ABC Blocks


Database and Website Design, Development, and Deployment--All in the Service of Your Mission

Access Security is a big topic, but the Microsoft FAQ on Access Security will teach you almost everything you need to know to effectively secure your Access database. It's a dense document, and, unless you're superhuman, you will have to read through it three or four times to get it. Really. But it's worth it. If you're having trouble securing a database, there is something in this document that you do not understand.

The above document contains instructions for securing an Access database. Many people complain that these instructions are not complete, or are inaccurate. In fact, they do cover everything, but some of the steps are more thoroughly documented than others, and this may cause some users difficulty. AlphaBet City Dataworks has created a document that more thoroughly documents the process of securing a database, and also a document that you can use to store the security information you'll need if you ever have to rebuild your workgroup file.

Before securing your database, it is good to understand a bit about how the Access Security model works. In essence, when you open a database, Access checks the username and password you supplied against a workgroup file, which stores user and group accounts and passwords. If you are not asked to supply a username and password, access has determined that the workgroup file being used does not have a password assigned to the default admin account--it uses "admin" and "" as the username and password, in this case. If the username and password supplied are determined to be OK, the database is opened. From that point on, every time you open a database object, Access checks a portion of the database to see whether you have, by virtue of your username and the user groups to which you belong, permission to use the object.

When you assign permissions in an Access database, it is important that you assign permissions to user groups, not individual user accounts. This way, any time an employee leaves you can delete their user account without fear of losing any security settings. And when the replacement shows up, you can easily create a new user account and add that user to the necessary groups, to get the permissions needed.

You cannot delete the Admin user or the admins or users groups. But it is important that you revoke all permissions from these groups. Not doing this will leave your database open to hacking by simply replacing the mdw file with a copy of the default mdw file supplied by Microsoft.

Every user account has a PID and password. Every user group has a PID. PIDs are not passwords, they are keys that Access uses to generate the account or group.

This should go without saying, but backups are critical. Do not be lazy about it. Failing to make a backup could cost you a lot of your time, or, if you're really unlucky, a lot of mine. Make backups. Test your backups. Zip them so you are not tempted to use them.