• Implementing levels of security (XP)

    #400781

    I don’t mean to be dense but I read Wendell’s great summary of securing an Access database as well as the links from his site:
    207793 – Security FAQ Available in Download Center
    235961 – Security Manager Add-In Available in Download Center
    254372

    • #784287

      I believe the answer is that a user who belongs to the Admin account can modify security settings, including resetting a user password, but I can’t find that written down in the material I have at hand. In Access 2002, as long as the user is pointed at the .MDW file, you can edit security settings without having a database open, so you could give a clerical type the task of managing users, including adding new users. It is generally recommended that you remove all privileges from both the Admin account and the Admins group if you really want to secure a database anyhow, so there wouldn’t be any harm in putting the users in the Admins group, though I believe they could also change other people’s group membership, which would create a potential risk. You would probably be better off to write some code to give a specific user the ability to reset the password, and not give them any other capabilities.

      • #784347

        Wendell,

        Thanks for the followup.
        You wrote:
        “It is generally recommended that you remove all privileges from both the Admin account and the Admins group if you really want to secure a database anyhow, so there wouldn’t be any harm in putting the users in the Admins group,”

        If I remove all privileges from Admin account, would I then create another account with Admin privileges that “CAN” modify objects?
        You would probably be better off to write some code to give a specific user the ability to reset the password, and not give them any other capabilities.

        When you say “You would probably be better off to write some code”, would that include creating some table to store users and passwords, or would I still be using Access’ security?

        Thanks again.

        • #784528

          When securing a database, you create a MyAdmin of some sort, and then create the secure database with them as the owner. You then create a MyAdmins group and give that group all of the usual admins permissions. (The names are just example names.) Thus MyAdmin can make design changes, do deletes of objects and so on, but someone who is using the default Admin account cannot get into the database or make changes of any kind, depending on how restrictive you make that user’s permissions. But you need to remove permissions from the Admins group as well, since Admin belongs to that group.

          As to using code, you would still be using the User Security feature – just working with it in code. It’s a rather complex subject, so let me refer you to the Access Developer’s Handbook – I believe it is covered in the second volume for Access 2002, but you may want to check if you have to buy it. It should be a part of your reference library anyhow if you wish to do serious Access development. Finally, putting passwords in an Access table is not secure, and is easily defeated, so not a good idea.
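An added example, not part of the original posts: a DAO audit for the setup described in the reply above, listing every object that the default Admin user still owns or that Admin or the Admins group still holds explicit permissions on. The function name `AuditDefaultAccounts` is hypothetical, and the code assumes it runs inside the secured database while logged on as the new owner account (the "MyAdmin" of the reply) with a reference to the DAO library.

```vba
Option Compare Database
Option Explicit

' Added example, not code from the thread.
' Returns the number of findings and prints each one to the Immediate window.
Public Function AuditDefaultAccounts() As Long
    Dim db As DAO.Database
    Dim cnt As DAO.Container
    Dim doc As DAO.Document
    Dim acct As Variant
    Dim findings As Long

    Set db = CurrentDb
    For Each cnt In db.Containers
        For Each acct In Array("Admin", "Admins")
            ' Container-level permissions are inherited by newly created objects.
            cnt.UserName = acct
            If cnt.Permissions <> dbSecNoAccess Then
                Debug.Print "CONTAINER", acct, cnt.Name, "&H" & Hex$(cnt.Permissions)
                findings = findings + 1
            End If
        Next acct

        For Each doc In cnt.Documents
            ' An owner can always re-grant itself permissions, so ownership
            ' by the default Admin account defeats any permission removal.
            If StrComp(doc.Owner, "Admin", vbTextCompare) = 0 Then
                Debug.Print "OWNER", "Admin", cnt.Name, doc.Name
                findings = findings + 1
            End If

            For Each acct In Array("Admin", "Admins")
                ' Permissions reports rights granted explicitly to this
                ' user or group, excluding those inherited via membership.
                doc.UserName = acct
                If doc.Permissions <> dbSecNoAccess Then
                    Debug.Print "OBJECT", acct, cnt.Name, doc.Name, "&H" & Hex$(doc.Permissions)
                    findings = findings + 1
                End If
            Next acct
        Next doc
    Next cnt

    AuditDefaultAccounts = findings
End Function
```

A return value of 0 means neither default account owns or has explicit rights on any object or container in the current database.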
