security levels

[nathan]

Hi
I have developed a system which will be used over a
network. I want to secure my system so that the users
cannot edit it but I can.
I dont know however how to disable the taskbars on the
form though. Furthermore how could you disable them for
one person and not for another.
Thanks for any and all your help.

Nathan

 

[Lynn Trapp]

Check out the Security FAQ document available for download from Microsoft.
There is a link to it on the Security page of my website.

 

[Joseph Meehan]

I suggest you start by reading
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793

Access security is a great feature, but it is, by nature a complex product
with a very steep learning curve. Properly used it offers very safe
versatile protection and control. However a simple mistake can lock
everyone including God out.

Practice on some copies to make sure you know what you are doing.

 

[fflei]

However a simple mistake can lock
everyone including God out.

Is there any way of putting things right after God has been locked out? All
the info seems to be about recovering by making new workgroups - is there a
way of getting rid of them all and getting back to the default unsecured
state of things?

Practice on some copies to make sure you know what you are doing.

The problem with that is that the security doesn't just apply to any
particular database, but to Access and therefore to every subsequent one.

I have just successfully put my database onto the network, and then the
network manager decided there should be greater security .... unfortunately
he used my laptop with a local copy of Access and I can't do a thing. Can
you help? Please?

fflei

 

[fflei]

there

You would need to log in using the correct workgroup file as a member of the
Admins group. There are steps outlined in the security FAQ you can follow
to unsecure a database. Essentially, you give all permissions to the Users
Group for all objects. You then would open Access using the default
system.mdw workgroup, create a new database and import all objects from your
database.

Thanks for this, Joan.

I think I have got to the bottom of what he did - he set passwords for one
admin and one user group, but he hadn't logged in as those people and had
therefore changed the password twice for the default admin.... does that
make sense? I eventually got in with my ID and the user's password.

one.

Usually, when you create a new workgroup file, it becomes the default
workgroup file to use for all sessions of Access - that appears to be what's
happened to you. You don't mention the version of Access, but use the
workgroup administrator (Start, run, wrkgadm.exe in 97/2000; Tools,
security, workgroup administrator in 2002), to rejoin the system.mdw that
ships with Access. It is usually located in the system folder on your
computer.

Yes, I was starting to panic when I read other messages about running
wrkgadm.exe and couldn't find it anywhere on the HD - I've got Access 2002.

What also happens, I have discovered, is that Access puts one of those mdw
files in Documents and Settings/[user]/Application Data/Microsoft/Access. Am
I right in thinking that the .mdw file there takes precedence over the one
in the system folder? You can't delete it and leave nothing there, because
Access will look for it when you try to run the database, but if you
overwrote it with a copy of the one in the system folder, would Access
accept it?

Someone else in a similar thread refers to learning about Access security as
a 'steep learning curve' ...... you're telling me! Talk about a baptism by
fire! Thanks again for the help.

fflei

 

[fflei]

I know of nothing you can do that will secure a database that was not
secured to begin with.

You're right - I discovered that. I think I had so many 'practice' ones I'd
lost track of what was what.....

I don't know of anyway of getting into a "secured" Access Database if
you screw up and loose the password. That is why I always suggest extreme
care when securing one. So far I have never had a problem of locking myself
out.

If you loose the workgroup, then you better have the information (the
code) for any user you want to re-create or you will not be able to. (again
as far as I know). You must be careful about this and I know of no after
the fact fixes.

If you are in that situation, I wish you the best and how someone can
help you.

Thanks - I have solved the problem - see below.

I am not at all sure exactly what has happened here. The only thing I
can guess from your statement is that you may no longer have rights to
create a new file (or maybe edit it) on the LAN. You network manager
should not have access to change any Access security settings, unless he was
given those rights under Access Security.

As I explained to Joan, the passwords had been set up wrongly in the first
place so that instead of assigning a different one to each person, one
person had had their password changed. Relief all round - it had been a long
day!

Lesson number one is: beware of enthusiastic helpers! He came to solve a pro
blem with my access to the network (I don't work there, just consult from
time to time) and decided to render further assistance. I wanted to do some
more work on the front end when I got home and couldn't get into it.....

fflei

 

[Joan Wild]

I think I have got to the bottom of what he did - he set passwords for one
admin and one user group, but he hadn't logged in as those people and had
therefore changed the password twice for the default admin.... does that
make sense? I eventually got in with my ID and the user's password.

Did he do this in the default system.mdw file? Or did he create a new
workgroup and set passwords in it? A critical difference. By the way you
can't set a password for a group, only users.

In the standard system.mdw file that ships with Access, there are two groups
(Users and Admins) and one user (Admin). Every session of Access uses a
workgroup file. It silently logs you in as the Admin user which by default
will own all databases and objects in them. When you create a new workgroup
file to secure your database with, one of the steps is to set a password for
the Admin user. This is what causes the login dialog to appear - you no
longer will be silently logged in as Admin.

What also happens, I have discovered, is that Access puts one of those mdw
files in Documents and Settings/[user]/Application Data/Microsoft/Access. Am
I right in thinking that the .mdw file there takes precedence over the one
in the system folder? You can't delete it and leave nothing there, because
Access will look for it when you try to run the database, but if you
overwrote it with a copy of the one in the system folder, would Access
accept it?

When you install Access, the system.mdw file is put in the windows system
folder. If that file is deleted or moved, then Access will automatically
create a new system.mdw file and yes, place it in the current user's
application data...folder.

You can have many mdw files on your computer. The one that is used by
default is the one that is specified when you run the workgroup
administrator.

 

[fflei]

Did he do this in the default system.mdw file? Or did he create a new
workgroup and set passwords in it?

As far as I can tell, the default file. I have returned it to its original
state and will set up a new one (after the front end has been backed up!)

A critical difference. By the way you
can't set a password for a group, only users.

Yes, thanks for pointing this out. Loose use of language on my part - it
will be a few people who will use the same ID and password because the chaos
which will ensue if they can't help each other out doesn't bear thinking

In the standard system.mdw file that ships with Access, there are two groups
(Users and Admins) and one user (Admin). Every session of Access uses a
workgroup file. It silently logs you in as the Admin user which by default
will own all databases and objects in them. When you create a new workgroup
file to secure your database with, one of the steps is to set a password for
the Admin user. This is what causes the login dialog to appear - you no
longer will be silently logged in as Admin.

What also happens, I have discovered, is that Access puts one of those mdw
files in Documents and Settings/[user]/Application

Data/Microsoft/Access.

Am
I right in thinking that the .mdw file there takes precedence over the one
in the system folder? You can't delete it and leave nothing there, because
Access will look for it when you try to run the database, but if you
overwrote it with a copy of the one in the system folder, would Access
accept it?

When you install Access, the system.mdw file is put in the windows system
folder. If that file is deleted or moved, then Access will automatically
create a new system.mdw file and yes, place it in the current user's
application data...folder.

You can have many mdw files on your computer. The one that is used by
default is the one that is specified when you run the workgroup
administrator.

Thank you - much clearer now! I have one more question though - when you set
up a work group or a new user, it asks for a unique ID and offers a
gobbledygook one: is this something a user would ever have to remember in
normal use? Or is it a unique coded identifier for the .mdw file? I realize
(now) that it would be required if you had to rebuild the group settings, so
presumably it is echoed in the database itself somewhere, but it's not part
of the normal logging on process is it?

Actually..... two questions. I can see why you don't recommend the wizard -
far too easy to lock everyone out, but it does have the advantage of
allowing you to print out all the information about IDs and passwords, or at
least print it to file. Is there any other way of getting this if you don't
use the wizard, or is it a question of jotting it all down in notepad or
something as you go?

Er.. three questions! ... hope I am not presuming.... I'm going to have to
set this all up again, so I have to get it right. When setting it up, I have
to log on as each user in turn in order to set the password and then log out
and log in again as the next one? I also need to secure the back end, and
this should be done the same way?

fflei

 

[Joan Wild]

Thank you - much clearer now! I have one more question though - when you set
up a work group or a new user, it asks for a unique ID and offers a
gobbledygook one: is this something a user would ever have to remember in
normal use? Or is it a unique coded identifier for the .mdw file? I realize
(now) that it would be required if you had to rebuild the group settings, so
presumably it is echoed in the database itself somewhere, but it's not part
of the normal logging on process is it?

Correct. You would only need this if you ever needed to recreate the mdw.

Actually..... two questions. I can see why you don't recommend the wizard -
far too easy to lock everyone out, but it does have the advantage of
allowing you to print out all the information about IDs and passwords, or at
least print it to file. Is there any other way of getting this if you don't
use the wizard, or is it a question of jotting it all down in notepad or
something as you go?

Write it down, yes.

Er.. three questions! ... hope I am not presuming.... I'm going to have to
set this all up again, so I have to get it right. When setting it up, I have
to log on as each user in turn in order to set the password and then log out
and log in again as the next one?

Yes, that's probably the simplest. You could also use code to determine if
a user has set their password - if it's blank give them a warning message.

I also need to secure the back end, and
this should be done the same way?

You would ensure thatyou are joined to the same mdw that you secured the
frontend with. Then secure it. You don't want to secure it using a
different mdw file.

 

[fflei]

Joan, thank you for your clear, unambiguous, assistance.

fflei