MS Access Security Local Database

Marvinator

I've been working on a database which I now would like to distribute
but there is a need to secure the design and layout of the database
objects. I want users to be able to enter information but not to
delete or change any of the queries, forms etc, which have been
created.

I've been reading this forum trying to get a handle on Access security.
I've tried a few things, but as you can probably guess, I ended up
locking myself out. (Yes, I'm working on a copy, I'm not that much of
a newbie - :: smile::)

It appears that each time I read one of the posts here, I end up with
more questions than answers. All the white papers can't help me
either, as I end up wanting to ask more questions. So allow me to ask
them here:

These all pertain to the following scenario: I have a database which I
am going to put on a receiving computer. The database and any needed
files (.mdw file?) will be zipped and downloaded to the receiving
computer.

What I understand is that I must set up a workgroup file. Ok, but each
time I read these 'faq's' I am told to delete the Admin from the Admin
users group. Why? I may need to go into the receiving computer's
database at a later date to add new functions or correct problems, and
it would seem to me that the Admin account is how I would do this?

When setting up the Workgroup Information file, how can I protect this
from affecting other databases on my original computer AND on receiving
computers? All the faq's I've read say to exit the database and set
up the workgroup file, which seems to me that you're setting this up to
affect ALL databases on that computer. How do I protect my OTHER
databases from being locked out?

Lastly (for the moment, thank you) what files need to be zipped up with
the MDB files to be distributed to the receiving computer? Do they need
to be distributed to a particular folder?

Thank you for your help here. I really appreciate it.
 
Keith Wilby

Marvinator said:
> What I understand is that I must set up a workgroup file. Ok, but each
> time I read these 'faq's' I am told to delete the Admin from the Admin
> users group. Why?

You need to set up your *own* admin account which should also be the owner
of all objects.

> I may need to go into the receiving computer's
> database at a later date to add new functions or correct problems, and
> it would seem to me that the Admin account is how I would do this?

You should not be tinkering with an app in the production environment (i.e. at
the "receiving computer") - you should split your app into front and back
ends (FE/BE), work on your development copy of the FE in isolation and
supply users with updated FEs as and when necessary. You would only need to
access the BE if you needed to change any tables.

> When setting up the Workgroup Information file, how can I protect this
> from affecting other databases on my original computer AND on receiving
> computers? All the faq's I've read say to exit the database and set
> up the workgroup file, which seems to me that you're setting this up to
> affect ALL databases on that computer. How do I protect my OTHER
> databases from being locked out?

You create a custom WIF and leave the default "system.mdw" alone. You
instruct Access to join your custom workgroup using the "/wrkgrp" command
line switch.

> Lastly (for the moment, thank you) what files need to be zipped up with
> the MDB files to be distributed to the receiving computer? Do they need
> to be distributed to a particular folder?

You need the mdb (or mde), the WIF and a suitable desktop shortcut with a
command line in the format:

"Full path to MSACCESS.exe" "Full path to your app.mdb" /wrkgrp "Full path to your WIF.mdw"

including the quotation marks.

If you've already read the MS FAQ then try working through the example on my
web site.

HTH - Keith.
www.keithwilby.com
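
The desktop shortcut described in the reply above can also be created by script. This is an added example, not part of the original thread; the three file paths, the shortcut name and the function name are placeholder assumptions to be replaced with the real locations on the receiving computer.

```powershell
# Added example: create the desktop shortcut that starts Access with a
# custom workgroup information file (WIF) via the /wrkgrp switch.
# All paths below are placeholders (assumptions), not values from the thread.
$AccessExe = 'C:\Path\To\MSACCESS.EXE'   # placeholder: full path to MSACCESS.exe
$AppFile   = 'C:\MyApp\MyApp.mdb'        # placeholder: the .mdb or .mde
$Workgroup = 'C:\MyApp\MyApp.mdw'        # placeholder: the custom WIF

function New-AccessWorkgroupShortcut {
    param(
        [Parameter(Mandatory)] [string] $AccessExe,
        [Parameter(Mandatory)] [string] $AppFile,
        [Parameter(Mandatory)] [string] $Workgroup,
        [string] $ShortcutName = 'My Access App'   # hypothetical name
    )

    # Fail early if any of the three files is missing, so users never get
    # a shortcut that silently opens the app under the default workgroup.
    foreach ($p in $AccessExe, $AppFile, $Workgroup) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }

    # The advice in the thread is to leave the default system.mdw alone.
    # Treating a WIF with that name as a mistake is this example's own check.
    if ((Split-Path -Leaf $Workgroup) -ieq 'system.mdw') {
        throw 'Use a custom WIF with its own name, not system.mdw.'
    }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$ShortcutName.lnk"

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $AccessExe
    # Quote both paths so folders containing spaces survive.
    $lnk.Arguments        = '"{0}" /wrkgrp "{1}"' -f $AppFile, $Workgroup
    $lnk.WorkingDirectory = Split-Path -Parent $AppFile
    $lnk.Save()
    return $lnkPath
}

New-AccessWorkgroupShortcut -AccessExe $AccessExe -AppFile $AppFile -Workgroup $Workgroup
```

Because the workgroup is selected only by this shortcut, other databases on the same computer keep opening under the default system.mdw.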
 
Marvinator

Again I have more questions than answers. Am I being obtuse?

Again, if I am going to create my "own" Admin account, why can't I use
the ADMIN Account which is already set up? It's password protected so
why not just leave it? Otherwise, it seems like I'm using Admin to log
on, Delete it from the admin Users Group and then RECREATE THE ADMIN
ACCOUNT. Huh?? Again, I just don't understand the logic behind this.
I feel like I'm missing something crucial.
 
jacksonmacd

What you are missing is the fact that Admin from *any* workgroup file
is identical. The fact that you applied a password to Admin in your
*particular* workgroup file is irrelevant. Any user from any default
installation of Access could become the *same* Admin as you thought
you protected.

The problem arises from the *dumb* name "Admin" that Microsoft chose
to use. Consider that "Admin" is "anybody", and that a custom admin
account (notice: no capitalization!) with a name of your choosing are
two completely separate entities. Furthermore, you need to add
your new admin account to the Admins group. Once you get the
confusing jargon sorted out, it starts to make sense...


http://www.geocities.com/jacksonmacd/ for info on MS Access security
 
Marvinator

Thank you! This does seem to make more sense. Perhaps it is because
at work I log in using ADMIN to any one of over 150 servers in our
system. ADMIN to me has always been a very strong password protected
Unique Name. Now I understand that it is merely an open ended entry.
Thanks again, I really do appreciate it.
 
