The Andrew N. Wiggins Consultancy

Contact me at webmaster@anw.biz

Experimental Site
 

This site designed by Byg Software Ltd

  

The ANW.BIZ Home Page

Access - add a user

  1. Log on with administrator's rights
  2. Menu: Tools > Security > User and Group Accounts
  3. Type in a new user name in the "Name" box (example: "two")
  4. Make the new user a "Member Of" groups you select from the "Available Groups" list.
  5. Click on "OK"
  6. Exit from the application and from Access
  7. Log on as the user you have just created. At this stage the user does not have a password.
  8. Menu: Tools > Security > User and Group Accounts
  9. Click on the "Change Logon Password" tab.
  10. Enter the user's password in the "New Password" box and again in the "Verify" box.
  11. Click on "Apply" and then on "OK".
  12. To test the password,
    • exit from the application and from Access.
    • Log on as the user you have just created.
    • This time you will need the password you have just created.

Securing an Access Database

(Access Frequently Asked Questions - MS website - secfaq.asp)

  1. Use the Workgroup Administrator program (Wrkgadm.exe) to create a new workgroup information file.
    • The default is called System.mda in Microsoft Access 2.0 and System.mdw in Microsoft Access 95 and Microsoft Access 97.
    • Write down the Name, Organization, and WorkGroup ID strings that you will be prompted for when creating your new workgroup information file and store them in a safe place.
    • If your workgroup information file ever becomes lost or corrupted, you can reconstruct it using these identical strings, which are then encrypted to create a unique token. Without a valid workgroup information file, you could conceivably be locked out of your database forever.
  2. The Workgroup Administrator automatically logs you on using the new workgroup information file.
  3. Open any database.
  4. You'll be logged on as a user named Admin.
    • Select Security > Change Password in Microsoft Access 2.0 and Tools > Security > User and Group Accounts in Microsoft Access 95 and Microsoft Access 97 to add a password for the Admin user.
    • The Admin user is the default account, and setting its password is what "activates" security.
  5. Create a new user, which is the account you will use to secure the database.
    • Add this new user to the Admins group.
    • Write down the strings that you use for the name and PID in case you ever need to recreate your workgroup information file.
    • The PID is not the password - it is encrypted, along with the Name, to create a unique token identifying the user.
  6. Quit Microsoft Access
    • Log back on as the new user account you created in step 5.
    • You will not have a password for this account yet, so now is a good time to set one.
  7. Remove the Admin user from the Admins group so that Admin is a member only of the Users group.
    • There have been several books published stating that you can delete the Admin user, but this is not true in Microsoft Access 2.0, Microsoft Access 95, or Microsoft Access 97. You cannot delete any of the built-in users or groups.
  8. Open the database you want to secure and run the Security Wizard.
    • Select the objects you want to secure (it makes sense to secure them all).
    • The wizard will then create a new database which will be owned by your new user and import all of the objects and relationships into it.
    • It will also remove all permissions from the Admin user and the Users group and encrypt the new database.
    • The original database will not be altered.
  9. Open the new database.
    • Because the Security Wizard removed permissions from the Users group, you need to create your own custom groups and assign the level of permissions needed to these groups.
    • Because everyone is a member of the Users group (otherwise, a user would not be able to start Microsoft Access), only grant permissions to it that you want everyone to have.
    • Do not place people in the Admins group because its members have irrevocable power to administer database objects, which is not what you want.
  10. Create your own users and assign them to the groups that reflect the level of permissions you want them to have.
    • Do not assign permissions directly to users because that is extremely hard to administer.
    • Users inherit permissions from the groups they are members of, and keeping track of the permissions assigned to a group is much easier than keeping track of the separate permissions of individuals.
    • If a user is a member of multiple groups, then that user will have all of permissions granted to any of those groups plus any permissions assigned specifically to the user (the "least restrictive" rule).
  11. Additionally, you will need to remove the Open/Run permission from the database container for the Users group manually through the security menus or through code.
    • The Security Wizard in Microsoft Access 2.0 and Microsoft Access 95 does not do this
    • This will prevent someone from opening the database by using another workgroup information file or the default System.mda/mdw.


    The User Level Security Wizard that ships with Microsoft Access 97 now removes the Open/Run database permissions for the Users group (not on my version at Orange it didn't - if you don't do it manually anyone can get in).

 

Published: 10 Feb 2004
Last edited: 29 July 2006 23:26