New to security

[Danu]

Hi -

I have been reading the info presented for starting workgroup security. A
couple of questions, please.

If I wanted to "protect" all the db objects and just present the form for
users, should I secure and/or split the db?

Am I reading correctly? If I setup a workgroup, EACH time I open Access,
Access will refer to the new mdw file instead of the "transparent" mdw file
used for unsecured dbs? If so, how would that effect dbs run through a
scheduler?

If a db is created on a personal PC but then uploaded to network for general
use, can you go in and change the mdw file to reflect the change of location?

Thank you. Before I go making copies of dbs and start tinkering around, just
want to be sure I'll be heading in the direction we need.

- Danu

 

[Joan Wild]

If I wanted to "protect" all the db objects and just present the form for
users, should I secure and/or split the db?

You should always split a database - nothing to do with protection. In addition you don't *have* to implement security to hide things from the user, but it provides additional barriers. You can do a lot to keep users out of things - set the startup properties, hide the db window, create and use custom menus/toolbars, disable the shiftkey bypass. Security will add an additional lavyer that users would have to break through.

Am I reading correctly? If I setup a workgroup, EACH time I open Access,
Access will refer to the new mdw file instead of the "transparent" mdw file
used for unsecured dbs? If so, how would that effect dbs run through a
scheduler?

Access always uses a mdw file - it uses system.mdw out of the box, and this one is usually set as the default. When you create a new mdw to secure the mdb, it'll make this new mdw the default; you can just use the workgroup administrator to change the default back to system.mdw. For your secure mdb, create a desktop shortcut with the following as the target:
"path to msaccess.exe" "path to FE" /wrkgrp "path to secure mdw"
The /wrkgrp switch will override the default for just that session of Access. All other sessions will use the default system.mdw

If a db is created on a personal PC but then uploaded to network for general
use, can you go in and change the mdw file to reflect the change of location?

The mdw file isn't 'stored' with the mdb - i.e. the database doesn't know what mdw it was secured with. The mdw controls the Access session; any number of mdb files may be used with the mdw. If you move the secure mdw, then you just have to modify your desktop shortcut to change the path of the mdw.

 

[Danu]

Thanks, Joan. For my level of expertise and for the safety of the dbs, I
think I will try to split the db and secure it without using any security but
this is something I want to learn more. I've been reading and rereading the
KB articles but can you direct me to something "less dry" and with examples?

- Danu

 

[Joan Wild]

If you're just looking to keep the idle curious out, there are a number of things you can do:

Backup your database; you can easily lock yourself out playing around with these features.

Create custom menus/toolbars for use throughout your application.
Create a startup form (a main menu form if you have one) that is opened on startup.
Use the features in Tools, Startup to
set the startup form
set your default menu (the custom one you made)
disable all the checkboxes about allowing built in menus, toolbars, changes etc.
hide the db window (ensure the custom menu you create does not include the Windows, Unhide item)
uncheck the allow special keys (this will disable the F11 key, among others)

If you need to bypass these startup features, you can hold the shift key down while you open the db. If you feel that your users may use this to bypass your settings, you can disable the shift key bypass - there's an example in help for doing this(look for AllowBypassKey) or at
http://www.mvps.org/access/modules/mdl0011.htm
and
http://www.mvps.org/access/general/gen0040.htm

You can also create a MDE from your database, which will prevent changes to forms, reports and modules (If you do this, be certain to keep your original mdb in case you need to make changes).

None of this will keep the determined out. All they need to do is start a new db and link to your's, but this may suffice for your purposes.

 

[Danu]

Hi -
We need to lock users out from all but the form. They know about overriding
the shift key on opening the db. Even using a custome menu bar, wouldn't they
still be able to override the shift key?

I have made a backup of the db. My first concern is what do you use as a
logon? Do you use the same password needed to logonto the network? If not,
how does Access recognize the user?

I have many questions but this security must be done on several dbs. Can you
direct me to some "how-tos"?

Thank you for your time.

- Danu

 

[Joan Wild]

Hi -
We need to lock users out from all but the form. They know about overriding
the shift key on opening the db. Even using a custome menu bar, wouldn't they
still be able to override the shift key?

You can disable the shiftkey bypass. If you secure the database, then only members of the Admins Group can re-enable it. If you don't implement security, then your users would need to know how to re-enable it.

I have made a backup of the db. My first concern is what do you use as a
logon? Do you use the same password needed to logonto the network? If not,
how does Access recognize the user?

Access has its own user-level security. It isn't integrated with network login names at all.

I have many questions but this security must be done on several dbs. Can you
direct me to some "how-tos"?

Security FAQ
http://support.microsoft.com/?id=207793

Security Whitepaper
http://support.microsoft.com/?id=148555

Although the whitepaper is old, it contains information to help you understand security.

I've also outlined the detailed steps at
www.jmwild.com/AccessSecurity.htm

 

[Danu]

Thank you, Joan. I've printed most of the material and will start
highlighting and experimenting!