Access Cookbook - Ken Getz [203]
Once you have come up with a plan of users and groups of users, you need to inventory your database objects and determine which groups of users can do what with which objects. While you can assign each user a separate set of permissions, it's better to assign permissions to groups of users; this makes adding or subtracting users later much easier. An object inventory for the solution company database (10-01UNS.MDB) is shown in Table 10-2.
Table 10-2. The object inventory
Object
Group
Access level
tblCustomer
Employees
Read, write access to data only
Programmers
Read, write access to data and design
Managers
Read, write access to data only
Admins
Full access
tblEmployee
Employees
No access
Programmers
Read, write access to data and design
Managers
Read, write access to data only
Admins
Full access
frmCustomer
Employees
Run access
Programmers
Run, read, write access to design
Managers
Run, read, write access to design
Admins
Full access
frmEmployee
Employees
No access
Programmers
Run, read, write access to design
Managers
Run, read, write access to design
Admins
Full access
Secure your database
Note that Access ships with a Security Wizard that will help you secure your database. With a plan in hand, you can now begin to secure your database, following these steps:
Choose Tools → Security → User-Level Security Wizard from the menu. The first dialog prompts you to create a new workgroup information file, and the second dialog (shown in Figure 10-1) prompts for the workgroup file information. The strings you enter here for the Workgroup ID (WID), name, and company will be encrypted to form a unique identifier. The default workgroup file, system.mdw, is the same across all installations of Access, and is thus not secure. At the bottom of the dialog you can choose either to make this workgroup file the default or to create a shortcut to open the secured database. If you choose the first option, the workgroup file will be used with all databases. For most environments, the second option is a better choice. Click Next to continue the wizard.
Figure 10-1. Creating a new workgroup file
You will see a tabbed dialog for selecting the database objects you want to secure. You'll probably want to secure all the objects in your database. Click the All Objects tab, then click the Select All button (see Figure 10-2). Click Next to continue.
Figure 10-2. Selecting the objects to secure
The next dialog (see Figure 10-3) can create default groups for you. If you click on a group, you can see the permissions that will be granted to it. However, for this example, you'll create your own custom groups after the wizard has completed. Don't select any of these items, and click Next to continue.
Figure 10-3. Creating default groups
The next dialog allows you to grant the Users group selected permissions on some objects. However, you probably don't want to do that, since permissions granted to the Users group are granted to everyone—all authorized users must be members of the Users group. The best policy here is to grant permissions only to your own custom groups, so don't select that option. Click Next to continue.
The next dialog allows you to create additional administrators and set a password on the administrator account that will be automatically created (see Figure 10-4). This name of this account comes from your Windows login. So if you are logged in as Paul, as shown in Figure 10-4), then this account will be named Paul. Any additional administrators you create here will be added to the Admins built-in group, giving them irrevocable administrative powers in your secured database. You will therefore want to limit the number of administrators, as they have unlimited power. Only administrators can manage passwords and create and delete users and groups. Set a password