Security on Objects issue

[Tony_VBACoder]

I have applied security to my Access 2002 database and
have run into some security related message boxes and
wanted to know why I am getting these.

I have a user named "Homer Simpson" and he is assigned to
the Group "Read-Only Users". In the "User and Group
Permissions" dialog box, this group has NO permissions
checked (all options are unchecked) for the "<New Forms>"
object. However, for each form object in the "Object
Name" list, I have given this group only "Open/Run"
permission so that the users can only open the forms.

Now, when "Homer Simpson" logs into the application and
decides to try and create a NEW form from the database
window, he first gets the following message box:

"You do not have exclusive access to the database at this
time. If you proceed to make changes, you may not be able
to save them later."

If he clicks on OK, the "New Form" wizard dialog box
appears and he is able to go through and create a Form,
just as if he has permission to do so (which he doesn't).
However, when he goes to save this new form, he is
presented with the following message box and his form does
not save:

"You do not have exclusive access to the database. Your
design changes cannot be saved at this time. Do you want
to close without saving your changes?"

My First question is, why is this user even able to create
a Form when I set the permission on the "<New Forms>"
object to be NOTHING?

Second question: If Homer Simpson selects a Form from the
Database window and clicks on the "Design" button, he is
presented with the following 2 message boxes:

"You do not have exclusive access to the database at this
time. If you proceed to make changes, you may not be able
to save them later."

If he clicks the Cancel button, this message box goes
away. However, if he clicks the OK button, he is
presented with another message box:

"You dont have permission to read 'frmMyForm.'. To read
this object, you must have Read Design permission for it.
For more information on permissions and who can set them,
click Help."

Why is he getting this 2nd message box, and is there a way
of just having the 1st message box displayed? The 1st
message box should be sufficient.

 

[Joan Wild]

You have two different issues here...more....

I have a user named "Homer Simpson" and he is assigned to
the Group "Read-Only Users". In the "User and Group
Permissions" dialog box, this group has NO permissions
checked (all options are unchecked) for the "<New Forms>"
object. However, for each form object in the "Object
Name" list, I have given this group only "Open/Run"
permission so that the users can only open the forms.

Now, when "Homer Simpson" logs into the application and
decides to try and create a NEW form from the database
window, he first gets the following message box:

"You do not have exclusive access to the database at this
time. If you proceed to make changes, you may not be able
to save them later."

This isn't related to the user level security. Starting with version 2000,
users need exclusive access to the mdb in order to make design changes (has
nothing to do with security).

If he clicks on OK, the "New Form" wizard dialog box
appears and he is able to go through and create a Form,
just as if he has permission to do so (which he doesn't).

But he does. The permission you set on <New Forms> does not affect
'whether' he can create new forms, but rather dictates the permission he
will have on newly created forms. Even that is academic, because he will
own the new object, and as such have full permission on it. It is useful
though to set this as it will apply to non-owners.

However, when he goes to save this new form, he is
presented with the following message box and his form does
not save:

"You do not have exclusive access to the database. Your
design changes cannot be saved at this time. Do you want
to close without saving your changes?"

Again, it's the exclusive access issue - nothing to do with security.

My First question is, why is this user even able to create
a Form when I set the permission on the "<New Forms>"
object to be NOTHING?

As above, you misunderstand the permission on <New Forms>. There is sample
code in the security FAQ you can use to deny them permission to create new
objects.
http://support.microsoft.com/?id=207793

Second question: If Homer Simpson selects a Form from the
Database window and clicks on the "Design" button, he is
presented with the following 2 message boxes:

"You dont have permission to read 'frmMyForm.'. To read
this object, you must have Read Design permission for it.
For more information on permissions and who can set them,
click Help."

Why is he getting this 2nd message box,

Because you gave him only Open/Run permissions; not Read Design nor Modify
Design.

and is there a way
of just having the 1st message box displayed? The 1st
message box should be sufficient.

They shouldn't even be able to see the database window:

Create custom menus/toolbars for use throughout your application.
Create a startup form (a main menu form if you have one) that is opened on
startup.
Use the features in Tools, Startup to
set the startup form
set your default menu (the custom one you made)
disable all the checkboxes about allowing built in menus, toolbars,
changes etc.
hide the db window (ensure the custom menu you create does not
include the Windows, Unhide item
Uncheck the allow special keys (this will disable the F11 key, among
others)

If you need to bypass these startup features, you can hold the shift key
down while you open the db. If you feel that your users may use this to
bypass your settings, you can disable the shift key bypass - there's an
example in help for doing this(look for AllowBypassKey) or at
http://www.mvps.org/access/modules/mdl0011.htm
and
http://www.mvps.org/access/general/gen0040.htm

You can also create a MDE from your database, which will prevent changes to
forms, reports and modules (If you do this, be certain to keep your original
mdb in case you need to make changes).