
Chapter 13

Securing an Access Application

Chapter Objectives

• Learn about the elements of security

• Explore application-level security

• Use user-level security

The Elements of Security

• Security: refers to the protection of an application from unauthorized use

• Authorization: specifies who can access and update different objects in the application

• Application-level security: makes it difficult for unauthorized users to view the contents of the application

• User-level security: gives different users different permissions for the various objects that comprise an application

• Permission: ability to perform an action on an object

Stripping Source Code

• .mde file: compiled database file that cannot be modified; it is also smaller and runs more quickly

• Advantages of an .mde file
  - Can be distributed, but users cannot view or change the application’s objects
  - Protects a developer’s investment in the application

Data Encryption and Decryption

• Encryption: conversion of data from one representation into another
  - The new representation is coded so that it cannot be easily understood

• Decryption: reverses the process of encryption

• Security measures supplied by Access apply only to Access
  - Encryption will make the data more difficult to read

• To read encrypted files, you must possess the processes and the decoding key necessary to decrypt the files

Creating a Database Password

• Database password
  - Simplest way to prevent unauthorized access to an Access application
  - Can be set in the Set Database Password dialog box

• You can’t set a database password if user-level security has been defined for your database and you do not have Administer permission for the database

User-Level Security

• User account: an object that represents a user (or developer) of an Access application

• PID
  - Case-sensitive string that can hold between 4 and 20 characters
  - Used in combination with the user name to create a 128-bit machine-readable number

• Workgroup: set of accounts that tend to access the same set of Access applications

• Accounts in the workgroup share the same workgroup information file
  - Has the .mdw extension
  - Access reads the file information when it starts
  - Contains information about the users in a workgroup

• Workgroup identifier (WID)
  - Uniquely identifies a workgroup
  - Case-sensitive string that can hold between 4 and 20 characters

• Owner of an object
  - Special user who always has full permissions on the object
  - Identified by the user name and PID

• Group: named collection of user accounts that share the same set of permissions on an application’s objects

• Permissions: Privilege

Creating and Joining Workgroups

• Workgroups are created and managed through the Microsoft Access Workgroup Administrator
  - Workgroup Administrator: application separate from Access
  - File name: Wrkgadm.exe

• When a new workgroup is joined, the old workgroup is no longer considered active

User Accounts and Passwords

• Admins group: group account that retains full permissions on all databases created when the workgroup was active

• Users group: group account that contains all user accounts

• Secure workgroup: a workgroup that prompts for a user name and password

Creating a New User Account

Figure 13-2 Entering a user

• Access applications use the user name and PID to determine the identity of the current user

• Users can assign themselves a password when a database is open by using the Change Logon Password tab of the User and Group Accounts dialog box

Figure 13-3 Change Logon Password tab

Workgroup Dynamics

• Workgroups do not share information, including user name and password
  - A user account and password must be created for each workgroup that a particular user must use

• You can modify passwords and create new users within VBA

Users and Their Groups

• Groups with the same group name and PID, regardless of workgroup, receive the same permissions on a particular application

• When an application supports a large number of users, permissions should be managed through groups
  - Easier to assign permissions to a few groups than to each individual user

• You can create or delete groups in the Group tab of the User and Group Accounts dialog box

Figure 13-4 Entering a new group

Adding and Removing Users To and From Groups

• Creating users and groups is less cumbersome under the ADO model than the DAO model
  - Append the new user to the Users collection or the new group to the Groups collection

• A reciprocal relationship exists between the objects in a user’s Groups collection and the objects in the group’s Users collection

Figure 13-6 Relationship between security-related objects in collections

Using and Assigning Permissions

• Permissions can be assigned to:
  - All database objects
  - Database
  - Individual users
  - Groups of users (all members of the group have the same permissions)

• Permissions can be assigned through the User and Group Permissions dialog box

Figure 13-7 User and Group Permissions dialog box

Assigning Permissions Through User and Group Permissions Dialog Box

• With OwnerAccess Option declaration
  - Used when the developer would like the user to update data in a table, but does not want the user to view the details of the table’s design
  - When possessed by a query, a user can run the query as long as the owner of the query has the appropriate permissions

Setting and Using Permissions in VBA

• Access stores information related to permissions in properties of the Container and Document objects
  - Containers collection
    - Located inside a database object
    - A container exists for every type of object used in an Access application
    - Contains a document collection, which also exists for every object

• SetPermissions method: sets a value that establishes the permissions for the user or group identified by the Group or User object

• GetPermissions method: retrieves permissions once they have been set

• Bitwise arithmetic: involves a bit-by-bit comparison of identically positioned bits in two numeric expressions
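
The bitwise tests described above, applied with the ADOX GetPermissions and SetPermissions methods to audit what the Users group can do to each table. This is an added example, not code from the original chapter; the procedure names are hypothetical, and it assumes a reference to ADOX and a logon that holds Administer permission on the tables.

```vba
' Added example. Needs a reference to "Microsoft ADO Ext. for DDL and Security" (ADOX).
Option Explicit

' True when every bit set in wanted is also set in granted.
Private Function HasRights(ByVal granted As Long, ByVal wanted As Long) As Boolean
    HasRights = ((granted And wanted) = wanted)
End Function

' Hypothetical audit routine: reports the data rights the Users group holds on
' each table and, when doRevoke is True, revokes the group's rights on it.
Public Sub AuditUsersGroupTableRights(ByVal doRevoke As Boolean)
    Dim cat As ADOX.Catalog
    Dim grp As ADOX.Group
    Dim tbl As ADOX.Table
    Dim granted As Long
    Dim dataRights As Long

    Set cat = New ADOX.Catalog
    Set cat.ActiveConnection = CurrentProject.Connection
    Set grp = cat.Groups("Users")

    ' Bitwise Or builds one mask out of several individual rights.
    dataRights = adRightRead Or adRightInsert Or adRightUpdate Or adRightDelete

    For Each tbl In cat.Tables
        If tbl.Type = "TABLE" Then          ' skip system tables, queries and links
            granted = grp.GetPermissions(tbl.Name, adPermObjTable)

            ' Bitwise And keeps only the bits present in both operands.
            If (granted And dataRights) <> 0 Then
                Debug.Print tbl.Name; _
                    " read="; HasRights(granted, adRightRead); _
                    " insert="; HasRights(granted, adRightInsert); _
                    " update="; HasRights(granted, adRightUpdate); _
                    " delete="; HasRights(granted, adRightDelete)
                If doRevoke Then
                    ' adAccessRevoke removes explicit rights from the group for this table.
                    grp.SetPermissions tbl.Name, adPermObjTable, adAccessRevoke, dataRights
                End If
            End If
        End If
    Next tbl
End Sub
```

Run it first with doRevoke set to False and read the Immediate window; because every account belongs to the Users group, any table listed there is readable or writable by every account in the workgroup.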

Owner and Admins Group Security Problems

• User-level security is not complete until you have considered the special capabilities of Admins group members and owners

• Owners of an object always have the ability to assign themselves full permissions on the object

• If an application was created in an unsecured environment, the Admin account is the owner of all objects


Table 13-1 Permissions granted to users

• Important implications of these relationships:
  - Admin account should not own any object in a secure application
  - Workgroup used to create an application should not be distributed as part of the application

• Developers can restrict the permissions of the Admin account and Admin group

Changing Object Ownership and Creating a Secure Application

• Object owner
  - User who creates an Access object
  - Always has full permissions applicable to an object

• Administer permission
  - Exists regardless of whether the user is a member of the Admins group or whether an account in the Admins group attempts to change the owner’s permission

• If an object is not a database, its ownership may be changed through the Change Owner tab on the User and Group Permissions dialog box

Figure 13-8 Change Owner tab

Changing Object Ownership

• Owners of a database always have the right to open the database

• To change the ownership of an entire database:
  - Import the database into Access while you are logged on using the account of the new owner

Figure 13-9 Import Objects dialog box

Changing Database Ownership and Securing an Application

• The import database technique is one way to secure an unsecured application
  - Allows ownership of all objects, including the database, to be transferred from an unsecured database

The User-Level Security Wizard

• The User-Level Security Wizard will:
  - Create a new database
  - Import all the objects from the old database
  - Remove all permissions from the Users group
  - Encrypt the new database

• Application’s performance will be degraded slightly because it now uses an encrypted database

Preparing a Workgroup for Distribution

• Each computer that runs an Access application must have access to:
  - The application files
  - The workgroup information file
    - The Access default workgroup information file is used to run an application, or
    - The developer will distribute a workgroup information file

Chapter Summary

• Security can be provided at both the application and the user levels

• Application-level security has the same effect on all users of a particular Access database file

• Database files can be encrypted and assigned a password

• User-level security provides different types of security for different users

• Key to understanding how user-level security is implemented is to understand the relationships between workgroups, groups, users, owners, and permissions


• Admins members can always modify their own permissions when the workgroup that created an Access application is active

• Owners can modify their own permissions no matter which workgroup is active

• Security features can be implemented through Access menus and VBA
