Predefined Microsoft Access Security Accounts

This help information from Access 97 was so useful that I decided to include it in on the web site. This information became obscured in Access 2000 or later help files.

A Microsoft Access workgroup information file contains the following predefined accounts.

Admin The default user account. This account is exactly the same for every copy of Microsoft Access and other applications that can use the Microsoft Jet database engine, such as Microsoft Visual Basic for Applications and Microsoft Excel. In my book, I call this the anonymous account because a user can always join a workgroup that has this account enabled as a member of the Admins group.

Admins The administrator's group account. This account is unique to each workgroup information file. By default, the Admin user is in the Admins group. There must be at least one user in the Admins group at all times.

Users The group account comprising all user accounts. Microsoft Access automatically adds user accounts to the Users group when a member of the Admins group creates them. This account itself is the same for any workgroup information file, but it contains only user accounts created by members of the Admins group of that workgroup. By default, this account has full permissions on all newly-created objects. The only way to remove a user account from the Users group is for a member of the Admins group to delete that user. In my book, I call this the anonymous group as it is always there and the Admin user is always a member of it.

Always On Security

In effect, security in Microsoft Access is always "on." Until you activate the logon procedure for a workgroup, Microsoft Access invisibly logs on all users at startup using the default Admin user account with a blank password. Behind the scenes, Microsoft Access uses the Admin account as the administrator account for the workgroup, as well as the owner of any databases and objects created.

Administrators and owners are important because they have permissions that can't be taken away:

· Administrators (members of the Admins group), can always get full permissions for objects created in the workgroup.
· An account that owns an object can always get full permissions for that object.
· An account that owns a database can always open the database.

Because the Admin user account is exactly the same for every copy of Microsoft Access, the first steps in securing your database are to define administrator and owner user accounts (or use a single user account as both the administrator and owner account), and then to remove the Admin user account from the Admins group. Otherwise, anyone with a copy of Microsoft Access can log on to your workgroup using the Admin account and have full permissions for the workgroup's objects.

For example, to secure a database named Orders you could create your own OrdersAdmin and OrdersOwner user accounts, and then add passwords to these accounts.

You can assign as many user accounts as you want to the Admins group, but only one user account can own the database itself ¾ the user account that is active when the database is created, or when ownership is transferred by creating a new database and importing all of a database's objects into it. However, group accounts can own objects within a database.

Important

· The accounts you create for users of the database must be stored in the workgroup information file that those users will join when they use the database. If you're using a different file to create the database, change the file before creating the accounts.
· Make sure to create a unique password for your administrator and owner user accounts. A user who can log on using the administrator account can always get full permissions for any objects created in the workgroup. A user who can log on using an owner account can always get full permissions for the objects owned by that user.

Organizing users in groups of users makes it easier to manage a secure database. With this strategy, rather than assign permissions to each user for each object in your database, you assign permissions to a few groups, and then add users to the appropriate group. When users log on to Microsoft Access, they inherit the permissions from any groups they belong to. Only user accounts can log on to Microsoft Access; you can't log on using a group account.

For example, you could secure an Orders database by creating a Managers group for managers, a Sales Reps group for sales representatives, and a Staff group for staff employees. You can assign the least restrictive set of permissions to the Managers group, a more restrictive set of permissions to the Sales Reps group, and the most restrictive set of permissions to the Staff group. When you create a user account for a new employee, you add that account to the appropriate group. The employee then has the permissions associated with that group.

After you create user and group accounts, you can view the relationships between them by clicking User And Group Accounts on the Security submenu (Tools menu), and then clicking the Print Users And Groups button. Microsoft Access prints a report of the accounts in the workgroup, showing the groups to which each user belongs and the users that belong to each group.

Related Pages On This Site

Microsoft Access Passwords, Workgroups and ADO
Using The Workgroup Users Security Wizard
Samples of Developer Workgroup Security Manipulation
Samples of Data Security and Database Passwords
Samples of Menu and Toolbar Protection

Click on the following button to jump to the next page in the document loop.

Links >>>  Home | Search | Workbench | Orders | Newsletter | Access Security | Access professionals