Setting up users and passwords

[SH]

Hi

I'm working on Access 2000 DB, in a multi-users environment.
The first form when the users access the DB is the logon form, which will
capture the logged on user name and put it in the user name field then asks
for a password.

What I need to do it 2 things:
1- After the user enters the password, and click OK, I want it to go and
search in a UserName table to see if the user name is there first and then
check the password if it's correct or no, then display a proper message or
let him in.

2- If I used User-level security, can I get users with certain permissions
to add new users in the future and set there passwords, or no?

Any help is highly appreciated

SH

 

[Graham Mandeno]

Hi SH

Don't store your usernames and passwords in a table - it will never be
sufficiently secure. You should secure the database properly using
user-level security (ULS)and let Access look after the usernames and
passwords and permissions.

There are some important steps to follow:

Step 1: Carefully read the Access Security FAQ, which you will find at
http://support.microsoft.com/support/access/content/secfaq.asp

Step 2: Read it again

Step 3: Print it out and sleep with it under your pillow

Step 4: Read it again, every day for a week

Step 5: Secure your database

I often set up a UserInfo table, keyed by Username, in addition to ULS to
store other user-specific data such as full names, departments, phone
numbers, etc, but this should never be used for passwords and permissions.

To add/delete/modify users, the current user must be a member of the Admins
group in the current workgroup file. It's possible to set this up so that
the Admins group can administer users, but *not* the permissions on objects
in your database. This is described in FAQ #33.

 

[Jeff Conrad]

I'm working on Access 2000 DB, in a multi-users environment.
The first form when the users access the DB is the logon form, which will
capture the logged on user name and put it in the user name field then asks
for a password.

What I need to do it 2 things:
1- After the user enters the password, and click OK, I want it to go and
search in a UserName table to see if the user name is there first and then
check the password if it's correct or no, then display a proper message or
let him in.

2- If I used User-level security, can I get users with certain permissions
to add new users in the future and set there passwords, or no?

In addition to Graham's excellent advice, I would recommend all of the
following reading material for User Level Security:

Access User-Level Security:

Security FAQ (the Security Bible):
http://support.microsoft.com/?kbid=207793

Jack Macdonald's Security Document:
http://www.geocities.com/jacksonmacd/AJMAccessSecurity.pdf

Lynn Trapp's Ten Security Steps:
http://www.ltcomputerdesigns.com/Security.htm

Joan Wild's Tips:
http://www.jmwild.com/security02.htm

The Security Whitepaper is also worth reading:
http://support.microsoft.com/?id=148555

Keith Wilby's Instructions (See step-by-step link)
http://www.keithwilby.com/

Other Good Information:
http://www.access-experts.com/default.aspx?selection=TutorialSecurity&sm=18

Other Microsoft KB articles of interest:

Description of how to help protect a Access 2000 database:
http://support.microsoft.com/?id=254372

Description of the role of workgroup information files in Access security:
ACC97: http://support.microsoft.com/?id=303941
ACC2000: http://support.microsoft.com/?id=305541
ACC2002/2003: http://support.microsoft.com/?id=305542

Exploring Microsoft Access Security:
http://msdn.microsoft.com/library/d...s/dnacc2k2/html/odc_AcSecurity.asp?frame=true

 

[Rob Oldfield]

Just agreeing with Graham and Jeff. If you rely on tables and password
matching type stuff then you have no security. You might as well rely on
the power of prayer to stop anyone doing anything bad in your db.