Securing the Front End database

[Guest]

Hello all,

First of all, I am still new to securing the database. What I want to do is
I want to secure my front end database from unauthorized people getting into
the database. Yesterday I was playing around with the User-Level Security
Wizard. As the results, I got a mdw, bak and shortcut of my Front End file.
Before I ask a few questions on what I confuse, I would like share with you a
little bit of what I do.

I make changes from time to time to the front end database. Then I email it
to the users. The BE is saved in the network. These are my questions:

1. Whenever I need to make changes to the FE, do I make changes on the
actual FE (or shortcut)?
2. If I do make changes to the actual FE, will the shortcut be reflected?
3. After I make changes, do I email the shortcut or actual FE to the users?
4. Where do I save the mdw file? Is it in the network where I have the BE?
5. In the future, if I want to add a new user, how do I go about adding?

Thanks.

 

[Guest]

AccessHelp,

1. Whenever I need to make changes to the FE, do I make changes on the actual >FE

YES, but you need to use the shortcut and log in as Admin.

2. If I do make changes to the actual FE, will the shortcut be reflected?

YES, the shortcut loads the changed FE file.

3. After I make changes, do I email the shortcut or actual FE to the users?

NEITHER. Once the FE is updated the changes will be seen by all users
provided the FE is on a shared network drive.

4. Where do I save the mdw file? Is it in the network where I have the BE?
YES

5. In the future, if I want to add a new user, how do I go about adding?

Tools, Security, User and Group Accounts, Users

NOTE:
If your FE is setup correctly then no one should be able to open that file
by double-clicking on it. If you double-click your FE and it opens without
any warning messages then something is very wrong, it is not secured.

For help on securing your FE look here: http://www.jmwild.com/security02.htm

-Alias

 

[Guest]

Hi Alias,

Thanks for your help. I follow your steps, and there are something that I
didn't quite understand. Please see below.

1. The database that I secure is linked to 3 other databases. When I
secure that database, the other 3 databases are automatically secured too.
Why, and how do I unsecure the other 3?
2. When I went thru the steps from the link that you gave me, I didn't get
the step 21 where you get an option of having a shortcut to the secure
database.
3. Also after I went thru all 32 steps, why do I need to go thru the steps
below to join the default System.mdw file? Then if I do that, I would not
able to the database at all. Why would I want to do that?
4. Now my FE database (and other 3 linked to the FE) are protected. When I
click on the FE (and the other 3), the database will open and prompt me for a
user name and password. Is it secure now?
5. I assigned one of the users to Full Data Access, Read, and Update.
After I tried to get into the database with that user, why did I able to get
into the design and change and create the design an object?

I know I have asked a lot of questions. I really appreciate you for helping
me.

 

[Joan Wild]

1. The database that I secure is linked to 3 other databases. When I
secure that database, the other 3 databases are automatically secured
too. Why, and how do I unsecure the other 3?

They are not secured. When you created a new workgroup file, Access made it
the default one to use in all sessions. The workgroup file is tied to the
session, not the database. Since your default mdw is the secure mdw you
used to secure database 1, and it is now the default, you'll be prompted for
username/password for every session of Access.

Use the workgroup administrator to rejoin system.mdw. This is the workgroup
that ships with Access. Access always uses a workgroup file, whether you
implement security or not.

2. When I went thru the steps from the link that you gave me, I
didn't get the step 21 where you get an option of having a shortcut
to the secure database.

That's not really an option. You want to remain joined by default to
system.mdw. Access will use that for all sessions. When you create a
desktop shortcut, it will use the /wrkgrp switch which will over-ride the
default and use the specified mdw file *for that session*. Opening Access
any other way will use the system.mdw and no login will be required.

3. Also after I went thru all 32 steps, why do I need to go thru the
steps below to join the default System.mdw file? Then if I do that,
I would not able to the database at all. Why would I want to do that?

See above.

4. Now my FE database (and other 3 linked to the FE) are protected.
When I click on the FE (and the other 3), the database will open and
prompt me for a user name and password. Is it secure now?

A good test is to rejoin system.mdw and then try to open these databases by
double-clicking on the file in Windows Explorer. You should not be able to
even open them.

5. I assigned one of the users to Full Data Access, Read, and Update.
After I tried to get into the database with that user, why did I able
to get into the design and change and create the design an object?

You can open the mdb and go to Tools, Security, User and Group permissions
and verify the permissions that this group has. I don't believe the Full
Data Access group prevents the creation of new objects. You may want to
uncheck their 'modify design' permissions though. Remember that when you
are looking at permissions, you want to look at 'group' permissions, not
user permissions.

 

[Guest]

Joan,

Thanks. I have a few more questions.

1. Do I create a shortcut of my FE and join the shortcut FE to the Database
Security.mdw that I created? And I rejoin the actual FE to the default
System.mdw?
2. So if I do step 1, I will not able to open the actual FE. Therefore,
how do I make changes to the actual FE? Will it also lock the BE?

I am confused. What I do is, I make changes to the FE from time to time.
Then I email the FE to the users for them to use. Now I am trying to secure
the database from unauthorized people get into the database. If you would,
please share with me step-by-step on implementing the whole thing.

Thanks very much.

 

[Joan Wild]

Open Access and go to Tools, Security, Workgroup Administrator.
It will tell you what your current default mdw file is. It should be
system.mdw (the one that ships with Access). It usually is located in the
windows system folder, but that depends on the Operating System. You could
search for it first - Start, Search.

If you are not already joined to this mdw, then click on Join and join it.

Now create a desktop shortcut. It will have the following in the target:
"path to msaccess.exe" "path to FE" /wrkgrp "path to Database Security.mdw"
You'll need to substitute the correct paths in the above.

When you need to make changes to this secure mdb, use the desktop shortcut
to open it. For all other non-secured mdb files, just open Access and it'll
use the standard system.mdw file.

 

[Guest]

Hi Joan,

I really appreciate you for helping me. I think I am almost there. Please
help. This is what I have currently.

I changed the target of the shortcut to the string that you told me. Then I
sent it to the users. When the users click on it from their local drive, it
will prompt them for the login info. The shortcut is pointed to the same FE
on the shared drive. The only problem I see is when more than one user tries
to use, would it let them use since it pointed to the same FE?

As far as the actual FE and other databases, they have rejoined to the
generic System.mdw, so now they are not prompted for a login info. However,
when I click on the FE in Windows Explorer, it opens. I thought it should
not open? Am I missing something?

Again, Thanks very much. Please help.

 

[Joan Wild]

I changed the target of the shortcut to the string that you told me.
Then I sent it to the users. When the users click on it from their
local drive, it will prompt them for the login info. The shortcut is
pointed to the same FE on the shared drive. The only problem I see
is when more than one user tries to use, would it let them use since
it pointed to the same FE?

Yes it will work, however you shouldn't have each user opening the same copy
of the FE. You should give a copy of it to each user that they put on their
local computer. It will still contain the linked tables (linked to the
backend on the server).

As far as the actual FE and other databases, they have rejoined to the
generic System.mdw, so now they are not prompted for a login info.
However, when I click on the FE in Windows Explorer, it opens. I
thought it should not open? Am I missing something?

Yes. That is a good test to see if you implemented security properly. You
should not be able to even open the file, while using system.mdw (and that
is what you are doing - you are joined by default to system.mdw and opening
the mdb in WE would use this default and you shouldn't succeed).

You've missed a step somewhere.

 

[Guest]

Thanks Joan. I don't really know where I missed. I will look into it again.
Do you happen to know where?

 

[Joan Wild]

Security is complex, and so it is difficult for me to know what step you
missed.

One of the following?
You copied system.mdw and renamed it, rather than creating a new workgroup
file using the workgroup administrator.

The Users Group still has permission to Open/run the database object. They
should have *NO* permissions on any object.

The Admin User still owns the database object (and perhaps others).