Access includes an advanced form of user security that is based on essentially the same concepts used in protecting computer networks: users and groups. You can define users, organize those users into groups, and then assign different permissions to the groups.
Microsoft refers to this approach to security as user-level security. In reality, this type of security is built in to Access and turned on all the time. You may not realize it, of course, because everyone starts out as an Administrator, able to do anything in Access. When you fully implement user-level security, you are simply "demoting" certain users from their original Administrator status to a regular user status, and limiting what they can do in the databases to which they have access.
When you use user-level security, you have complete control over who has access to not only databases, but also individual objects within a database. Users are required to supply both a user name and password to access information. The simplicity or complexity of the security system is left entirely up to you.
Note: User-level security is typically set up on a company-wide level. If your company has standardized on Access for data management tasks, you may already have a user-level security system in place. In this case, the information in the balance of this chapter will be of little use. If you want to better understand the security system you are using, speak with your network administrator.
In implementing user-level security, Access relies on workgroup information files. When you first install Access, a default workgroup information file is created on your system. Later, if you set up user-level security on the system, you can modify the default workgroup information file or create a new workgroup information file for a particular database. The file indicates which users and groups have which permissions for a particular database and its objects.
Changes to a workgroup information file are done using the Workgroup Administrator program. A workgroup information file contains the following predefined accounts:
You can add user accounts or group accounts to any workgroup information file, provided you have Administer permissions for the database. Because the Admin account is available in every copy of Access, the first step in securing any database is to create additional administrator accounts and then remove the Admin account from the Admins group. In this way, anyone using the Admin account (any plain-vanilla Access user) will belong to the Users group instead of the Admins group.
Access to specific databases and the objects in a database is granted based on the permissions that have been granted to a user. Access understands two types of permissions: explicit and implicit. Explicit permissions are those granted directly to a user account, while implicit permissions are those inherited by a user account based on its membership in a particular group.
The rights which a user enjoys are defined by the least restrictive of a user's explicit and implicit permissions. Thus, if a user is permitted to view a particular database object by virtue of belonging to a particular group, but an explicit permission granted to the user allows him or her to modify that object, then the modification permission is least restrictive, and the one that is enjoyed by the user.
For most purposes, it is best to stick strictly with implicit permissions. These are the most flexible type of permissions, and the easiest to administer. For instance, if you have user groups set up along company organizational lines, you may have different groups for sales and marketing. When a person changes jobs at the company and moves from sales to marketing, it is a simple matter to move their user account from one group to the other. The account then inherits the permissions of the group of which it is a member. If you instead used explicit permissions, you would need to modify the individual permissions granted to the user when the switch was made.
There are a number of different permissions which can be used in Access. The exact permissions which are available depend on the object in question. Some permissions are applicable to databases as a whole, while others are applicable only to individual objects within a database. Table 16-1 details the different permissions you can use in Access.
|Permission|What it allows|Applies to|
|---|---|---|
|Open/Run|Allows user to open an object|Databases, forms, reports, macros|
|Open Exclusive|Allows user to open an object for exclusive access|Databases|
|Read Design|Allows user to look at objects in Design view|Tables, queries, forms, reports, macros|
|Modify Design|Allows user to look at and change objects in Design view|Tables, queries, forms, reports, macros|
|Administer|Allows user complete control over an object|Databases, tables, queries, forms, reports, macros|
|Read Data|Allows user to look at data|Tables, queries|
|Update Data|Allows user to look at and change existing data, but not add or remove records|Tables, queries|
|Insert Data|Allows user to look at existing data and add new records|Tables, queries|
|Delete Data|Allows user to look at existing data and remove records, but not change existing data or add records|Tables, queries|
A member of the Admins group for a particular database can change permissions for any object in that database. In addition, permissions for a particular object can be changed by the owner of that object (generally the person that created the object) or by anyone who has Administer permission for the object.
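The resolution rule described above (least restrictive of explicit and implicit permissions, plus the demotion of the Admin account) can be checked with a small model. This is an added Python example, not Access or DAO code and not part of the original chapter; the Sales group, the users dba1 and pat, and the Orders table are constructed for illustration, and the model assumes account names are unique across users and groups.

```python
# Added model of the resolution rule; not Access or DAO code.
# From Table 16-1: these permissions also let the user look at the object.
IMPLIES = {"Modify Design": {"Read Design"}, "Update Data": {"Read Data"},
           "Insert Data": {"Read Data"}, "Delete Data": {"Read Data"}}

def expand(perms):
    """Add the permissions that Table 16-1 describes as included."""
    base = set(perms)
    return base.union(*(IMPLIES.get(p, set()) for p in base))

class Workgroup:
    def __init__(self):
        self.members = {}  # group name -> set of user names
        self.grants = {}   # (account name, object) -> set of permissions

    def add_to_group(self, user, group):
        self.members.setdefault(group, set()).add(user)

    def remove_from_group(self, user, group):
        self.members.get(group, set()).discard(user)

    def grant(self, account, obj, *perms):
        self.grants.setdefault((account, obj), set()).update(perms)

    def explicit(self, user, obj):
        return expand(self.grants.get((user, obj), set()))

    def implicit(self, user, obj):
        groups = [g for g, users in self.members.items() if user in users]
        return expand(p for g in groups for p in self.grants.get((g, obj), set()))

    def effective(self, user, obj):
        # Least restrictive wins: union of explicit and implicit permissions.
        return self.explicit(user, obj) | self.implicit(user, obj)

def build_sample():
    """Constructed workgroup: Sales, dba1, pat and Orders are hypothetical."""
    wg = Workgroup()
    wg.grant("Admins", "Orders", "Administer")
    wg.grant("Users", "Orders", "Read Data")
    wg.grant("Sales", "Orders", "Update Data", "Insert Data")
    for user in ("Admin", "dba1", "pat"):
        wg.add_to_group(user, "Users")
    wg.add_to_group("Admin", "Admins")       # state of a default install
    wg.add_to_group("dba1", "Admins")        # create a new administrator first
    wg.remove_from_group("Admin", "Admins")  # then demote the shared Admin
    wg.add_to_group("pat", "Sales")
    wg.grant("pat", "Orders", "Delete Data")  # explicit grant on one user
    return wg
```

Moving pat out of Sales with `remove_from_group` drops the Update Data and Insert Data rights at once, but the explicit Delete Data grant stays in `effective("pat", "Orders")` until someone removes it by hand, which is the administrative cost of explicit permissions.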