Implementing User-Level Security

[Tim]

I recently implemented user-level security for a group of twenty people for
my database. On my PC, a prompt will ask for a User Name and Password. On
someone else's PC, they can access the database as an Admin with the
System1.mdw as the Workgroup File. They are not prompted for anything! A fix
I read was to Import the database with the security to a new database. I did
that and still no prompt!
How can I make sure that everyone on our network will not have access to the
database and just the people I choose?

 

[Larry Linson]

I recently implemented user-level security for a group
of twenty people for my database. On my PC, a prompt
will ask for a User Name and Password.

On someone else's PC, they can access the database
as an Admin with the System1.mdw as the Workgroup
File. They are not prompted for anything! A fix I read
was to Import the database with the security to a new
database. I did that and still no prompt!

Then clearly, you did not "recently implement user-level security"; instead,
you _attempted_ to implement it.

The authoritative source on Access User/Group Level Security is the Security
FAQ, for which see http://support.microsoft.com/kb/207793/en-us. It is 39
pages of dense content, none of which is "padding", so you need to read,
re-read, study, re-study and then experiment with copies or test databases.
Rarely does anyone find it so trivial that they cover all the bases and get
it right the very first time. If you omit a step in the process, you can
make it so trivial to get in that anyone can (as you've discovered) or,
alternatively, so secure that even you cannot get in.

How can I make sure that everyone on our network
will not have access to the database and just the
people I choose?

See above.

I must caution you that Access user and group level security (also called
Workgroup Security) has flaws and will not keep a determined cracker out. It
works very nicely to keep honest folk from stumbling over their own
fingertips and accidentally ending up somewhere they should not be in your
application. User and group level security is no longer supported by Access
2007 for the new ACCDB databases; it is still available if you choose to use
the tried, trusted, and true .MDB file format.

Larry Linson
Microsoft Office Access MVP

 

[Tim]

Well, you've got me there. I did try but failed.

Thanks for the link. I will give it a try and hopefully pull something out
of it.

 

[Larry Linson]

Well, you've got me there. I did try but failed.

Don't feel lonesome. [Many | most | all] of us have failed, more than once,
in early attempts to secure a database using Workgroup Security. Roger
Jennings, in his book "Access 2.0 Developer Guide" described Access security
as "labrynthine" and it didn't get any simpler over time.

In fact, most of my clients opted not to use Workgroup Security, but relied
on using a server back-end and using the server's security to protect their
data. Once I did work through it, I've secured a few clients' databases...
and warned all of them that it was far from foolproof.

Larry Linson
Microsoft Office Access MVP