assign; remember that Access's security is case-
sensitive) in the New Password field. Access won't show you the word that you are
typing; rather, it shows an asterisk for each character that you type.
6. Move to the Verify field and enter the new password Admin again. (Again,
remember that Access's security is case-sensitive.) Each character is replaced with
an asterisk.
7. Click the Apply button to save the new password for the Admin user.
8. Click OK to close the User and Group Accounts dialog box.

Tip: After you have created a password for the user, you will have to exit from Access and restart
Access for the changes to take effect. Simply closing the database and opening it again won't
activate the security changes (such as assigning a password to Admin) that you made.

Tip: The Logon dialog box will not display if no passwords have been set for any users.


Tip: Users can't create or change passwords for other users, regardless of their permission settings.

Tip: Any user who is a member of Admins can clear the password of another user, so that user can
log on if he or she has forgotten his or her password.

To change another person's password, you will have to start Access and open the database
by logging on as the user whose password you want to change.

Working with groups
Groups are collections of users. A user may belong to one or more groups. You use groups
to organize multiple users together who will be granted the same object permission
privileges. You can then define object permissions to the group once, versus having to assign
them individually for each user. When you create a new user, you simply add the user to the
group that has the object permission privileges that the new user should have.
For example, you may have a number of users in a credit department and in a sales
department. If you want to allow all of these users to look at a customer's credit history but
restrict the sales staff to viewing only basic customer information, you have the following
options:
• Create an individual user account for each user in each department and assign object
permissions for each user.
• Allow all users in the credit department to log on as one user, and allow all users in
the sales department to log on as a different user. You can then restrict the object
permissions for each of these two users.
• Create an individual user account for each user in each department, and create a
group account for each department. You can then make the permissions assignments
for each of the two groups and place each user into his or her respective group to
inherit the group's permissions.
Although creating a unique user account and assigning specific permissions to each user is a
valid scenario, it is an administrator's nightmare. If policy dictates that one of the
departments needs to have permissions added or revoked, the change has to be made to each
of the users' accounts in that department.
The second method is straightforward and simple but presents many problems. If a user
transfers from one department to another, he knows the user names and passwords for both
departments and may be able to retrieve data that he is no longer authorized to view. In
addition, if an employee leaves, the user name and password need to be changed, and each
user of the workgroup has to be made aware of the change. In a multi-user environment,
creating a unique user account for each user and then grouping them accordingly is a much
better solution.
With the third option, the change can be made to the department group once, and all users
inherit the new permission settings.


Adding and deleting groups
Just as Access automatically creates an Admin user in all new workgroups, it also
automatically creates two groups: Users and Admins. Every user account in the system
belongs to the Users group; you can't remove a user from the Users group. The Admins
group is the all-powerful, super-user group. Users of the Admins group have the ability to
add and delete user and group accounts, as well as to assign and remove permissions for any
object for any user or group in the workgroup. In addition, a member of the Admins group
has the ability to remove other user accounts from the Admins group. For this reason, you
need to carefully consider which users you allow to be a member of the Admins group. The
Admins group and the Users group are permanent groups; they can never be deleted.

Tip: Access doesn't enable you to remove all users from the Admins group; one user must belong to
the Admins group at all times (the default is the user named Admin). If you were allowed to
remove all users from the Admins group, you could set up security so tight that you would never
be able to bypass it yourself! In general, when securing a database, you should place only one
user and one backup user in the Admins group.


Note: Unlike the Admin user's SID, which is identical in every Access workgroup, the Admins group's
SIDs are not identical from workgroup to workgroup, so unauthorized users using a workgroup
other than the one that you used to define security can't access your database as a member of
the Admins group. The Users group's SIDs are the same throughout all workgroups, however,
so you need to remove all permissions for the Users group. If you don't remove permissions
from the Users group, any user in any workgroup can open your database with the Users
group's permissions.

To create a new group named Sales, follow these steps:
1. Open Access and then open the Chap34Start.mdb database and log in with the
Admin user name and Admin password. Then select Tools ➪ Security ➪ User and
Group Accounts to display the User and Group Accounts dialog box.
2. Select the Groups tab.
3. Select the New button to display the New User/Group dialog box (see Figure 22-15).




Figure 22-15: Jet uses the group name and personal identifier to create a unique SID for
a group, just as it does for user accounts.

4. Just as you do to create users, enter the group name Sales and a personal ID of
Dept405. (If you aren't following along with this example, you can enter your own
group name and personal ID.) Also, just as before, write down this information and
put it in a safe place because you will need it if you ever need to re-create the group.
5. Select OK to save the new group.
6. After this is complete, you can select OK in the User and Group Accounts dialog
box to save your work.
If, at a later time, you want to delete the Sales group that you just created, follow these steps:
1. Select Tools ➪ Security ➪ User and Group Accounts to display the User and
Group Accounts dialog box.
2. Select the Groups tab (refer to Figure 22-15).
3. From the drop-down list, select the Sales group to delete.
4. Select the Delete button to delete the selected group.

Assigning and removing group members
Assigning users to and removing users from groups is a simple process. You use the Users
tab on the User and Group Accounts dialog box to add to and remove users from a group.
You may place any user in any group, and a user may belong to more than one group. You
cannot remove a user from the Users group nor can you remove all users from the Admins
group; you must always have at least one user in the Admins group.
To add the user Student1 to the new group Sales, follow these steps:
1. Open Chap34Start. Select Tools ➪ Security ➪ User and Group Accounts to display
the User and Group Accounts dialog box.

2. From the User Name drop-down list, select the user Student1 to modify her group
assignments.
3. To assign the user Student1 to the group Sales, select the Sales group in the
Available Groups list and select the Add button (see Figure 22-16). The Sales group
displays in the Member Of list.




Figure 22-16: Assigning users to groups makes controlling object permissions much
easier for the system administrator.

4. Select OK to save the new group assignments.
To remove the user Student1 from the group Sales, follow these steps:
1. Select Tools ➪ Security ➪ User and Group Accounts to display the User and Group
Accounts dialog box.

Caution: Make sure that the user name selected is Student1 (not Admin).

2. Select the group Sales in the Member Of list and select the Remove button. The
Sales group no longer displays in the Member Of list.
3. Select OK to save the new group assignments.
4. Because Jet uses the same SIDs for all Admin user accounts throughout all
workgroups, you always need to remove the Admin user from the Admins group
when securing a database. Figure 22-16 shows that the user Student1 has been added
to the Sales group. Notice that Student1 is a member of two groups: Users and Sales.
Before leaving this section, assign Student1 to the Admins group so that you can use
this example later in this chapter.
The only remaining task is to set the appropriate object permissions for the Users and Sales
groups.


Securing objects by using permissions
After you have defined your users and groups, you must determine the appropriate object
permissions for each group. Permissions control who can view data, update data, add data,
and work with objects in Design view. Permissions are the heart of the Jet security system
and can be set only by a member of the Admins group, by the owner of the object (see the
next section), or by any user who has Administrator permission for an object.

Setting an object's owner
Every object in the database has an owner. The owner is a user account in the workgroup
that is designated to always have Administrator rights to the object. Administrator rights
override the permissions defined for the logged-on user or defined for any of the user's
groups. You can designate one user to be the owner of all the objects in a database, or you
can assign an owner to individual objects.
Access queries require special consideration when assigning owners to objects. When
creating a query, you can set the Run Permissions property of the query to either User's or
Owner's (see Figure 22-17). When a password is defined for a workgroup, Run Permissions
is automatically set to User's. Setting Run Permissions to User's limits the users of the query
to viewing only the data that their security permissions permit. If you want to enable users to
view or modify data for which they do not have permissions, you can set the Run
Permissions property to Owner's. When the query is run with the Owner's permissions
(WITH OWNERACCESS OPTION in an SQL statement), users inherit the permissions of
the owner of the query. These permissions are applicable only to the query and not to the
entire database.




Figure 22-17: Setting a query's Run Permissions determines which users can run the
query or modify the query.


Tip: When a query's Run Permissions property is set to Owner's, only the owner can make changes
to the query. If this restriction poses a problem, you may want to set the owner of the query to a
group rather than to a user account. Note that only the owner of an OwnerAccess query can
change the query's owner.

Note: If you haven't assigned passwords to Admin or other users, the user is automatically assumed
to be Admin and the query's Run Permissions property is set to Owner's.

To change the owner of any object in the database, follow these steps:
1. Select Tools ➪ Security ➪ User and Group Permissions to display the User and Group
Permissions dialog box.
2. Select the Change Owner tab (see Figure 22-18).




Figure 22-18: Transferring ownership of one or more tables from the Admin user to the
Sales group.

3. Select the object (or objects) whose ownership you want to transfer. You can select
the type of objects to display by changing the Object Type field.
4. Select the user or group that you want to make the owner of the selected object. To
select a group name, first select the List: Groups radio button.
5. Select the Change Owner button to change the object's owner to the selected
user or group.



Note: Each object in a database has an owner. The database itself also has an owner. You can
view the owner of the database by selecting Database from the Object Type drop-down list.
You can't change the database's owner by using Access's interface. The only way to change a
database's owner is to log on as the user that you want to make the owner of the database,
create a new database, and then import the original database into the new database by
using the File ➪ Get External Data ➪ Import menu option. When you import a database, the
current user is assigned as the new owner of the database and all of its database objects.
This is essentially what the Security Wizard (discussed later in this chapter) does for you.

Setting object permissions
Object permissions are the heart of Jet security. You can set one or more object
permissions at a time for a user or group. When assigning permissions, you must keep in
mind that some permissions automatically imply other permissions. For example, if you
assign a user Read Data permission for a table, the Read Design permission is also granted
because a table™s design must be available to access the data. A more complex example is
assigning permission for Insert Data; this automatically grants permission for Read Data
and Read Design.
An object's permission assignments are persistent until one of the following conditions
occurs:
• A member of the Admins group changes the object's permissions.
• The object is saved with a new name by using the Save As command from the File
menu.
• The object is cut and pasted in the Database window.
• The object is imported or exported.
If any of the preceding actions occurs, all permissions for the manipulated object are lost
and you will need to reassign them. When you perform any of these actions, you are actually
creating a new object. Access assigns default permissions for each object type.
There are two ways that permissions can be granted to a user:
• Explicit permissions are permissions that are granted directly to a user. When you
manually assign a permission to a user, no other user's permissions are affected.
• Implicit permissions are permissions that are granted to a group. All users belonging
to a group inherit the permissions of that group.


Note: Because permissions can be assigned implicitly and because some permissions grant
other permissions (Insert Data, Read Data, and Read Design permissions), users may be
able to grant themselves permissions that they do not currently have. Because of this
possibility, you must plan carefully when assigning permissions to groups of users and to
individual users.

To assign or revoke a user™s permissions for an object, follow these steps:
1. Select Tools ➪ Security ➪ User and Group Permissions to display the User and
Group Permissions dialog box. Select the Permissions tab.
2. In the Object Type drop-down list, select the type of object whose permissions you
want to change.
3. In the User/Group Name list box, select the user or group account that you want to
modify. To see a list of all Groups, click the List: radio button in the Name section.
4. In the Object Name list box, select the object (or objects) that you want to modify.
5. In the Permissions grouping section, select or unselect the permissions check boxes
for the object(s).
6. Select Apply to save the permission assignments.
Remember that Admin user SIDs are identical throughout all workgroups. So after you
assign Administer permissions to a specific user, you need to remove all permissions for the
Admin user in order to secure your database. Figure 22-19 shows the Admin user's
permissions being revoked for all tables in the database. Notice that all checkboxes have
been cleared for all tables. Clearing the checkboxes prevents an Admin user from doing
anything with table objects. You must repeat the process for each Object type until the
Admin user has no permissions for any object.




Figure 22-19: Removing all permissions for the Admin user is critical
to securing your database.
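To make the rules of this section concrete, here is an added Python model (not code from the book or from Access) of the implied permissions, the explicit-versus-implicit rule, who may set permissions, and the checks a secured database should pass (no Admin-user or Users-group permissions left, Admin out of Admins, at most one user plus one backup in Admins). The class names, permission strings, the Backup user and the Customers table are assumptions made for the example.

```python
"""Model of the Jet permission rules this chapter describes (added example, not
the book's or Access's code); class names, permission strings and data are constructed."""
from dataclasses import dataclass, field

# Implied permissions named in the chapter: granting the key also grants the values.
IMPLIES = {"Read Data": {"Read Design"},
           "Insert Data": {"Read Data", "Read Design"}}

def expand(perms):
    """Close a permission set under IMPLIES (Insert Data -> Read Data -> Read Design)."""
    result, pending = set(perms), list(perms)
    while pending:
        for implied in IMPLIES.get(pending.pop(), set()) - result:
            result.add(implied)
            pending.append(implied)
    return result

@dataclass
class Workgroup:
    members: dict                                  # group -> set of user names
    explicit: dict = field(default_factory=dict)   # (user, object) -> permissions
    implicit: dict = field(default_factory=dict)   # (group, object) -> permissions
    owner: dict = field(default_factory=dict)      # object -> owning user or group

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def effective(self, user, obj):
        """Explicit permissions plus those inherited from every group, then expanded."""
        perms = set(self.explicit.get((user, obj), ()))
        for group in self.groups_of(user):
            perms |= self.implicit.get((group, obj), set())
        return expand(perms)

    def can_set_permissions(self, user, obj):
        """Only Admins members, the owner, or a holder of Administer may set permissions."""
        owner = self.owner.get(obj)
        return (user in self.members["Admins"]
                or owner == user or owner in self.groups_of(user)
                or "Administer" in self.effective(user, obj))

    def audit(self):
        """Findings a secured database must not have (Admin and Users share SIDs)."""
        findings = []
        if "Admin" in self.members["Admins"]:
            findings.append("Admin user is still a member of Admins")
        if len(self.members["Admins"]) > 2:
            findings.append("Admins holds more than one user plus one backup")
        findings += [f"Admin user still has {sorted(p)} on {o}"
                     for (u, o), p in self.explicit.items() if u == "Admin" and p]
        findings += [f"{o} is still owned by the Admin user"
                     for o, own in self.owner.items() if own == "Admin"]
        findings += [f"Users group still has {sorted(p)} on {o}"
                     for (g, o), p in self.implicit.items() if g == "Users" and p]
        return findings

# Constructed sample: Student1 is in Users, Admins and Sales; Users still has Read Data.
WG = Workgroup(
    members={"Users": {"Admin", "Student1", "Backup"},
             "Admins": {"Student1", "Backup"}, "Sales": {"Student1"}},
    explicit={("Admin", "Customers"): set()},
    implicit={("Sales", "Customers"): {"Insert Data"},
              ("Users", "Customers"): {"Read Data"}},
    owner={"Customers": "Sales"},
)
```

Running `WG.audit()` on the sample reports only the leftover Users-group permission on Customers, the exact hole the Note above warns about; `WG.effective("Student1", "Customers")` shows Insert Data pulling in Read Data and Read Design through the Sales group.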


Setting default object permissions
You can create default permission assignments for each type of object in a database. These
default permissions are assigned when you create new objects in the database. You set the
default permissions just as you set them for any other object™s permissions. You select the
user or group to assign the default permissions, but you do not select a specific object name.
Instead, select the first item in the Object Name list that is enclosed in <> and begins with
“New.” When you select the Object Type Table, for example, you select <New Tables/
Queries> in the Object Name list. When you assign permissions for users and groups to
these <New> items, the permissions are used as defaults for all new objects of that type.

Caution: When removing default permissions for table objects, make sure that users have the necessary
permissions to create new tables. Otherwise, users will not be able to execute make-table
queries.

Setting database permissions
Just as objects in a database have permissions, the database itself also has its own permis-
sions. Selecting Database from the Object Type drop-down list will display the database
permissions that can be modified (see Figure 22-20). The database permissions enable you
to control who has administrative rights to the entire database, who can open the database
exclusively (locking out other users), and who can open or run the database.




Figure 22-20: Assigning permissions for the entire database.


Securing your database for distribution: A basic approach
If you are securing a database for distribution, setting up detailed security for multiple users
for all the objects in your database may not be important to you. Often, the only concern
with shipping a secured database is protecting your development investment by securing the
design of the application's objects and code. If you need this type of protection, you can
distribute your application as an .MDE file (see the section “Protecting Visual Basic Code”).

Another method is to follow these steps:
1. Create a workgroup to distribute with your database.
