1 chapter 13 securing an access application. 13 chapter objectives learn about the elements of...
TRANSCRIPT
1Chapter 13Chapter 13
Securing an Access Application
Securing an Access Application
13Chapter ObjectivesChapter Objectives
• Learn about the elements of security
• Explore application-level security
• Use user-level security
13The Elements of SecurityThe Elements of Security
• Security Refers to the protection of an application from
unauthorized use
• Authorization Specifies who can access and update different
objects in the application
13The Elements of SecurityThe Elements of Security
• Application-level security Makes it difficult for unauthorized users to
view the contents of the application
• User-level security Gives different users different permissions for
various objects that comprise an application
• Permission Ability to perform an action on an object
13Stripping Source CodeStripping Source Code
• .mde file Compiled database file that cannot be modified,
even though it is smaller and runs more quickly
• Advantages of .mde file Can be distributed, but users cannot view or
change the application’s objects Protects a developer’s investment in the
application
13 Data Encryption and Decryption
Data Encryption and Decryption
• Encryption Conversion of data from one representation into
anotherNew representation is coded so that it cannot be
easily understood
• Decryption Reverses the process of encryption
13 Data Encryption and Decryption
Data Encryption and Decryption
• Security measures supplied by Access apply only to Access Encryption will make the data more difficult to
read
• To read encrypted files: You must possess processes and the decoding
key necessary to decrypt the files
13 Creating a Database Password
Creating a Database Password
• Database password Simplest way to prevent unauthorized access to
an Access application Can be set in the Set Database Password dialog
box
• You can’t set a database password if user-level security has been defined for your database and you do not have Administer permission for the database
13User-Level SecurityUser-Level Security
• User account An object that represents a user (or developer)
of an Access application
• PID Case-sensitive string that can hold between 4
and 20 characters Used in combination with the user name to
create a 128-bit machine-readable number
13User-Level SecurityUser-Level Security
• Workgroup Set of accounts that tend to access the same set of
Access applications
• Accounts in the workgroup share the same workgroup information file Have the .mdw extension Access reads file information when it starts Contains information about the users in a workgroup
13User-Level SecurityUser-Level Security
• Workgroup identifier (WID) Uniquely identifies a workgroup Case-sensitive string that can hold between 4
and 20 characters
• Owner of an object Special user who always has full permissions
on the object Identified by the user name and PID
13User-Level SecurityUser-Level Security
• Group Named collection of user accounts that share
the same set of permissions on an application’s objects
• Permissions Privilege
13 Creating and Joining Workgroups
Creating and Joining Workgroups
• Workgroups are created and managed through the Microsoft Access Workgroup Administrator Workgroup Administrator
Application separate from AccessFile name Wrkgadm.exe
• When a new workgroup is joined, the old workgroup is no longer considered active
13User Accounts and PasswordsUser Accounts and Passwords
• Admins group Group account that retains full permissions on all
databases created when the workgroup was active
• Users group Group account that contains all user accounts
• Secure workgroup A workgroup that prompts for a user name and
password
13Creating a New User AccountCreating a New User Account
Figure 13-2 Entering a user
13Creating a New User AccountCreating a New User Account
• Access applications use the user name and PID to determine the identity of the current user
• Users can assign themselves a password when a database is open by using the Change Logon Password tab of the User and Group Accounts dialog box
13Creating a New User AccountCreating a New User Account
Figure 13-3 Change Logon Password tab
13Workgroup DynamicsWorkgroup Dynamics
• Workgroups do not share information including user name and password A user account and password must be created
for each workgroup that a particular user must use
• You can modify passwords and create new users within VBA
13Users and Their GroupsUsers and Their Groups
• Groups with the same group name and PID, regardless of workgroup, receive the same permissions on a particular application
• When an application supports a large number of users, permissions should be managed through groups Easier to assign permissions to a few groups
than to each individual user
13Users and Their GroupsUsers and Their Groups
• You can create or delete groups in the Group tab of the User and Group Accounts dialog box
Figure 13-4 Entering a new group
13 Adding and Removing Users To and From Groups
Adding and Removing Users To and From Groups
• Creating users and groups is less cumbersome under the ADO model than the DAO model Append the new user to the Users collection or
new group to the Groups collection
• A reciprocal relationship exists between the objects in a user’s Groups collection and the objects in the group’s Users collection
13 Adding and Removing Users To and From Groups
Adding and Removing Users To and From Groups
Figure 13-6 Relationship between security-related objects in collections
13 Using and Assigning Permissions
Using and Assigning Permissions
• Permissions can be assigned to: All database objects Database Individual users Groups of users
All members of the group have the same permissions
13 Using and Assigning Permissions
Using and Assigning Permissions
• Permissions can be assigned through the User and Group Permissions dialog box
Figure 13-7 User and Group Permissions dialog box
13 Assigning Permissions Through User and Group Permissions
Dialog Box
Assigning Permissions Through User and Group Permissions
Dialog Box
• With OwnerAccess Option declaration Used when the developer would like the user to
update data in a table, but does not want the user to view the details of the table’s design
When possessed by a query, a user can run the query as long as the owner of the query has the appropriate permissions
13 Setting and Using Permissions in VBA
Setting and Using Permissions in VBA
• Access stores information related to Permissions in properties of the Container and Document objects Containers collection
Located inside a database objectA container exists for every type of object used in
an Access applicationContains a document collection,which also exists
for every object
13 Setting and Using Permissions in VBA
Setting and Using Permissions in VBA
• SetPermissions method Sets a value that establishes the permissions for the user
or group identified by the Group or User object
• GetPermissions method Retrieves permissions once they have been set
• Bitwise arithmetic Involves a bit-by-bit comparison of identically
positioned bits in two numeric expressions
13 Owner and Admins Group Security Problems
Owner and Admins Group Security Problems
• User-level security is not complete until you have considered the special capabilities of Admins group members and owners
• Owners of an object always have the ability to assign themselves full permissions on the object
• If an application was created in an unsecured environment, the Admin account is the owner of all objects
13 Owner and Admins Group Security Problems
Owner and Admins Group Security Problems
Table 13-1 Permissions granted to users
13 Owner and Admins Group Security Problems
Owner and Admins Group Security Problems
• Important implications of these relationships: Admin account should not own any object in a
secure application Workgroup used to create an application should
not be distributed as part of the application
• Developers can restrict the permissions of the Admin account and Admin group
13 Changing Object Ownership and Creating a Secure Application
Changing Object Ownership and Creating a Secure Application
• Object owner User who creates an Access object Always has full permissions applicable to an
object
• Administer permission Exists regardless of whether the user is a
member of the Admins group or whether an account in the Admins group attempts to change owner’s permission
13 Changing Object Ownership and Creating a Secure Application
Changing Object Ownership and Creating a Secure Application
• If an object is not a database, it’s ownership may be changed through the Change Owner tab on the User and Group Permissions dialog box
Figure 13-8 Change Owner tab
13Changing Object OwnershipChanging Object Ownership
• Owners of a database always have the right to open the database
• To change the ownership of an entire database: Import the database into Access while you are
logged on using the account of the new owner
13Changing Object OwnershipChanging Object Ownership
Figure 13-9 Import Objects dialog box
13 Changing Database Ownership and Securing an Application
Changing Database Ownership and Securing an Application
• The import database technique is one way to secure an unsecured application Allows ownership of all objects, including the
database, to be transferred from an unsecured database
13 The User-Level Security Wizard
The User-Level Security Wizard
• User-Level Security Wizard WILL: Create a new database Import all the objects from the old database Remove all permissions from the Users group Encrypt the new database
• Application’s performance will be degraded slightly because it now uses an encrypted database
13 Preparing a Workgroup for Distribution
Preparing a Workgroup for Distribution
• Each computer that runs an Access application must have access to: The application files The workgroup information file
The Access default workgroup information file is used to run an application or
The developer will distribute a workgroup information file
13Chapter SummaryChapter Summary
• Security can be provided at both the application and the user levels
• Application-level security has the same effect on all users of a particular Access database file
• Database files can be encrypted and assigned a password
13Chapter SummaryChapter Summary
• User-level security Provides different types of security for different
users
• Key to understanding how user-level security is implemented is to understand the relationships between workgroups, groups, users, owners, and permissions
13Chapter SummaryChapter Summary
• Admins members can always modify their own permissions when the workgroup that created an Access application is active
• Owners can modify their own permissions no matter which workgroup is active
• Security features can be implemented through Access menus and VBA