<<

. 13
( 14)



>>

You must open the database exclusively in order to set the database password. To open the
Note
database exclusively, select the Open Exclusive button from the Open pull-down menu in
the lower-right corner of the Open dialog box, as shown in Figure 22-2.




Figure 22-2: Opening a database in exclusive mode.

2. Select Tools_Security_Set Database Password (refer to Figure 22-1).
3. In the Password field, type the password that you want to use to secure the database
(see Figure 22-3). For this example, use the password bible. Access does not display
the password; rather, it shows an asterisk ( * ) for each letter.




Figure 22-3: Creating a database password is the simplest way to secure your database.
Part III ¦ Beyond Mastery: Initiative Within Office
520

4. In the Verify field, type the password again. This security measure ensures that you
don™t mistype the password (because you can™t see the characters that you type) and
mistakenly prevent everyone, including you, from accessing the database.


For maximum security, when entering a password, you should follow standard password
Tip
naming conventions. That is, you should make the password a combination of letters and
numbers that won™t represent any easily known or deduced combination. People often un-
wisely use a birthday, their name, their address number, or a loved one™s name, which are all
poor choices for passwords because another person could deduce them fairly easily. On the
other hand, you shouldn™t make the password so difficult to remember that you and others
accessing the database will have to write it down to use it. A written password is a useless
password.

5. Click OK to save the password.

Caution
You can™t synchronize replicated databases that have database passwords. If you plan to use
Jet™s replication features and you need database security, you must use user-level security.

After you save the database password, any user who attempts to open the database must
enter the password. Although this method controls who can access the database, it doesn™t
control what users are allowed to do with the objects and data after they have opened the
database. To control objects, you need to fully implement Jet™s user-level security, which is
discussed in the following section.

After a database has been protected with a database-level password, you must supply the
Note
password when linking to any of its tables. This password is stored in the definition of the link to
the table.

To remove a database password, follow these steps:
1. In Access, open the secure database exclusively. You must open the database
exclusively to be able to remove the database password.
2. Select Tools_Security_Unset Database Password. This menu option replaced the
option labeled Set Database Password before the database password was set.
3. In the Password field, type the password of the database (see Figure 22-4).
4. Click OK to unset the password.




Figure 22-4: You can remove a database password by entering the password in the
Unset Database Password dialog box.
Chapter 22 ¦ Adding Security to Access Applications 521

If you remove a database password from an Access database, users are no longer required to
enter a password to access the database unless you have enabled user-level security.

Any user who knows the database password has the ability to change or remove the database
password. You can prevent this situation by removing the Administer permissions from the
Note
database for all users except the database administrator. This is discussed in more detail later
in this chapter.


Microsoft Access stores the database password in an unencrypted form. If you have sensitive
Caution data, this can compromise the security of the password-protected database. In situations where
data security is critical, you should consider defining user-level security to control access to
sensitive data. User-level security is covered in depth later in this chapter.



Using Visual Basic to Set A Password
You also can set a database password using Visual Basic code. The following code changes the
database password of the currently opened database:
Public Sub ChangeDatabasePassword()
On Error GoTo ChangeDatabasePasswordErr
Dim szOldPassword As String, szNewPassword As String
Dim db As Database
Set db = CurrentDb
szOldPassword = “”
szNewPassword = “shazam”
db.NewPassword szOldPassword, szNewPassword
Exit Sub
ChangeDatabasePasswordErr:
MsgBox Err & “: “ & Err.Description
Exit Sub
End Sub
If no database password is set, you pass a zero-length string (“”) as the old password parameter. If
a database password is assigned and you want to remove the password, pass the database
password as the old password parameter and pass a zero-length string (“”) as the new password.




Using the /runtime Option
If you™re not concerned with protecting your application but simply want to prevent users
from mistakenly breaking your application by modifying or deleting objects, you can force
your application to be run in Access™s runtime mode. When a database is opened in Access™
Part III ¦ Beyond Mastery: Initiative Within Office
522

runtime mode, all the interface elements that allow changes to objects are hidden from the
user. In fact, while in runtime mode, it is impossible for a user to access the Database
window. When using the runtime option, you must ensure that your application has a startup
form that gives users access to whatever objects that you want them to be able to access.
Normally this is the main menu or main switchboard of your application.

You must purchase and install the Microsoft Visual Studio Tools for the Microsoft Office
Note System to use the /runtime switch. This suite of tools includes a runtime version of Access that
allows you to distribute a royalty-free licensed copy of your Access 2003 applications to users,
whether they have Access on their machine or not.


To assign a form as a startup form, open the database that you want to use, choose Tools_Startup
Tip
and select the form that you want to be the startup form from the Display Form/Page drop-down
list. Startup forms are covered more in-depth in the following section.

To create a shortcut to start your application in Access™s runtime mode, follow these steps,
using the Chap34Start.mdb database:
1. Go to the subdirectory that contains Microsoft Access (MSACCESS.exe).

Note
On most computers, the MSACCESS.EXE file is located in the “C:\Program Files\Microsoft
Office\OFFICE11\” folder.

2. Highlight the Microsoft Access program and select File_Create Shortcut, or right-
click on the program file and select Create Shortcut from the menu-on-demand.
Windows creates a shortcut in the same directory, naming it “Shortcut to
Msaccess.exe.”
3. Right-click the newly created shortcut, select Properties from the menu, and then
click the Shortcut tab when the Properties dialog box opens.
4. In the Target: field, append the following parameters to the path of
MSACCESS.EXE (program): A space, the full path name and filename of the
database to open in runtime mode, another space, and then /runtime.
For example, the following command line starts Access and opens the
Chap34Start.mdb database in runtime mode on our computers:
“C:\Program Files\Microsoft Office\OFFICE11\MSAccess.exe”
“C:\Access 2003 Access Auto Auctions\Chap34Start.mdb” /runtime



The path to MSAcess.exe should have already been in the Target: field. Note that Windows
Note automatically places the path and filename for MSAccess.exe in quotation marks. The /
runtime switch should not be enclosed in quotes. If you enclose the /runtime switch in quotes,
an error occurs when you attempt to execute the shortcut.
Chapter 22 ¦ Adding Security to Access Applications 523

5. After you have specified the path and filename, placing the /runtime switch at the
end of the Target: field, you can optionally remove the path name in the Start in:
field.
Figure 22-5 shows how the Shortcut properties should look at this point.




Figure 22-5: Modifying the Target: and Start in: fields of the shortcut by using the /
runtime switch of Access 2003.

6. After the fields have been updated, click the Apply button to process the changes
and save the shortcut.
7. Finally, you can rename the shortcut icon to any name that you want and move it
from the current directory to another directory, or even to the desktop. After you
have created the shortcut, you can distribute or re-create the same shortcut for each
user installation.

Tip If your database has a password associated with it, the user will still be prompted to enter the
password prior to opening the database.


Using a Database™s Startup Options
A slightly less secure alternative to using the /runtime option is to set a database™s startup
options. This alternative is not a complete solution for situations where tight security is
paramount. Figure 22-6 shows the Startup options dialog box. To access the Startup options
dialog box, select Tools_Startup.
Part III ¦ Beyond Mastery: Initiative Within Office
524




Figure 22-6: Using the Startup options dialog box provides another option for securing
an application.

By making the appropriate specifications in the Startup options dialog box, you can do the
following:
. Assign a title to the application.
. Assign an Application Icon to the application.
. Assign a form or data access page to immediately run when the database is open.
. Prevent the Database window (container) from being displayed.
. Prevent the status bar from being displayed.
. Designate a menu bar to be used on startup of your application.
. Designate a shortcut menu to be used on startup of your application.
. Prevent Access™s built-in menus (full menus) from being displayed.
. Prevent Access™s built-in shortcut menus from being displayed.
. Prevent Access™s built-in toolbars from being displayed.
. Prevent users from modifying toolbars (toolbar/menu changes).
. Prevent users from using Access™s special keys to display the Database window,
display the immediate window, display the VB window, or pause execution.
To designate the frmSwitchboard form as the default form to open whenever the
Chap34Start.mdb database opens, follow these steps:
1. Open the Chap34Start.mdb database and select Tools_Startup to open the Startup
dialog box.
2. Click in the Display Form/Page: field and select the frmSwitchboard form from the
pull-down list (refer to Figure 22-6).
3. Click OK.
Chapter 22 ¦ Adding Security to Access Applications 525

After you have assigned a form to open automatically, you can also specify that the
Database window or status bar not be displayed to give even greater security to your
application. By selecting these two items, when the user clicks the Close button on the
startup form, the database window (container) will not display. By using a database
password and the Startup options, you can assign minimum security to the database and
your application.


The user can bypass the Startup options by simply holding down the Shift key while opening
Caution
the database. However, if you assign a database password, users will still be required to
enter the password in order to use the database.


Using the Jet User-Level Security Model
Most often when security is required, setting a database password and run-time options is
simply not enough.
When you need more security, you can use Access user profiles that are implemented by the
user-level/object permissions security of Jet 4.0. The Jet Database Engine offers additional
levels of customization and security for your application. When using Jet level security, you
need to complete the following series of functions:
1. Select or create a workgroup database.
2. Define the workgroup database™s security groups.
3. Create the users of the workgroup database.
4. Define permissions for each user and security group.
5. Enable security by setting an Admin user password.


What Is Jet and a User Profile?
When you create a Microsoft Access database (.mdb or .mde), Access uses an internal program to
create and work with the database and its objects. Microsoft calls this internal program the Jet
Database Engine. Its purpose is to retrieve and store data in user and system databases. Some
people refer to the Jet engine as a data manager that the database system is built upon. Jet only
works with Access databases ” it doesn™t work with other ODBC databases, such as SQL Server,
Oracle, and others. The current version of Jet is 4.0 (also in Access 2000 and 2002). When you
installed Access, the installation program created several registry settings for the Jet engine. You
can use the Registry Editor to examine and even change these settings for Access. However, we
highly recommend that you do not change the setting in the Microsoft Windows registry.
Using Jet, you can build an Access user profile that is comprised of a special set of Window™s
registry keys, which will override the standard Access and Jet database engine settings.
Part III ¦ Beyond Mastery: Initiative Within Office
526


Enabling security
Jet database security is always on. Whenever a new workgroup database is created, an
Admin user is automatically created within the workgroup. This Admin user has no
password assigned to it. When the Admin password is blank, Access assumes that any user
attempting to open the database is the Admin user, and that this user is automatically logged
in to the database as the Admin user. To force Access (Jet) to ask for a valid user name and
password to log in to the database (see Figure 22-7), you simply need to create a password
for the Admin user. (Creating passwords is discussed later in this section.) To disable
security, simply clear the Admin user™s password. The security permissions that you have
designed are still in effect, but Access doesn™t ask for a user name and password ” it logs
on all users as the Admin user with whatever permissions were assigned to the Admin user.
Be careful about clearing the Admin user™s password when you have modified the
permissions of your users.




Figure 22-7: When security is enabled, Jet forces all users to enter a valid user name
and password to use the secured database.


Any changes that you make to security won™t take effect until you restart Access. If you have
Tip cleared the Admin password only to find that some or all of the Admin user™s permissions have
been revoked, open the database and create a password for the Admin user. Then exit Access
and restart Access (not the database). When you restart Access, you are prompted to enter a
user name and password.


Working with workgroups
A workgroup is a collection of users, user groups, and object permissions. You can use a
single workgroup file for all of your databases, or you can use different workgroups for
different databases. The method that you use depends on the level of security that you need.
If you give Administrative rights to users of some databases but not to users of other
databases, you need to distribute separate workgroup files with each database. Access
always uses a workgroup file when you open it. By default, this workgroup file is the
SYSTEM.MDW workgroup file. This file comes with Access 2003.
Chapter 22 ¦ Adding Security to Access Applications 527


Creating a new workgroup
You can create new workgroups or join existing workgroups by using the Workgroup
Administrator program that comes with Access 2003 (see Figure 22-8). To begin creating a
new workgroup, select Tools_Security from the Access menu.




Figure 22-8: Using the Workgroup Administrator to create new workgroups and to join
existing workgroups.


You should completely close down Access after creating new workgroups or joining existing
Note
workgroups. When you use the Workgroup Administrator to join a workgroup, that workgroup is
not actually used until the next time you start Access.

To create a new workgroup file, follow these steps:
1. Start Access (with or without a database), select Tools_Security, and then select
Workgroup Administrator.
2. Select the Create button in the Workgroup Administrator dialog box to display the
Workgroup Owner Information dialog box.
The workgroup that you create is identified by three components: Name, Organization, and
Workgroup ID (see Figure 22-9).


In order to re-create the workgroup file in the event that it becomes corrupt or deleted, you
Caution need all three pieces of information. For this reason, to ensure that no other user can
create your workgroup and access your secured database, you should supply a unique,
random string for the Workgroup ID. Someone may possibly guess the name and organi-
zation used in your workgroup file if he or she knows who you are, but to guess all three
items ” especially if you create a random, unique ID ” is almost impossible.
Part III ¦ Beyond Mastery: Initiative Within Office
528




Figure 22-9: Workgroups are identified by these three key pieces of information. A
workgroup can™t be re-created without all three of these items.

3. When you are satisfied with your entries, select OK to display the Workgroup
Information File dialog box.
4. Enter a name for the new workgroup file, and select OK to save it (see Figure 22-
10). If you enter a filename that already exists, like SYSTEM.MDW, you will
receive a confirmation box requesting that you confirm replacing the existing file.




Figure 22-10: Assigning a filename for the new workgroup.

5. The Workgroup Administrator displays a confirmation dialog box (see Figure 22-11)
containing the information that you entered for the new workgroup and explains the
importance of writing down and storing the information. If you are satisfied with
your entries, select OK to save your workgroup. If you want to change anything,
click the Change button to return to Step 3.
Chapter 22 ¦ Adding Security to Access Applications 529




Figure 22-11: Confirming the information for the new workgroup.

When you select the OK button in the Confirm Workgroup Information dialog box,
a message displays to inform you that you have created the workgroup information
file correctly.


In order to ensure that you can recover from the loss of your workgroup file, you should
Tip immediately make a copy of the workgroup file. In addition, you should write down the three
pieces of information that you used to create the workgroup file, exactly as they were en-
tered, in the event that you have to re-create the workgroup file from scratch. Store both the
backup file copy and the written information in a secure place.

Joining an existing workgroup
When you create a new workgroup, Access automatically joins the new workgroup. If you
don™t want to use the new workgroup right away, or if at any time you need to use a
workgroup other than the current workgroup, you can use the Workgroup Administrator to
join another workgroup.
To join an existing workgroup, follow these steps:
1. Activate the Workgroup Administrator program from the Tools_Security menu.
2. The Workgroup Administrator dialog box displays the current workgroup (refer
back to Figure 22-10). Click the Join button to select a workgroup file. If you aren™t
sure of the filename, click the Browse button to display a File dialog box in which to
locate the workgroup file.
3. A prompt displays so that you can confirm or cancel joining the workgroup. Select
OK and then select Exit to close the Workgroup Administrator.
Part III ¦ Beyond Mastery: Initiative Within Office
530


Working with users
Every time a user opens an Access (Jet) database, Jet must identify the user opening the
database. In Access, security is always enabled ” regardless of whether or not you have
explicitly created a workgroup for your database. If you have not defined a workgroup, Jet
assumes that any user who opens the database is the Admin user. When a new workgroup is
created, Access automatically creates a default user named Admin. The Admin user
automatically receives full permissions to all objects in the database. Obviously, when you
secure a database, you don™t want everyone to be able to open the database with full
permissions on all objects, so you must create additional users for the workgroup.

Adding and deleting user accounts
To add, delete, and edit user information, you use the User and Group Accounts dialog box
(see Figure 22-12). To open the User and Group Accounts dialog box, select
Tools_Security_User and Group Accounts ¦ from the Access menu. The Users tab of the
User and Group Accounts dialog box consists of two sections: User and Group Membership.
You use the User section to create and maintain user names and passwords. You use the
Group Membership section to assign users to user groups. Assigning users to groups is
discussed in detail later in this chapter.




Figure 22-12: Creating and maintaining users in the User and Group Accounts dialog
box.

To fully secure your database with users and groups, you should generally follow
these steps:
Chapter 22 ¦ Adding Security to Access Applications 531

1. Create a new user.
2. Add the new user to the Admins group.
3. Remove the Admin user from the Admins group.
4. Assign all object ownerships to the new user.
When you create a user, you supply the user name and a personal identifier. Jet then
combines these two items and processes them in a special algorithm, producing a unique
security ID (SID). It is this SID that Jet uses to recognize users. In order to re-create a user
in the workgroup, you need to know the user name and the personal ID (PID) that was used
to create the user. Consequently, you should always write down and store all names and
PIDs of users that you create in a safe place.
To create a new user in a workgroup, follow these steps:
1. Open the database Chap34Start.mdb.
2. Select Tools_Security_User and Group Accounts to display the User and Group
Accounts dialog box.
3. Select the New button in the User section to display the New User/Group dialog box
(see Figure 22-13).




Figure 22-13: Jet combines the User Name and Personal ID to create a unique SID for
the user.

4. Enter the name Student1 for the Name, and enter a unique Personal ID of 1234.
(You can enter any appropriate information into these two fields, if you don™t want
to use these example names.) Write this information down and store it in a safe
place; you will need it if you have to re-create the user in the workgroup.
5. Select OK to save the new user.
After you have created the new user, Student1, you can assign Group Memberships and/or a
password for the user. Notice that Student1 is automatically a member of the Users group.
Any new member must at least belong to this group. You can make Student1 a member of
the Admins group by simply selecting the Add button in the Group Membership section.
Part III ¦ Beyond Mastery: Initiative Within Office
532


To fully secure your database, you must remove all permissions for the Admin user, found
Caution
under the Tools_Security_User and Group Permissions menu. (Defining Group Permis-
sions is covered later in this chapter.) All Admin users share the same SID in all workgroups,
on all machines. If you don™t remove the permissions for the Admin user, an unauthorized user
using a different workgroup can open the database as the Admin user with all permissions of
the Admin user. The Admin user can™t be deleted, so the Admin user account needs to be
adjusted accordingly.

If you want to delete the user Student1 that you just created, follow these steps:
1. Select Tools_Security_User and Group Accounts to display the User and Group
Accounts dialog box.
2. From the User Name drop-down list, select the User Student1.
3. Click the Delete button to delete the selected user.

Creating and changing user passwords
Any user who is a member of the Admins group can remove a password from any user
account. A user who is a not a member of the Admins group can change his or her own
password. However, a user who is not a member of the Admins group cannot change or
create a password for any other user.

When Access opens and a password has been assigned to any user, the Logon Dialog box
displays (refer back to Figure 22-7).
Caution

If no passwords are assigned to any of the users, however, Access will automatically open,
using the Admin user. This means that any additional users that you create in Security will not
be able to set a password. To correct this, you will need to create a password for the Admin
user. Then exit from Access and restart Access, logging on as the user whose password you
want to change.

To create or change the Admin password, follow these steps:
1. Open the database Chap34Start.mdb.
2. Select Tools_Security_User and Group Accounts.

Caution
Make sure that the user name selected is Admin (not Student1 that you created earlier).

3. Click the Change Logon Password tab (see Figure 22-14).
Chapter 22 ¦ Adding Security to Access Applications 533




Figure 22-14: The Change Logon Password tab of the User and Group Accounts dialog
box. Notice that the name is “Admin” and can™t be changed.

4. Because no password has been assigned to Admin, leave the Old Password field
blank.


If you are logging on as the Admin user after you have assigned a password, or if a pass-
Tip
word exists for the user that you logged on as, enter it in the Old Password field. If no
password is assigned to the user, leave the Old Password field blank.

5. Move to the New Password field and enter the new password Admin (or any other
password that you want to assign ” remember that Access™s security is case-
sensitive) in the New Password field. Access won™t show you the word that you are
typing; rather, it shows an asterisk for each character that you type.
6. Move to the Verify field and enter the new password Admin again. (Again,
remember that Access™s security is case-sensitive.) Each character is replaced with
an asterisk.
7. Click the Apply button to save the new password for the Admin user.
8. Click OK to close the User and Group Accounts dialog box.

After you have created a password for the user, you will have to exit from Access and restart
Tip
Access for the changes to take effect. Simply closing the database and opening it again won™t
activate the security changes (such as assigning a password to Admin) that you made.
Tip
The Logon dialog box will not display if no passwords have been set for any users.
Part III ¦ Beyond Mastery: Initiative Within Office
534


Tip
Users can™t create or change passwords for other users, regardless of their permission settings.

Any user who is a member of Admins can clear the password of another user, so that user can
Tip
log on if he or she has forgotten his or her password.

To change another person™s password, you will have to start Access and open the database
by logging on as the user whose password you want to change.

Working with groups
Groups are collections of users. A user may belong to one or more groups. You use groups
to organize multiple users together who will be granted the same object permission
privileges. You can then define object permissions to the group once, versus having to assign
them individually for each user. When you create a new user, you simply add the user to the
group that has the object permission privileges that the new user should have.
For example, you may have a number of users in a credit department and in a sales
department. If you want to allow all of these users to look at a customer™s credit history but
restrict the sales staff to viewing only basic customer information, you have the following
options:
. Create an individual user account for each user in each department and assign object
permissions for each user.
. Allow all users in the credit department to log on as one user, and allow all users in
the sales department to log on as a different user. You can then restrict the object
permissions for each of these two users.
. Create an individual user account for each user in each department, and create a
group account for each department. You can then make the permissions assignments
for each of the two groups and place each user into his or her respective group to
inherit the group™s permissions.
Although creating a unique user account and assigning specific permissions to each user is a
valid scenario, it is an administrator™s nightmare. If policy dictates that one of the
departments needs to have permissions added or revoked, the change has to be made to each
of the users™ accounts in that department.
The second method is straightforward and simple but presents many problems. If a user
transfers from one department to another, he knows the user names and passwords for both
departments and may be able to retrieve data that he is no longer authorized to view. In
addition, if an employee leaves, the user name and password need to be changed, and each
user of the workgroup has to be made aware of the change. In a multi-user environment,
creating a unique user account for each user and then grouping them accordingly is a much
better solution.
With the third option, the change can be made to the department group once, and all users
inherit the new permission settings.
Chapter 22 ¦ Adding Security to Access Applications 535


Adding and deleting groups
Just as Access automatically creates an Admin user in all new workgroups, it also
automatically creates two groups: Users and Admins. Every user account in the system
belongs to the Users group; you can™t remove a user from the Users group. The Admins
group is the all-powerful, super-user group. Users of the Admins group have the ability to
add and delete user and group accounts, as well as to assign and remove permissions for any
object for any user or group in the workgroup. In addition, a member of the Admins group
has the ability to remove other user accounts from the Admins group. For this reason, you
need to carefully consider which users you allow to be a member of the Admins group. The
Admins group and the Users group are permanent groups; they can never be deleted.

Access doesn™t enable you to remove all users from the Admins group; one user must belong to
Tip
the Admins group at all times (the default is the user named Admin). If you were allowed to
remove all users from the Admins group, you could set up security so tight that you would never
be able to bypass it yourself! In general, when securing a database, you should place only one
user and one backup user in the Admins group.


Unlike the Admin user™s SID, which is identical in every Access workgroup, the Admins group™s
Note
SIDs are not identical from workgroup to workgroup, so unauthorized users using a workgroup
other than the one that you used to define security can™t access your database as a member of
the Admins group. The Users group™s SIDs are the same throughout all workgroups, however,
so you need to remove all permissions for the Users group. If you don™t remove permissions
from the Users group, any user in any workgroup can open your database with the Users
group™s permissions.

To create a new group named Sales, follow these steps:
1. Open Access and then open the Chap34Start.mdb database and log in with the
Admin user name and Admin password. Then select Tools_Security_User and
Group Accounts to display the User and Group Accounts dialog box.
2. Select the Groups tab.
3. Select the New button to display the New User/Group dialog box (see Figure 22-15).
Part III ¦ Beyond Mastery: Initiative Within Office
536




Figure 22-15: Jet uses the group name and personal identifier to create a unique SID for
a group, just as it does for user accounts.

4. Just as you do to create users, enter the group name Sales and a personal ID of
Dept405. (If you aren™t following along with this example, you can enter your own
group name and personal ID.) Also, just as before, write down this information and
put it in a safe place because you will need it if you ever need to re-create the group.
5. Select OK to save the new group.
6. After this is complete, you can select OK in the User and Group Accounts dialog
box to save your work.
If, at a later time, you want to delete the Sales group that you just created, follow these steps:
1. Select Tools_Security_User and Group Accounts ¦ to display the User and
Group Accounts dialog box.
2. Select the Groups tab (refer to Figure 22-15).
3. From the drop-down list, select the Sales group to delete.
4. Select the Delete button to delete the selected group.

Assigning and removing group members
Assigning users to and removing users from groups is a simple process. You use the Users
tab on the User and Group Accounts dialog box to add to and remove users from a group.
You may place any user in any group, and a user may belong to more than one group. You
cannot remove a user from the Users group nor can you remove all users from the Admins
group ” you must always have at least one user in the Admins group.
To add the user Student1 to the new group Sales, follow these steps:
1. Open Chap34Start. Select Tools_Security_User and Group Accounts to display
the User and Group Accounts dialog box.
Chapter 22 ¦ Adding Security to Access Applications 537

2. From the User Name drop-down list, select the user Student1 to modify her group
assignments.
3. To assign the user Student1 to the group Sales, select the Sales group in the
Available Groups list and select the Add button (see Figure 22-16). The Sales group
displays in the Member Of list.




Figure 22-16: Assigning users to groups makes controlling object permissions much
easier for the system administrator.

4. Select OK to save the new group assignments.
To remove the user Student1 from the group Sales, follow these steps:
1. Select Tools_Security_User and Group Accounts to display the User and Group
Accounts dialog box.

Caution
Make sure that the user name selected is Student1 (not Admin).

2. Select the group Sales in the Member Of list and select the Remove button. The
Sales group no longer displays in the Member Of list.
3. Select OK to save the new group assignments.
4. Because Jet uses the same SIDs for all Admin user accounts throughout all
workgroups, you always need to remove the Admin user from the Admins group
when securing a database. Figure 22-16 shows that the user Student1 has been added
to the Sales group. Notice that Student1 is a member of two groups: Users and Sales.
Before leaving this section, assign Student1 to the Admins group so that you can use
this example later in this chapter.
The only remaining task is to set the appropriate object permissions for the Users and Sales
groups.
Part III ¦ Beyond Mastery: Initiative Within Office
538


Securing objects by using permissions
After you have defined your users and groups, you must determine the appropriate object
permissions for each group. Permissions control who can view data, update data, add data,
and work with objects in Design view. Permissions are the heart of the Jet security system
and can be set only by a member of the Admins group, by the owner of the object (see the
next section), or by any user who has Administrator permission for an object.

Setting an object™s owner
Every object in the database has an owner. The owner is a user account in the workgroup
that is designated to always have Administrator rights to the object. Administrator rights
override the permissions defined for the logged-on user or defined for any of the user™s
groups. You can designate one user to be the owner of all the objects in a database, or you
can assign an owner to individual objects.
Access queries require special consideration when assigning owners to objects. When
creating a query, you can set the Run Permissions property of the query to either User™s or
Owner™s (see Figure 22-17). When a password is defined for a workgroup, Run Permissions
is automatically set to User™s. Setting Run Permissions to User™s limits the users of the query
to viewing only the data that their security permissions permit. If you want to enable users to
view or modify data for which they do not have permissions, you can set the Run
Permissions property to Owner™s. When the query is run with the Owner™s permissions
(WITH OWNERACCESS OPTION in an SQL statement), users inherit the permissions of
the owner of the query. These permissions are applicable only to the query and not to the
entire database.




Figure 22-17: Setting a query™s Run Permissions determines which users can run the
query or modify the query.
Chapter 22 ¦ Adding Security to Access Applications 539


When a query™s Run Permissions property is set to Owner™s, only the owner can make changes
Tip
to the query. If this restriction poses a problem, you may want to set the owner of the query to a
group rather than to a user account. Note that only the owner of an OwnerAccess query can
change the query™s owner.

Note
If you haven™t assigned passwords to Admin or other users, the user is automatically assumed
to be Admin and the query™s Run Permissions property is set to Owner™s.

To change the owner of any object in the database, follow these steps:
1. Select Tools_Security_User and Group Permissions to display the User and Group
Permissions dialog box.
2. Select the Change Owner tab (see Figure 22-18).




Figure 22-18: Transferring ownership of one or more tables from the Admin user to the
Sales group.

3. Select the object (or objects) whose ownership you want to transfer. You can select
the type of objects to display by changing the Object Type field.
4. Select the user or group that you want to make the owner of the selected object. To
select a group name, first select the List: Groups radio button.
5. Select the Change Owner button to change the object™s owner to the selected
user or group.
Part III ¦ Beyond Mastery: Initiative Within Office
540



Each object in a database has an owner. The database itself also has an owner. You can
Note
view the owner of the database by selecting Database from the Object Type drop-down list.
You can™t change an object™s owner by using Access™s interface. The only way to change a
database™s owner is to log on as the user that you want to make the owner of the database,
create a new database, and then import the original database into the new database by
using the File_Get External Data_Import menu option. When you import a database, the
current user is assigned as the new owner of the database and all of its database objects.
This is essentially what the Security Wizard (discussed later in this chapter) does for you.

Setting object permissions
Object permissions are the heart of Jet security. You can set one or more object
permissions at a time for a user or group. When assigning permissions, you must keep in
mind that some permissions automatically imply other permissions. For example, if you
assign a user Read Data permission for a table, the Read Design permission is also granted
because a table™s design must be available to access the data. A more complex example is
assigning permission for Insert Data ” this automatically grants permission for Read Data
and Read Design.
An object™s permission assignments are persistent until one of the following conditions
occurs:
. A member of the Admins group changes the object™s permissions.
. The object is saved with a new name by using the Save As command from the File
menu.
. The object is cut and pasted in the Database window.
. The object is imported or exported.
If any of the preceding actions occurs, all permissions for the manipulated object are lost
and you will need to reassign them. When you perform any of these actions, you are actually
creating a new object. Access assigns default permissions for each object type.
There are two ways that permissions can be granted to a user:
. Explicit permissions are permissions that are granted directly to a user. When you
manually assign a permission to a user, no other user™s permissions are affected.
. Implicit permissions are permissions that are granted to a group. All users belong-
ing to a group inherit the permissions of that group.


Because permissions can be assigned implicitly and because some permissions grant
Note
other permissions (Insert Data, Read Data, and Read Design permissions), users may be
able to grant themselves permissions that they do not currently have. Because of this
possibility, you must plan carefully when assigning permissions to groups of users and to
individual users.
Chapter 22 ¦ Adding Security to Access Applications 541

To assign or revoke a user™s permissions for an object, follow these steps:
1. Select Tools_Security_User and Group Permissions ¦ to display the User and
Group Permissions dialog box. Select the Permissions tab.
2. In the Object Type drop-down list, select the type of object whose permissions you
want to change.
3. In the User/Group Name list box, select the user or group account that you want to
modify. To see a list of all Groups, click the List: radio button in the Name section.
4. In the Object Name list box, select the object (or objects) that you want to modify.
5. In the Permissions grouping section, select or unselect the permissions check boxes
for the object(s).
6. Select Apply to save the permission assignments.
Remember that Admin user SIDs are identical throughout all workgroups. So after you
assign Administer permissions to a specific user, you need to remove all permissions for the
Admin user in order to secure your database. Figure 22-19 shows the Admin user™s
permissions being revoked for all tables in the database. Notice that all checkboxes have
been cleared for all tables. Clearing the checkboxes prevents an Admin user from doing
anything with table objects. You must repeat the process for each Object type until the
Admin user has no permissions for any object.




Figure 22-19: Removing all permissions for the Admin user is critical
to securing your database.
Part III ¦ Beyond Mastery: Initiative Within Office
542


Setting default object permissions
You can create default permission assignments for each type of object in a database. These
default permissions are assigned when you create new objects in the database. You set the
default permissions just as you set them for any other object™s permissions. You select the
user or group to assign the default permissions, but you do not select a specific object name.
Instead, select the first item in the Object Name list that is enclosed in <> and begins with
“New.” When you select the Object Type Table, for example, you select <New Tables/
Queries> in the Object Name list. When you assign permissions for users and groups to
these <New> items, the permissions are used as defaults for all new objects of that type.

When removing default permissions for table objects, make sure that users have the necessary
Caution
permissions to create new tables. Otherwise, users will not be able to execute make-table
queries.

Setting database permissions
Just as objects in a database have permissions, the database itself also has its own permis-
sions. Selecting Database from the Object Type drop-down list will display the database
permissions that can be modified (see Figure 22-20). The database permissions enable you
to control who has administrative rights to the entire database, who can open the database
exclusively (locking out other users), and who can open or run the database.




Figure 22-20: Assigning permissions for the entire database.


Securing your database for distribution: A basic approach
If you are securing a database for distribution, setting up detailed security for multiple users
for all the objects in your database may not be important to you. Often, the only concern
with shipping a secured database is protecting your development investment by securing the
design of the application™s objects and code. If you need this type of protection, you can
distribute your application as an .MDE file (see the section “Protecting Visual Basic Code”).
Chapter 22 ¦ Adding Security to Access Applications 543

Another method is to follow these steps:
1. Create a workgroup to distribute with your database.
2. Remove the Admin user from the Admins group.
3. Remove all permissions for the Users group.
4. Remove all design permissions for the Admin user for all objects in the database.
5. Do not supply a password for the Admin user.
Remember that if you do not specify a password for the Admin user, Access will log on all
users as the Admin user. Because the Admin user has no rights to the design of any object,
users cannot access objects or code in Design view.
Table 22-1 summarizes the permissions that you can assign.

Table 22-1
Summary of Assignable Permissions
Permission Permits a User To Applies To
Open/Run Open a database, form, or report, Databases, forms,
or run a macro. reports, and macros

Open Exclusive Open a database with exclusive access. Databases only

Read Design View objects in Design view. Tables, queries, forms,
macros, and modules

Modify Design View and change the design of objects, Tables, queries, forms,
macros, and modules or delete them.

Administer For databases, set database password, Databases, tables,
replicate a database, and change start-up queries, forms, reports,
properties. For database objects, have full macros, and modules
access to objects and data, including
the ability to assign permissions.

Read Data View data. Tables and queries

Update Data View and modify but not insert or delete data. Tables and queries

Insert Data View and insert but not modify or delete data. Tables and queries

Delete Data View and delete but not modify or insert data. Tables and queries
Part III ¦ Beyond Mastery: Initiative Within Office
544


Using the Access Security Wizard
Access includes the Security Wizard tool to assist you in securing your database. The
Security Wizard makes it easy for you to select the objects to secure. It then creates a new
database containing secured versions of the selected objects. The Security Wizard assigns
the currently logged-in user as the owner of the objects in the new database and removes all
permissions from the Users group for those objects. The original database is not modified in
any way. Only members of the Admins group and the user who ran the Security Wizard
have access to the secured objects in the new database.

When you use the Security Wizard, make sure that you are logged in as the user that you want
Tip
to become the new database™s owner. You must already belong to the Admins group and you
cannot log in as Admin. If you log in as Admin, Access will report an error when you attempt to
run the Security Wizard. If you receive this error, simply log in as another Admins group user.

To start the Security Wizard, log into the database as a user who is a member of the Admins
group. Then select Tools_Security_User-Level Security Wizard.
Follow these steps to create and open the AAASecureWizard database.

Note
These steps assume that you have created the user Student1 and assigned the user to the
Admins group.

1. Exit Access and open the folder that contains Chap34Start.mdb. Copy this file and
name the new copy AAASecureWizard.mdb.
2. Start Access and open the AAASecureWizard database. When Access attempts to
open the database, the Logon dialog box displays. The Logon dialog box displays
automatically because the AAASecureWizard database inherited its permissions
from the original database (Chap34Start).
3. Enter Student1 in the Name field and select OK. (The user Student1 has no assigned
password.) Access opens the AAASecureWizard database.
4. Select Tools_Security_User-Level Security Wizard from the menu to start
the wizard.
The wizard displays a message advising you that you will need to use the existing
workgroup information file, or it can create a new one for the current open database (see
Figure 22-21). Select Create a new workgroup information file and click the Next button.
Chapter 22 ¦ Adding Security to Access Applications 545




Figure 22-21: The Security Wizard helps jump-start your security implementation.

When you select Create a new workgroup information file, the next screen, shown in Figure
22-22, asks you for the filename for the new file, a Workgroup ID number (WID) ” which
you should write down and save, and optionally, your name and company.




Figure 22-22: Assigning a unique WID and name to new workgroup information file.
Part III ¦ Beyond Mastery: Initiative Within Office
546

When the new workgroup information file screen appears, it automatically assigns a random
20-character string of numbers and letters to the WID (Workgroup ID) field. You can change
this WID to any value.
As Figure 22-22 shows, you can choose to make this the new default workgroup file for all
databases (not recommended), or have Access create a shortcut to use this file only for this
database (default). Selecting the option to create a shortcut associates this file with only one
database. Click the Next button to display the next screen of the wizard.
The next screen of the wizard, shown in Figure 22-23, lets you select the objects to secure.
By default, the wizard secures all objects in the database. If you deselect an object type
(such as Tables or Forms), none of the objects of that type are exported to the secured
database. If you do not want to restrict security permissions for a set of objects but still want
those objects included in the new secured database, be sure to select the objects in the
wizard. Later on, modify the user and group permissions for those objects in the new
secured database. When you are satisfied with your object selections, select the Next button
to continue.




Figure 22-23: Selecting the objects to secure.

The next screen of the wizard, shown in Figure 22-24, asks you to create an optional
security group account for a series of group actions. These include:
. Backup Operators: Can open the database exclusively for backing up and compact-
ing.
. Full Data Users: Can edit data, but not alter design.
Chapter 22 ¦ Adding Security to Access Applications 547

. Full Permissions: Has full permissions for all database objects, but can™t assign
permissions.
. New Data Users: Can read and insert data only (no edits or deletions).
. Project Designers: Can edit data and objects, and alter tables or relationships.
. Read-Only Users: Can read data only.
. Update Data Users: Can read and update, but can™t insert or delete data or alter
design of objects.
Check all of the optional security groups displayed in the wizard screen. After you have
selected all groups, select the Next button to continue.




Figure 22-24: Additional optional security groups for the database.

Notice that the next page of the wizard, shown in Figure 22-25, lets you choose to grant
permissions to the Users group (the default is no permissions). By selecting Yes, you are
able to assign rights to all object types in the database. Figure 22-25 shows this page with
the Yes option selected. However, you should select the default choice: No ” the Users
group should not have any permissions. Select the Next button to continue to the next
wizard screen.
Part III ¦ Beyond Mastery: Initiative Within Office
548




Figure 22-25: Choosing whether or not to assign permissions to the Users group.


If you decide to grant any permissions to the Users group, you should be aware that anyone
Caution
with a copy of Access will have the same permissions that you assign to this group. Essentially,
you are exposing the database to a security breach if you assign rights to this group.

The next page, shown in Figure 22-26, lets you add users to the workgroup information file.
To add a user, enter the name and password information in the appropriate fields and select
the Add a New User button.




Figure 22-26: Adding users and passwords to the workgroup information file.
Chapter 22 ¦ Adding Security to Access Applications 549

As Figure 22-26 shows, you can also remove users from the list by simply selecting their
name from the list box on the left and selecting the Delete User from the List button. Select
the Next button to continue.
The next wizard screen to display, shown in Figure 22-27, enables you to assign users to
groups in your workgroup information file. If you added optional groups from the previous
page (as shown in Figure 22-24), you can assign a user to any of these groups by checking
the appropriate check box. To assign rights to a user, simply select the user from the drop-
down list and then assign that user to groups using the check boxes. By default, all users,
except the person creating the wizard, are assigned to new groups. Click the Next button to
continue on to the next screen.




Figure 22-27: Adding users to groups for group rights.

The last page of the wizard displays, as shown in Figure 22-28. In this screen, the Security
Wizard asks you to provide a name for the old, and now unsecure, database. The default
name is the same name as the current database with the extension .bak. Select the Finish
button to finish creating the new secure database.
Part III ¦ Beyond Mastery: Initiative Within Office
550




Figure 22-28: In the Final wizard screen, the Security Wizard asks you to assign a name
for the old database.

Technically, the Security Wizard doesn™t make any modifications to the current database;
rather, it makes a backup copy by using the name that you specify and creates an entirely
new database with secured objects. However, the new database is given the name of the
original database.

Caution
When you distribute your secured application, be sure to distribute the database that the
Security Wizard created for you.

When the Security Wizard has finished creating the new database, it generates a report
called One-Step Security Wizard Report, as shown in Figure 22-29. The report contains all of
the settings used to create the users and groups in the workgroup information file. You
should keep this information. You will need it if you ever have the need to re-create the
workgroup file.
Chapter 22 ¦ Adding Security to Access Applications 551




Figure 22-29: Choosing whether or not to assign permissions to the Users group.


If you click the Finish button and Access finds any problems, it won™t create the security data-
base or the backup that you requested. Generally, you will get this error if you have created the
Caution
database and logged on as a user that secured the table and then re-logged on as another user
to secure it. This wizard works best with databases that have not had any previously defined
security.

Generally, making a copy of the original database and working with the secured database is
a good idea. If you make changes to the original database, you will need to run the Security
Wizard again to create a secured version of the database. In addition, making a copy of the
original database and then removing it from development helps prevent accidentally
distributing the unsecured database.


Encrypting a Database
When security is of utmost importance, one final step that you need to take is to encrypt the
database. Although it takes a great deal of skill (far more than the average computer user ”
or developer ” possesses), it is possible to view the structure of an unencrypted database. A
skilled hacker may use this information to reconstruct SIDs and gain full access to your
secured database.
Part III ¦ Beyond Mastery: Initiative Within Office
552

Encrypting a database makes using such tools to gain any useful information about the
database virtually impossible. Only the database owner or a member of the Admins group
(or a really good computer hacker) can encrypt or decrypt a database.
To encrypt a database, follow these steps:
1. Open Access, but do not open a database. Select Tools_Security_Encrypt/Decrypt
Database (see Figure 22-30).




Figure 22-30: Encrypting a database helps secure it from highly skilled hackers.

2. Select the database to encrypt from the Encrypt/Decrypt dialog box.
3. Provide a name for the new encrypted database.
Access doesn™t modify the original database when it encrypts it. Rather, Access creates a
clone of the database and encrypts the clone. Just like when using the Security Wizard, you
should make a backup copy of the original database and store it somewhere safe to prevent
accidentally distributing the unencrypted database. Remember that in a world of rapidly
changing data, your backup will rapidly become out of date.
When encrypting a database, however, be aware of the following drawbacks:
. Encrypted databases don™t compress from their original size when used with
compression programs, such as WINZIP or the ODE Setup Wizard. Encryption
modifies the way that the data is stored on the hard drive so compression utilities
have no effect.
. Encrypted databases suffer some performance degradation (up to 15 percent).
Depending on the size of your database and the speed of your computer, this
degradation may be imperceptible.
Chapter 22 ¦ Adding Security to Access Applications 553



Encryption is performed in addition to securing a database. A secure database is one that is
Note
secured using users, groups, and permissions. Simply encrypting a database does nothing
to secure the database for general Access users.


Decrypting a Database
You can decrypt a previously encrypted database. To decrypt a database, simply follow these
steps (which are similar to the encrypting process):
1. Start Access but do not open a database. Select Tools_Security_Encrypt/Decrypt
Database.
2. Select the database to decrypt from the Encrypt/Decrypt dialog box.
3. Provide a name for the new decrypted database.


Protecting Visual Basic Code
Although setting user-level security allows you to restrict access to tables, forms, and reports
in your database, it does not prevent access to the Visual Basic code stored in modules. You
control access to the Visual Basic code in your application by creating a password for the
Visual Basic project that you want to protect. When you set a database password for a
project, users are prompted to enter the password each time they attempt to view the Visual
Basic code in the database.

A Visual Basic project refers to the set of standard and class modules (the code behind forms
Note
and reports) that are part of your Access database (.mdb) or Access project (.adp).

1. Open any standard module in the database. For this example, open the
basSalesFunctions modules in Chap34Start.mdb. When you open the
basSalesFunctions module, the Visual Basic Editor displays.
2. In the Visual Basic Editor, select Tools_Access Auto Auctions Properties. The
Access Auto Auctions ” Project Properties dialog box displays.
3. Select the Protection tab in the Project Properties dialog box. Check the option
labeled “Lock project for viewing.”
4. In the Password field, type the password that you want to use to secure the project
(see Figure 22-31). For this example, use the password bible. Access does not
display the password; rather, it shows an asterisk ( * ) for each letter.
Part III ¦ Beyond Mastery: Initiative Within Office
554




Figure 22-31: Creating a project password restricts users from viewing the application™s
Visual Basic code.

5. In the Confirm Password field, type the password again. This security measure
ensures that you don™t mistype the password (because you can™t see the characters
that you type) and mistakenly prevent everyone, including you, from accessing the
database.
6. Click OK to save the password.
After you save and close the project, any user who attempts to view the application™s
Visual Basic code must enter the password. Access prompts for the project password only
once per session.
A more secure method of securing your application™s code, forms, and reports is to distribute
your database as an .MDE file. When you save your database as an .MDE file, Access
compiles all code modules (including form modules), removes all editable source code, and
compacts the database. The new .MDE file contains no source code but continues to work
because it contains a compiled copy of all of your code. Not only is this a great way to
secure your source code, it also enables you to distribute databases that are smaller (because
they contain no source code) and always keep their modules in a compiled state.


Preventing Virus Infections
Implementing a good user-level security scheme will protect your database from
unauthorized access to the information or objects in your database. User-level security does
not, however, protect the physical database file from malicious macro virus attacks.
You probably have had experience at some point with a virus attack on your computer. Or
most likely, you know someone who has. It goes without saying that it is imperative to
install and run a virus scanning utility on your workstation. Even though you may be
religious about keeping your virus scanner up to date, new viruses crop up all the time.
Chapter 22 ¦ Adding Security to Access Applications 555

Therefore, you have to be proactive about protecting your applications and sensitive data
from exposure to these kinds of attacks.
When you run forms, reports, queries, macros, data access pages, and Visual Basic code in
your application, Microsoft Office Access 2003 uses the Microsoft Jet Expression Service to
scan the commands these objects execute to make sure that these commands are safe. Unsafe
commands could allow a malicious user to hack into your hard drive or other resource in
your environment. A malicious user could possibly delete files from your hard drive, alter
the computer™s configuration, or generally create all kinds of havoc in your workstation or
even throughout your network environment.
The Microsoft Jet Expression Service checks its list of unsafe commands. When Access
encounters one of the unsafe commands, it can block the command from execution. To tell
Access to block these potentially unsafe commands, you must enable sandbox mode.

To review the list of unsafe commands, search Access help for “About Microsoft Jet Expression
Tip
Service sandbox mode.”


Enabling sandbox mode
Sandbox mode allows Access to block any of the commands in the unsafe list it encounters
when running forms, reports, queries, macros, data access pages, and Visual Basic code. To
enable sandbox mode, follow these steps:
1. Open Access, but do not open a database. Select Tools_Macro_Security. The
Security dialog box displays, as shown in Figure 22-32.
2. In the Security dialog box, select the High or Medium option.
3. Select the OK button to close the Security dialog box.
4. Restart Access to apply the security change.




Figure 22-32: Enabling sandbox mode.
Part III ¦ Beyond Mastery: Initiative Within Office
556


Note
When you enable sandbox mode, it applies to all Access users on the workstation.

The Security dialog box provides three levels of macro security:
. High: Macros must be digitally signed. Unsigned macros will not run. The status of
the macro™s digital signature is validated for digitally signed macros.
. Medium: The status of the macro™s digital signature is validated for digitally signed
macros. For unsigned macros, a prompt displays advising the user to enable the
macro or to cancel opening the database.
. Low: Macros are not checked for digital signatures and no warning displays for
unsigned macros.
A digital signature is an encrypted secure file that accompanies a macro or document. It
confirms that the author is a trusted source for the macro or document. A digital signature is
contained in a digital certificate. You, or your organization™s IT department, can obtain a
digital certificate through a commercial certification authority, like VeriSign, Inc. Search
www.msdn.com for “Microsoft Root Certificate Program Members” to obtain information
on how to obtain a digital certificate.
If you are sure of the integrity of your database, you can select the Low security setting.
Digital signatures are generally implemented within large organizations that are willing to
fund the added expense of purchasing and keeping digital signatures up to date. For most
applications, however, you will probably use the Low setting.
If you or your organization has acquired a digital certificate, you can use it to digitally sign
your Access project. To digitally sign your Access project, follow these steps:
1. Open the Access database to digitally sign. Select Tools_Macro_Visual Basic
Editor from the Access menu. The Visual Basic Editor opens.
2. Select Tools_Digital Signature from the Visual Basic Editor menu. The Digital
Signature dialog box displays, as shown in Figure 22-33.




Figure 22-33: Digitally signing an Access project.

3. Select Choose. The Select Certificate dialog box displays, as shown in Figure 22-34.
Chapter 22 ¦ Adding Security to Access Applications 557




Figure 22-34: Choosing a digital certificate.

4. Select the certificate to add to the Access project. Then select OK to close the Select
Certificate dialog box.
5. Select OK to close the Digital Signature dialog box and save the security setting.

Do not sign your Access project until the application has been thoroughly tested and you do not
Note
expect to make any further changes to it. Modifying any of the code in the project will invalidate
the digital signature.

Tip
To prevent users from making unauthorized changes to the code in your project, be sure to lock
the project and apply a project password.

With a full understanding of the Jet security model and how to manage it, you can create
databases that protect your development investment and your users™ data.
¦ ¦ ¦
23 CHAPTER



Adding
FrontPage Web
Components . . . .

In This Chapter

Exploring FrontPage
Web components

T his chapter introduces FrontPage Web Components, a.k.a.
Web components that
FrontPage components, a.k.a. Web components, and a.k.a.
require FrontPage
just plain ol™ components. These handy features allow you to do
extensions
everything from generate and automatically update a table of
contents, to create hover buttons that change when a visitor
Inserting a time stamp
moves over them with a cursor.

Activating a hit counter
Adding FrontPage Web Components
Creating hover buttons
Many of the Web components add interactivity to your site. These and marquees
interactive elements respond to the actions of visitors. For
example, a hit counter responds to a visit by changing the number Working with Web
of visitors displayed, and search boxes respond to a visitor™s components in forms
query with a list of matching pages.
Working with images
Prior to FrontPage 98, FrontPage components were called
Providing search boxes
WebBots. Now we are in the new millennium, and Microsoft still
Note
for visitors
uses WebBots in the HTML codes for FrontPage components.
As you add components to your page, you can click the HTML
. . . .
tab to see the WebBot terminology in place.


Defining and using components
FrontPage components are actually small programs that are
embedded in FrontPage. You don™t need to know how Web
components work to use them, but you should be aware of two
particular attributes of components:
Part III ¦ Beyond Mastery: Initiative within Office
560

. Web components enable you to use preprogrammed elements that normally require a
scripting language to create.
. Many (roughly half) of the Web components work only after your Web is published
to a Web server with FrontPage extensions.

We™ll explore the implications of having (or not having) access to a server with FrontPage exten-
Note
sions throughout this chapter, both in relation to using components in general, and in relation to
specific components.


Web components are programs
Web components are prefabricated programming modules that you can customize and insert
into your Web pages. When you add a Web component to your Web page, FrontPage inserts
HTML tags that reference it, much as HTML is used to reference a graphic, a sound file, or
a Java applet.
Customization of components is done through HTML attributes in the component tag.
Figure 23-1 shows an example of the HTML used to point to a component. In this case, you
can see WebBot tags for a Navigation component.




Figure 23-1 HTML for a component
Chapter 23 ¦ Adding FrontPage Web Components 561

If FrontPage components are little programs, where the heck are these programs stored?
That depends. Components that require FrontPage server extensions are stashed on Web
servers, and simply called by the code that FrontPage inserts into your page. No connection
to a FrontPage Web server? In that case, these components won™t work.
While about half of the FrontPage components rely on FrontPage server extensions to
work, other components (like the Photo Gallery) generate JavaScript code. All recent
version browsers (going back to version 4) support JavaScript, and so the programming
support for these components is essentially in a visitor™s own Web browser. Still other
components (like hover buttons or the Banner Ad Manager) generate Java programs,
which are saved to your Web.

Many Web components require FrontPage
server extensions
The following FrontPage components work only when your site is published to a Web server
with FrontPage server extensions:
. Web Search
. Hit Counter
. Top 10 List
. List View
. Document Library View
If you aren™t publishing your Web to a server armed with FrontPage extensions, you can
disable the components that require extensions by selecting Tools _ Page Options, and
clicking the Authoring tab. Then, use the FrontPage and SharePoint technologies drop-down
menu to select “custom” or “none” in order to use selected or no FrontPage components. x.
After you do that, only those components that do not require FrontPage extensions will
display. When you choose Insert _ Navigation, the rest of the components are grayed out,
as shown in Figure 23-2.




Figure 23-2 Hit counters components require FrontPage extensions.
Part III ¦ Beyond Mastery: Initiative within Office
562

If you are saving your Web to a disk folder (a disk-based Web), the FrontPage server
extension requiring Web components will be grayed out automatically.


Developing on a Disk but Developing for a Server?
Suppose you are developing your Web site using a drive-based Web or a server that doesn™t have
FrontPage extensions, but you plan eventually to publish your Web to a server that does have
FrontPage extensions. If you are using a server without FrontPage extensions, you can still install
(non-working) components. In this scenario, do not disable components. You can still place them on
Web pages ” you just can™t test them or use them in a Web site until you publish to a FrontPage-
friendly Web server with FrontPage extensions.
On the other hand, if you are developing your site using a disk-based Web, but eventually plan to
publish it to a server with FrontPage extensions, you have to turn on the features that require
FrontPage server extensions. Do this by choosing Tools _ Page Options, and selecting the Enabled
with FrontPage Server Extensions check box in the Compatibility tab of the Page Options dialog
box. In this scenario, you are fooling FrontPage, telling it that your site is published to a FrontPage
Web. Remember, some components won™t work until you actually publish your site to a FrontPage
server.


Because components require FrontPage-enabled servers, they are less portable than standard
CGI applications or Java applets and are more akin to other Microsoft technologies, such as
Active Server Pages (ASP), that are limited to servers supported by Microsoft. But, if you
have access to a FrontPage-enabled Web server, the ease with which you can add compo-
nents makes using them hard to resist.
If you don™t plan to publish your Web site to a FrontPage server and you are inclined to do
your own scripting and programming, you can jump ahead to Part V of this book, which
introduces other programming components that you can use to create many of the same
functions (with perhaps a bit more labor on your part).

Many components don™t require FrontPage extensions
If you are creating a Web for a server without FrontPage extensions, you can use the
components identified in Table 23-1. Some of these components simply generate HTML
code. Others generate Java applets, and others create JavaScript.
Chapter 23 ¦ Adding FrontPage Web Components 563


Table 23-1
Coding and Scripting for Various Web Components
Component Type of Script or Coding
Hover buttons Java applets

Marquees HTML

Banner Ad Manager Java applets

Photo Gallery JavaScript

Included Content HTML

Link Bars HTML

Table of Contents HTML

Commercial components Remote sites linked through HTML
(bCentral, Expedia, MSN,
and so on)

Advanced Controls Various scripting languages



Some components require SharePoint servers
As if all this wasn™t complicated enough, some Web components are only functional
when you are publishing a Web to the SharePoint server that comes with Office XP.
SharePoint servers are designed with built-in intranet tools, like bulletin boards, up-
loaded document libraries, and customizable interfaces. You can use the SharePoint
server as-is, out of the box, on your intranet (or Internet). Or, you can customize a
SharePoint server by editing pages in FrontPage and adding lists and other features
proprietary to the SharePoint server.

The SharePoint server files (called SharePoint Team Services)
This chapter takes a quick look at the components that require SharePoint servers. However,
its focus is on publishing FrontPage Web on Office 2003™s SharePoint server, as well as the
lists and other special features available for this server.
Part III ¦ Beyond Mastery: Initiative within Office
564


Spreadsheet Components
Spreadsheet Web components (Office Spreadsheet, Office Chart, and Office Pivot Table) are
actually embedded pieces of Microsoft Excel.
The main deal with these components is that they allow visitors to your Web site to see and interact
with elements of a spreadsheet. To do this, visitors must have Excel installed, or download pro-
grams that function as a kind of limited Excel viewer.
As we go to press, Microsoft has not yet released a public domain downloadable Excel viewer for
Excel 2003. However, downloadable viewers for older versions of Excel are available at
http://office.microsoft.com/Downloads/.
Web site visitors who use a downloaded viewer will not have full functionality for spreadsheet

<<

. 13
( 14)



>>