views:

1475

answers:

5

What is the simplest way to allow one user write access and everyone else read-only access to a MS Access database on a local network?

I trust my users, but unfortunately Access saves changes to data as soon as the row of a table is deselected. Accidental keystrokes are saved without the user asking for the changes to be saved.

+1  A: 

This is the cheeky answer, but if you need better security, seriously consider upgrading to a more robust RDBMS.

Christian Oudard
I thought Access was intended to be a simple database for an individual's desktop, not a multi-user enterprise solution. If it was, there wouldn't have been no reason for SQL Server.
duffymo
I thought so too, but I often see Word documents and spreadsheets shared on a network, and most people treat Access the same.
Liam
sadly true, i had to write a multi user access db at one place because they wouldnt give us SQL server. it was painful to say the least
Neil Aitken
@Neil: SQL Server Express (or MSDE from the past) would have solved the problem.
HardCode
+3  A: 

The easiest way would be to use share permissions. Grant write access to a group and put the users who must write to the database in that group. Put everyone else in a read group. This assumes you have a Windows domain, of course.

Here is a site that has some information on securing Access databases. It deals with Access 2000, there may be more options for newer versions.

Dave Swersky
A very common reason for problems in accessing an Access database is that not all users have full permissions on the directory.
Remou
Actually, they don't need full permissions -- only everything *but* DELETE permission. That will mean the LDB file won't be deleted, but that doesn't matter. That's the way Jet before version 3.0 worked by default.
David-W-Fenton
Thanks, putting the .mdb file in a shared folder where only one user has full permissions and the others have only read permission seems to work nicely.
Liam
A: 

Fact is, there is NO functional security for an access database.

The link below sells software that will 'recover' your access database Even if it has a a password.

It is a good thing they exist. Their program saved one of my customer's butts once when their previous programmer died and no one else had the password. Thanks to this program we could not get in and no data was lost.

http://www.stellarinfo.com/access-recovery.htm

And before you even think it, No, I do not work for them.

CurtTampa
The db password is indeed not an especially secure device. This doesn't mean that there's "no functional security." Prior to 2007, the user-security model was robust. I suspect the Stellar Info tool would not work on pre-2007 user-security and I don't see support listed for the 2007 version.
John Mo
+3  A: 

Some thoughts on controlling user rights to a Jet data store:

  1. if you really want to lock things down, you'll never manage it with Jet, as it's inherently vulnerable because the user has to have WRITE access to the MDB file.

  2. if you are content with controlling rights to the data in your front-end application, you could provide different front ends (one for WRITE users and one for READ-ONLY).

  3. if you're not using ACCDB format, you can use Jet user-level security. It's a surprisingly complicated technology if you really want to lock down access to the data -- you have to follow all the instructions in the Jet Security White Paper to the letter, or your data will be open to anyone with the standard Jet workgroup file. And even once you're done, it is crackable (though not without spending $$$ to buy cracking software). BTW, database passwords before Access 2007 were completely useless and easily cracked. Access 2007 enhances the security by raising the level of data encryption, but a database password causes lots of issues and doesn't allow you to have more than one level of access (unless you provide two different front ends with different passwords -- cf. #2).

  4. if you just want to use Jet ULS to control access in your front end, you can add your users to groups and then check the group membership in your front-end UI objects (i.e., forms), and give WRITE permission to the users who are in the user group that provides that level of access. The easiest way to do this, assuming you have more READ-ONLY users than those with WRITE permission is to have the READ-ONLY users log on as the default admin user (i.e., you do nothing for their setup), and have the WRITE users log on as a user in the group with WRITE permission. In other words, if they aren't logged on as user "admin", they have full WRITE access.

  5. another alternative is to use NTFS security groups. API code for that is found on the Access Web, but it does require a Windows administrator to implement for you. Again, you would be limiting access in your front end application, rather than actually restricting user rights in the back-end MDB.

Only Jet ULS actually allows you to prevent a READ-ONLY user (who hasn't cracked your workgroup file) from editing your data. All users have to have network access to your back-end MDB, but you can make it hard for them to get to the data even without jumping through the hoops in implementing Jet ULS. Here are some steps to do that (and yes, all of these are a form of "security by obscurity" and will only slow down a READ-ONLY user determined to hack your back end):

  1. Right click each table in your back end and turn on the HIDDEN attribute. This can also be done in code (see SetHiddenAttribute in Help). Naturally, if the end user sets their Access options to display hidden tables, this won't do anything. But most end users don't know about that, and if your users are running your app in the runtime, they won't have the option.

  2. Change the back-end database's Startup Properties to not display the database window and to not use special keys. You can find code for setting the startup properties in the Help topic for "AllowBypassKey".

  3. In your back-end, create a macro named AutoExec with one command, Quit. With special keys disabled, there is no way to prevent the execution of this macro, and as soon as the user attempts to open the back end (even if they hold down the SHIFT key, i.e., the standard keystroke for bypassing all startup routines), the database (and the instance of Access) will close.

Now, all of these things can be undone by someone who knows what they are doing. If you gave me a back end with these things implemented, I'd be in it in about 5 minutes, simply by running code in another Access database to change all these startup properties to give me access.

But your end users likely don't have that level of expertise. Any such user who does probably ought to be a WRITE user, no? :)

Yes, of course -- all of these things are easily hackable by anyone who knows how. But it's also easy to break into your house in seconds for the person with the right tools. That doesn't mean you don't lock the doors, even though it's not bulletproof protection from burglary.

Another consideration is that if you provide your users only the Access runtime instead of full Access, they won't be able to undo any of these settings in your back-end MDB.

Last of all:

Security is not solely a technical issue -- most of it is, in fact, a people problem. In order for people to do their work, you have to trust them to a certain extent in giving them access to your data. There is no technical solution to the problem of the untrustworthy system administrator, for instance, and the only way to fully protect your data is to not give them any access to it at all.

David-W-Fenton
@David Thanks for your input! I have clarified my question as I think we need a simpler solution
Liam
A: 

I think it is possible using an ODBC connection to use Access as an interface to almost any database. For example, I have successfully configured a SQL Server 2008 Express Edition database with 2 users, one read/write and one read-only. I have been able to connect to the database from Access by opening an ODBC data source. So a user can have the Office-based report-generating and mail-merging functionality they are familiar with. But with any database server you wish.

Liam
Yes, you'll definitely want to opt for SQL Server Express over an .MDB backend. Good choice!
HardCode

related questions