Chapter 13 Securing an Access Application
Chapter Objectives • Learn about the elements of security • Explore application-level security • Use user-level security
The Elements of Security • Security • Refers to the protection of an application from unauthorized use • Authorization • Specifies who can access and update different objects in the application
The Elements of Security • Application-level security • Makes it difficult for unauthorized users to view the contents of the application • User-level security • Gives different users different permissions for various objects that comprise an application • Permission • Ability to perform an action on an object
Stripping Source Code • .mde file • Compiled database file that cannot be modified; it is also smaller and runs more quickly • Advantages of .mde file • Can be distributed, but users cannot view or change the application’s objects • Protects a developer’s investment in the application
Data Encryption and Decryption • Encryption • Conversion of data from one representation into another • New representation is coded so that it cannot be easily understood • Decryption • Reverses the process of encryption
Data Encryption and Decryption • Security measures supplied by Access apply only to Access • Encryption will make the data more difficult to read • To read encrypted files: • You must possess processes and the decoding key necessary to decrypt the files
Creating a Database Password • Database password • Simplest way to prevent unauthorized access to an Access application • Can be set in the Set Database Password dialog box • You can’t set a database password if user-level security has been defined for your database and you do not have Administer permission for the database
User-Level Security • User account • An object that represents a user (or developer) of an Access application • PID • Case-sensitive string that can hold between 4 and 20 characters • Used in combination with the user name to create a 128-bit machine-readable number
User-Level Security • Workgroup • Set of accounts that tend to access the same set of Access applications • Accounts in the workgroup share the same workgroup information file • Have the .mdw extension • Access reads file information when it starts • Contains information about the users in a workgroup
User-Level Security • Workgroup identifier (WID) • Uniquely identifies a workgroup • Case-sensitive string that can hold between 4 and 20 characters • Owner of an object • Special user who always has full permissions on the object • Identified by the user name and PID
User-Level Security • Group • Named collection of user accounts that share the same set of permissions on an application’s objects • Permissions • Privilege
Creating and Joining Workgroups • Workgroups are created and managed through the Microsoft Access Workgroup Administrator • Workgroup Administrator • Application separate from Access • File name Wrkgadm.exe • When a new workgroup is joined, the old workgroup is no longer considered active
User Accounts and Passwords • Admins group • Group account that retains full permissions on all databases created when the workgroup was active • Users group • Group account that contains all user accounts • Secure workgroup • A workgroup that prompts for a user name and password
Creating a New User Account Figure 13-2 Entering a user
Creating a New User Account • Access applications use the user name and PID to determine the identity of the current user • Users can assign themselves a password when a database is open by using the Change Logon Password tab of the User and Group Accounts dialog box
Creating a New User Account Figure 13-3 Change Logon Password tab
Workgroup Dynamics • Workgroups do not share information including user name and password • A user account and password must be created for each workgroup that a particular user must use • You can modify passwords and create new users within VBA
Users and Their Groups • Groups with the same group name and PID, regardless of workgroup, receive the same permissions on a particular application • When an application supports a large number of users, permissions should be managed through groups • Easier to assign permissions to a few groups than to each individual user
Users and Their Groups • You can create or delete groups in the Group tab of the User and Group Accounts dialog box Figure 13-4 Entering a new group
Adding and Removing Users To and From Groups • Creating users and groups is less cumbersome under the ADO model than the DAO model • Append the new user to the Users collection or new group to the Groups collection • A reciprocal relationship exists between the objects in a user’s Groups collection and the objects in the group’s Users collection
Adding and Removing Users To and From Groups Figure 13-6 Relationship between security-related objects in collections
Using and Assigning Permissions • Permissions can be assigned to: • All database objects • Database • Individual users • Groups of users • All members of the group have the same permissions
Using and Assigning Permissions • Permissions can be assigned through the User and Group Permissions dialog box Figure 13-7 User and Group Permissions dialog box
Assigning Permissions Through User and Group Permissions Dialog Box • With OwnerAccess Option declaration • Used when the developer would like the user to update data in a table, but does not want the user to view the details of the table’s design • When possessed by a query, a user can run the query as long as the owner of the query has the appropriate permissions
Setting and Using Permissions in VBA • Access stores information related to Permissions in properties of the Container and Document objects • Containers collection • Located inside a database object • A container exists for every type of object used in an Access application • Contains a document collection, which also exists for every object
Setting and Using Permissions in VBA • SetPermissions method • Sets a value that establishes the permissions for the user or group identified by the Group or User object • GetPermissions method • Retrieves permissions once they have been set • Bitwise arithmetic • Involves a bit-by-bit comparison of identically positioned bits in two numeric expressions
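The bitwise arithmetic described above, as an added example that is not part of the original slides. It uses the DAO Document object's UserName and Permissions properties rather than the SetPermissions and GetPermissions methods; the table name "Customers" and the group name "Clerks" are hypothetical.

```vba
' Added example, not from the original slides. Needs a reference to the
' Microsoft DAO object library. "Customers" and "Clerks" are hypothetical names.
Option Explicit

Public Function HasPermission(ByVal mask As Long, ByVal required As Long) As Boolean
    ' Compare against the whole constant. Some dbSec* constants set more than
    ' one bit (dbSecRetrieveData includes dbSecReadDef), so testing "<> 0"
    ' would report a partial match as a full grant.
    HasPermission = ((mask And required) = required)
End Function

Public Sub GrantReadOnly()
    Dim db As DAO.Database
    Dim doc As DAO.Document

    Set db = CurrentDb
    Set doc = db.Containers("Tables").Documents("Customers")

    ' UserName selects the account whose mask Permissions reads and writes.
    doc.UserName = "Clerks"

    ' Or sets bits without disturbing the ones already granted.
    doc.Permissions = doc.Permissions Or dbSecRetrieveData

    ' And Not clears bits: remove the three data-modification rights.
    doc.Permissions = doc.Permissions And Not _
        (dbSecInsertData Or dbSecReplaceData Or dbSecDeleteData)

    Debug.Print "Read data:   "; HasPermission(doc.Permissions, dbSecRetrieveData)
    Debug.Print "Delete data: "; HasPermission(doc.Permissions, dbSecDeleteData)
End Sub
```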
Owner and Admins Group Security Problems • User-level security is not complete until you have considered the special capabilities of Admins group members and owners • Owners of an object always have the ability to assign themselves full permissions on the object • If an application was created in an unsecured environment, the Admin account is the owner of all objects
Owner and Admins Group Security Problems Table 13-1 Permissions granted to users
Owner and Admins Group Security Problems • Important implications of these relationships: • Admin account should not own any object in a secure application • Workgroup used to create an application should not be distributed as part of the application • Developers can restrict the permissions of the Admin account and Admin group
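One way to check an application against these implications, as an added example that is not part of the original slides. It walks the DAO Containers and Documents collections and reports every object still owned by the Admin account or still carrying permissions for the Admin account or the Users group; the function names are hypothetical.

```vba
' Added example, not from the original slides. Needs a reference to the
' Microsoft DAO object library; run it while logged on as a member of Admins
' so that every permission mask can be read.
Option Explicit

Private Function Flag(ByVal reason As String, ByVal path As String) As Long
    Debug.Print reason; "  "; path
    Flag = 1
End Function

' Returns the number of findings; details go to the Immediate window.
Public Function AuditDefaultAccounts() As Long
    Dim db As DAO.Database
    Dim cnt As DAO.Container
    Dim doc As DAO.Document
    Dim acct As Variant
    Dim path As String
    Dim findings As Long

    Set db = CurrentDb
    For Each cnt In db.Containers
        ' Permissions set on the container itself.
        cnt.UserName = "Users"
        If cnt.Permissions <> dbSecNoAccess Then
            findings = findings + Flag("Users has container rights", cnt.Name)
        End If

        For Each doc In cnt.Documents
            path = cnt.Name & "\" & doc.Name
            ' An owner can always give itself full permissions on the object.
            If StrComp(doc.Owner, "Admin", vbTextCompare) = 0 Then
                findings = findings + Flag("Owned by Admin", path)
            End If
            ' Admin and Users exist in every workgroup, so any bit set here
            ' is available to anyone using a default workgroup file.
            For Each acct In Array("Admin", "Users")
                doc.UserName = acct
                If doc.Permissions <> dbSecNoAccess Then
                    findings = findings + Flag(acct & " mask=&H" & _
                        Hex$(doc.Permissions), path)
                End If
            Next acct
        Next doc
    Next cnt
    AuditDefaultAccounts = findings
End Function
```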
Changing Object Ownership and Creating a Secure Application • Object owner • User who creates an Access object • Always has full permissions applicable to an object • Administer permission • Exists regardless of whether the user is a member of the Admins group or whether an account in the Admins group attempts to change owner’s permission
Changing Object Ownership and Creating a Secure Application • If an object is not a database, its ownership may be changed through the Change Owner tab on the User and Group Permissions dialog box Figure 13-8 Change Owner tab
Changing Object Ownership • Owners of a database always have the right to open the database • To change the ownership of an entire database: • Import the database into Access while you are logged on using the account of the new owner
Changing Object Ownership Figure 13-9 Import Objects dialog box
Changing Database Ownership and Securing an Application • The import database technique is one way to secure an unsecured application • Allows ownership of all objects, including the database, to be transferred from an unsecured database
The User-Level Security Wizard • User-Level Security Wizard WILL: • Create a new database • Import all the objects from the old database • Remove all permissions from the Users group • Encrypt the new database • Application’s performance will be degraded slightly because it now uses an encrypted database
Preparing a Workgroup for Distribution • Each computer that runs an Access application must have access to: • The application files • The workgroup information file • The Access default workgroup information file is used to run an application or • The developer will distribute a workgroup information file
Chapter Summary • Security can be provided at both the application and the user levels • Application-level security has the same effect on all users of a particular Access database file • Database files can be encrypted and assigned a password
Chapter Summary • User-level security • Provides different types of security for different users • Key to understanding how user-level security is implemented is to understand the relationships between workgroups, groups, users, owners, and permissions
Chapter Summary • Admins members can always modify their own permissions when the workgroup that created an Access application is active • Owners can modify their own permissions no matter which workgroup is active • Security features can be implemented through Access menus and VBA