Overview of Access security (MDB)

Note: The information in this topic applies only to a Microsoft Access database (.mdb).

There are different strategies for controlling the level of access to your Microsoft Access database (Microsoft Access database: A collection of data and objects (such as tables, queries, or forms) that is related to a particular topic or purpose.) and its objects. These strategies are briefly described below, and are roughly arranged by level of security.

Encoding/decoding

The simplest method of protection is to encode the database. Encoding a database compacts the database file and helps protect it from being read by a word processor. Encoding a database that employs no security measures has no effect, because anybody can open the database and gain full access to all objects in the database. Encoding is particularly useful when you transmit a database electronically, or when you store it on floppy disk, tape, or compact disc.

Before you can encode or decode a Microsoft Access database, you must be either the owner (owner: When security is being used, the user account that has control over a database or database object. By default, the user account that created a database or database object is the owner.) of the database or, if the database employs security measures, a member of the Admins group (Admins group: The system administrator's group account, which retains full permissions on all databases used by a workgroup. The Setup program automatically adds the default Admin user account to the Admins group.) of the workgroup information file (workgroup information file: A file that Access reads at startup that contains information about the users in a workgroup. This information includes users' account names, their passwords, and the groups of which they are members.) that contains the accounts used to help protect the database. You must also be able to open the database in exclusive (exclusive: A mode of access to data in a database that is shared over a network. When you open a database in exclusive mode, you prevent others from opening the database.) mode, which means you must have Open/Run and Open Exclusive permissions (permissions: A set of attributes that specifies what kind of access a user has to data or objects in a database.).

Decoding a database reverses the encoding.

Show or hide objects in the Database window

Another method of helping to protect the objects in your database from casual users is to hide the objects in the Database window. This method of protection provides the least security, because it is relatively simple to show any hidden objects.

Using startup options

You use the startup options to specify settings such as a startup form, which opens automatically when your database opens, and your database application title and icon. You can also hide the Database window, and set your own switchboard form. In a new database, the startup properties do not exist until a user makes a change to the default settings in the Startup dialog box.

With a password

Another simple method of providing security is to set a password for opening the Microsoft Access database. Once a password is set, a dialog box that requests the password will be displayed whenever the database is opened. Only users who type the correct password will be allowed to open the database. Once a database is open, all of its objects are available to the user (unless other types of security have already been defined, as described later in this topic). For a database that is shared among a small group of users or on a single computer, setting a password is often all that is required.

Microsoft Access stores the database password in an unencrypted form. If this will compromise the security of the password-protected database, you should not use a database password to protect the database. Instead, you should define user-level security to help control access to sensitive data in that database.

Do not use a database password if you will be replicating (database replication: The process of creating two or more special copies (replicas) of an Access database. Replicas can be synchronized; changes made to data in one replica, or design changes made in the Design Master, are sent to other replicas.) a database. Replicated databases can't be synchronized (synchronization: The process of updating two members of a replica set by exchanging all updated records and objects in each member. Two replica set members are synchronized when the changes in each have been applied to the other.) if database passwords are defined.

With user-level security

The most flexible and extensive method of implementing security measures for a database is called user-level security (user-level security: When using user-level security in an Access database, a database administrator or an object's owner can grant individual users or groups of users specific permissions to tables, queries, forms, reports, and macros.). With user-level security, you can establish different levels of access to sensitive data and objects in your database. To use a database with user-level security, users type a password when they start Microsoft Access. Access reads a workgroup information file, where each user is identified by a unique identification code. The level of access and the objects that a user has access to are established based on this identification code and password.

Although setting up user-level security on most databases can be a daunting task, the User-Level Security Wizard makes it easy to quickly help protect your Access database in a one-step process. Furthermore, by implementing common security schemes, the User-Level Security Wizard minimizes and may even eliminate the need to use the Security command from the Tools menu.

After running the User-Level Security Wizard, you can create your own groups of users, and assign or remove permissions for various users or groups of users for a database and its existing tables, queries, forms, reports, and macros. You can also set the default permissions that Microsoft Access assigns for any new tables, queries, forms, reports, and macros that are created in a database. Permissions are granted to groups and users to regulate how they are allowed to work with each table, query, form, report, and macro in a database.

Using digital signatures

For information about how digital signatures help protect your data by preventing the execution of potentially harmful code, see About digital signatures.

By enabling sandbox mode

For information about how sandbox mode helps protect your data by preventing the evaluation of unsafe expressions, see About Microsoft Jet Expression Service sandbox mode.

Preventing users from replicating a database, setting passwords, or setting startup options

In a multiuser environment, there are many situations where you might need to employ security measures for your database. You might want to prevent users from replicating (replication: The process of copying a database so that two or more copies can exchange updates of data or replicated objects. This exchange is called synchronization.) a database. Replicating a database allows a user to make a copy of a shared database, and also adds fields and makes other changes to the current database. You might want to prevent users from setting a database password, because if they do, no other user will be able to open the database without providing that password. You might also want to keep users from changing startup properties that specify features such as custom menus, custom toolbars (toolbar: A bar with buttons and options that you use to carry out commands. To display a toolbar, press ALT and then SHIFT+F10.), or the startup form.

If a shared database doesn't have user-level security defined, you can't prevent a user from making any of these changes. When user-level security is defined, a user or group must have Administer permissions for the database to replicate a database, set a database password, or change its startup properties. Only members of the Admins group of the current workgroup (workgroup: A group of users in a multiuser environment who share data and the same workgroup information file.) have Administer permissions.

If a user or group currently has Administer permissions for a database, removing that permission will prevent the user or group from making any of these changes. If you need to allow a user or group to perform any of these tasks, you can assign the Administer permissions to that user or group. You can't control access to these three tasks independently.
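The following VBA module is an added example, not part of the original Help topic. It uses the DAO object model to list which accounts currently hold Administer permission on the database and to remove that permission from one account. The procedure names AccountsWithDbAdminister and RevokeDbAdminister are hypothetical, and the code assumes a DAO reference and a logon as a member of the Admins group.

```vba
Option Compare Database
Option Explicit

' Added example. Requires a DAO reference and a logon as a member of Admins.
' Returns the accounts that hold Administer permission on the database itself.
Public Function AccountsWithDbAdminister() As String
    Dim db As DAO.Database, doc As DAO.Document
    Dim grp As DAO.Group, usr As DAO.User
    Dim result As String

    Set db = CurrentDb
    ' The MSysDb document in the Databases container holds database-level permissions.
    Set doc = db.Containers("Databases").Documents("MSysDb")

    For Each grp In DBEngine.Workspaces(0).Groups
        doc.UserName = grp.Name
        If (doc.Permissions And dbSecDBAdmin) = dbSecDBAdmin Then
            result = result & "group:" & grp.Name & vbCrLf
        End If
    Next grp

    For Each usr In DBEngine.Workspaces(0).Users
        ' Creator and Engine are internal Jet accounts, not real logons.
        If usr.Name <> "Creator" And usr.Name <> "Engine" Then
            doc.UserName = usr.Name
            ' AllPermissions adds what the user inherits from its groups.
            If (doc.AllPermissions And dbSecDBAdmin) = dbSecDBAdmin Then
                result = result & "user:" & usr.Name & vbCrLf
            End If
        End If
    Next usr

    AccountsWithDbAdminister = result
End Function

' Removes the explicit Administer permission on the database from one account.
' accountName is a user or group name from the current workgroup file.
Public Sub RevokeDbAdminister(ByVal accountName As String)
    Dim db As DAO.Database, doc As DAO.Document
    Set db = CurrentDb
    Set doc = db.Containers("Databases").Documents("MSysDb")
    doc.UserName = accountName
    doc.Permissions = doc.Permissions And Not dbSecDBAdmin
End Sub
```

Revoking the permission from a user does not remove what that user inherits from a group, so run AccountsWithDbAdminister again afterward to confirm the account no longer appears.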

Securing Microsoft Visual Basic for Applications (VBA) Code

There are two different ways you can help protect Microsoft Visual Basic for Applications (VBA) (Visual Basic for Applications (VBA): A macro-language version of Microsoft Visual Basic that is used to program Windows applications and is included with several Microsoft applications.) code in standard modules (module: A collection of declarations, statements, and procedures stored together as one named unit. There are two types of modules: standard modules and class modules.) and class modules (class module: A module that can contain the definition for a new object. Each instance of a class creates a new object. Procedures defined in the module become properties and methods of the object. Class modules can exist alone or with forms and reports.) (such as code behind forms and reports).

You can help protect your code with a password, which you enter once per session. The password helps prevent unauthorized users from editing, cutting, pasting, copying, exporting, and deleting VBA code.

When your VBA code is error-free and working correctly, you can remove it from your database by saving it as an MDE file. This helps protect the intellectual property of your code.

Securing data access pages

Data access pages (data access page: A Web page, published from Access, that has a connection to a database. In a data access page, you can view, add to, edit, and manipulate the data stored in the database. A page can also include data from other sources, such as Excel.) are HTML (HTML: The standard markup language used for documents on the World Wide Web. HTML uses tags to indicate how Web browsers should display page elements such as text and graphics and how to respond to user actions.) pages that contain references to the data in a Microsoft Access file (Microsoft Access file: A database or project file. In Access 2007, database objects and data are stored in .accdb files. Earlier versions use .mdb files. An Access project file doesn't contain data, and is used to connect to a SQL Server database.). However, the data access pages aren't actually stored in the Access file; they are stored as HTML files, either in the local file system, in a folder on a network share, or on an HTTP (HTTP: Internet protocol that delivers information on the World Wide Web. Makes it possible for a user with a client program to enter a URL (or click a hyperlink) and retrieve text, graphics, sound, and other digital information from a Web server.) server. For this reason, Microsoft Access has no control over the security of data access page files. To help protect the data access page, you must employ security measures for its link and HTML file by using the file system security of the computer where you have stored these files. To help protect the data accessed by the page, you must either employ security measures for the database that the page is connected to or configure Microsoft Internet Explorer security settings to prevent unauthorized access.

Note: Before you distribute the database or data access page, you should remove any personal information that may be stored in the file. See Remove personal information from an Access file or page for more information.

 
 
Applies to:
Access 2003