The 10 Steps Summarized

(Primary source: Security FAQ document from Microsoft. This is NOT intended to replace the Security FAQ document, but is a different way of looking at the implementation of Access Security. Thanks also go to Sandra Daigle for links provided in Step 10.)

1. Create a NEW workgroup information file (if you are using the Security Wizard it will create this for you and it will be named secured.mdw, but you may give it whatever name you want).

1.1. Use the Workgroup Administrator program (wrkgadm.exe) to create the file (this is an external program in Access 2000 and earlier, but is found in the Access User Interface (Tools > Security) in Access 2002).

1.2. Be sure to write down the Name, Organization, and WorkGroup ID that you use when creating this file because you can use them to reconstruct the file if it is ever lost or corrupted.

2. The Workgroup Administrator will automatically switch you to the new workgroup on your computer. Remember that membership in a given workgroup is specific to each local computer.

2.1. Start Access.

2.2. Open any database.

3. You will be logged on under the user name Admin.

3.1. Go to Tools > Security > User and Group Accounts.

3.2. Click the Change Logon Password tab.

3.3. Since the Admin user's password is currently blank, you must leave the first box blank.

3.4. Create a new password for the Admin user.

3.5. This will cause Access to begin prompting you for a User Name and Password the next time you start Access.

4. Create a new user that will be the account you use to secure the database.

4.1. Add this new user to the Admins group.

4.2. Be sure to write down the name and PID in case you ever need to recreate the workgroup information file.

4.3. NOTE: The PID is NOT the user's password. A new user's password is ALWAYS blank until the user logs on and changes it.

5. Quit Access and log back on as the new user you created in Step 4.

5.1. Remember that the password for this account is blank.

5.2. Create a new password for this user following the procedure outlined in Step 3 above.

6. Remove the Admin user from the Admins group.

6.1. Doing this leaves the Admin user as a member of the Users group only.

6.2. The Admin user does not have any built-in administrative privileges. Its privileges exist solely by virtue of membership in the Admins group, which has administer privileges to the database.

7. Open the database that you want to secure and run the Security Wizard.

7.1. Select the objects that you want to secure (probably all of them).

7.2. The wizard will create a new database owned by your new user.

7.3. It will also remove all permissions from the Admin user and the Users group and encrypt the database.

7.4. NOTE: The Access 2000 wizard will only create a copy of the original database.

7.5. NOTE: In Access 2000 not all permissions to open the database will be removed from the Admin user and the Users group. You will need to do this manually.

8. Open the new database and create Custom Groups.

8.1. Every user is required to be a member of the Users group.

8.2. Only grant permissions to the Users group that you want EVERYONE to have.

8.3. Members of the Admins group have irrevocable power to administer database objects.

9. Create your users and assign them to the appropriate groups created in Step 8.

9.1. Do NOT assign permissions directly to users because that is extremely difficult to administer.

9.2. Users inherit permissions from the groups they are members of.

9.3. Users who are members of multiple groups will have all permissions granted to ANY of those groups.

10. Make sure that ALL permissions to ALL objects in the database are removed from the Users group.

10.1. This is especially true for Open/Run permissions to the database.

10.2. The Access 97 Wizard does NOT do this automatically. The Access 2000 Wizard appears to, but it is possible to use the default workgroup information file to open a secured database. The cure is to create a new, empty database while logged on as a member of the Admins group and import all the objects from the secured database. You will then need to set the proper permissions. Michael Kaplan (basScriptJetSecurity) and Sandra Daigle (DB Utilities 1.0) have created modules to move security from one database to another, of the same structure, that you may want to use.
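
One way to check Step 10 from code, as an added example that is not part of the Security FAQ or of the utilities named above: this VBA routine walks the DAO Containers and Documents collections and counts every object on which the Users group or the Admin user still holds explicit permissions. It assumes a reference to the Microsoft DAO library and that you are logged on as a member of the Admins group of the secured workgroup; the procedure names are hypothetical.

```vba
Option Compare Database
Option Explicit

' Added example (not from the Security FAQ). Procedure names are hypothetical.
' Counts containers and documents on which strAccount holds explicit permissions.
' Assumes a DAO reference and a logon that is a member of the Admins group.
Public Function CountExplicitPermissions(ByVal strAccount As String) As Long
    Dim db As DAO.Database
    Dim con As DAO.Container
    Dim doc As DAO.Document
    Dim lngHits As Long

    Set db = CurrentDb()
    For Each con In db.Containers
        ' Container-level permissions are what newly created objects receive.
        con.UserName = strAccount
        If con.Permissions <> dbSecNoAccess Then
            Debug.Print "Container", con.Name, "&H" & Hex$(con.Permissions)
            lngHits = lngHits + 1
        End If
        ' Permissions on each existing object (tables, forms, MSysDb, ...).
        For Each doc In con.Documents
            doc.UserName = strAccount
            If doc.Permissions <> dbSecNoAccess Then
                Debug.Print "Document", con.Name & "\" & doc.Name, _
                            "&H" & Hex$(doc.Permissions)
                lngHits = lngHits + 1
            End If
        Next doc
    Next con
    CountExplicitPermissions = lngHits
End Function

' Step 10 is complete only when both counts are zero.
Public Sub AuditDefaultAccounts()
    Debug.Print "Users group:", CountExplicitPermissions("Users")
    Debug.Print "Admin user:", CountExplicitPermissions("Admin")
End Sub
```

A non-zero count for either account means Step 10 is incomplete. The MSysDb document in the Databases container is where the Open/Run permission from Step 10.1 shows up.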
|