Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Security (Chapter 10)

Published byJoseph Powell Modified over 6 years ago

Similar presentations

Presentation on theme: "Database Security (Chapter 10)"— Presentation transcript:

1 Database Security (Chapter 10)
Peter Rob and Elie Semaan Databases: Design, Development, and Deployment Using Microsoft Access Second Edition

2 Database Security Making the database secure is usually one of the major concerns to company managers. In this chapter, you’ll learn several ways in which Access tools can be used to help secure database applications.

3 Basic Security Options
Because database security requirements are as varied as their applications, there are many different security options. For example: Using the developer edition of Access, you can create a runtime version of your Access database. This option allows you to run your database on a PC without requiring Access to be installed and the user cannot make changes to your objects. Within this runtime version of the database, you can then design the security system to fit the end user needs. The security system may be as uncomplicated as database password protection. Or it may include the full array of database administration security tools.

4 Basic Security Options (Cont)
2. You can create two Access databases, one classified as a back-end database and one as a front-end database. The back-end database is the database that contains the basic components of the database architecture such as the data dictionary, the tables, and the relationships between those tables. The front-end database contains the applications – such as queries, forms, and reports -- that enable end users to access and manipulate the data. The back-end database tables may be password protected, or they may be protected with a full array of database administration security tools.

5 Basic Security Options (Cont)
The front-end database uses the back-end database’s tables as linked tables. As the name implies, linked tables are tables in one database that are connected (linked) to applications that are located in another database. We will show you in this chapter how such links are created. The front-end database may have its own array of security measures.

6 Basic Security Options(Cont)
2. Separating the front-end and back-end databases enables you to use relational databases other than Access as the back-end database. For example, you can use an Oracle, an IBM DB2, or a Microsoft SQL Server database as the back-end database, and then link the tables in the back-end database to the front-end database through ODBC (Open Database Connectivity) drivers. Such back-end databases have far more sophisticated security tools than Access. Unless you have proper authorization that specifies the full use of the back-end tables, you cannot make changes to the linked tables via the front-end database.

7 Basic Security Options(Cont)
3. You can compile the Access database applications with an MDE file extension, rather than with an MDB file extension. A database with an MDE file extension compiles your VBA (Visual Basic for Applications) code to ensure that they cannot be viewed or edited. The MDE database will run exactly like an MDB database, but the applications -- such as forms and reports -- are more secure in an MDE database.

8 Basic Security Options(Cont)
3. Creating an MDE file does not require the creation of special authorizations to use the database. If you create an MDE file, Access will compact the destination file, remove all VBA source code, and save the database with an MDE extension. After saving your MDB database as an MDE database, you are no longer able to modify your forms, reports, or modules. However, you can still modify macros, queries, relationships, and tables.

9 Basic Security Options(Cont)
4. Using the AutoExec macro or the Startup option to run or to disable Access special keys may be useful. However, this security option yields only minimal security, because a savvy user can easily bypass the AutoExec macro or the Startup option by holding the Shift key while opening the application. On the other hand, to prevent an end user from holding the Shift key, you can create a module using VBA code to disable the Shift key bypass when the database is opened.

10 Basic Security Options(Cont)
Although you should know what security options are available, many of these options are well outside the scope of this book. Therefore, we will not cover the use the MS Access developer edition to create stand-alone applications, nor will we cover linking to Oracle, IBM DB2, or Microsoft SQL Server databases through the use of ODBC. For the same reason, we will not use the MDE option, nor will we use VB code. Therefore, we will limit our discussion to three ways in which the standard Access edition allows you to secure your database:

11 Basic Security Options(Cont)
Secure a database through the use of a password while logging on. Create a database security using the User-Level Security Wizard. Create back-end and front-end databases.

12 Database Administration: Basic Security Components
- To create a database security environment to be managed by a database administrator, you must first know what the security components and actions are. Therefore, the following vocabulary is important. (The Access Security Wizard requires you to define and use these components, so you must know what they are!)

13 Database Administration: Basic Security Components (Cont)
An object is any component of the database. That is, an object may be a table, query, form, report, macro, or a module in the database. A permission is the right to use an object. Note that the word permission may be used as a noun in the database context. Two types of permissions exist: An explicit permission is one that is granted to an individual user. An explicit permission assigned to one user will not affect any other user(s). An implicit permission is one that is granted to a specified group of users. Therefore, all users within that group have the same permission.

14 Database Administration: Basic Security Components (Cont)
An operation is any action that changes a database object. For example, operations include data updating, appending, or deleting. Operations also include modifying a table, query, form, report, macro, or module. The Admins workgroup, known as Admins in the Access security environment, is the administrative unit that contains the database system’s administrator (Admin). The following points are worth emphasizing:

15 Database Administration: Basic Security Components (Cont)
Because the Admins workgroup must be managed by an Admin, the Admin is the default member in the Admins workgroup when that workgroup is created. The Admins workgroup is the core of the security system. Therefore, you cannot have a database administrative function without the Admins workgroup.

16 Database Administration: Basic Security Components (Cont)
The Admin manages the database security environment. Given this management function, the Admin is given full permissions on all objects in the databases by default. Because the security environment cannot be managed without the Admin, the Admin cannot be removed from the workgroup. The Admin is responsible for assigning any permission(s). A permission may or may not include the right to perform an operation on an object in the application.

17 Database Administration: Basic Security Components (Cont)
Each Admins workgroup must have at least one user, and all users in this Admins work group have the same rights as the Admin. A User is a person whom the Admin allows to use a specified object or a set of objects. The Admin assigns a specific set of permissions to use one or more objects to each user. Therefore, the Admin must create the user account and a set of permissions to use certain objects. When any user logs on, (s)he can assign a password to his or her user ID and (s)he must supply the password whenever (s)he opens the secure application. The Admin account is the default user account. The user must be a member of a group – even if the user is the only member of that group.

18 Database Administration: Basic Security Components (Cont)
A Group is a database administrative unit that is composed of one or more users. The Admin can create a group account, assign permissions to a group, and then add users to the group. For example, organizational units such as accounting or marketing may become groups, and the employees in those departments will become the system’s users. Permissions assigned to a group are inherited by all of the members of that group.

19 Database Administration: Basic Security Components (Cont)
The Users group is the default group created by Access. Access adds all users to this group. Therefore, if you want to secure an object, make sure you don’t give this group a full permission to that object.

20 The .ldb file (Cont) The .ldb file is a small file, created by Access, which contains basic database administrative data.

21 The .ldb file (Cont) The .ldb file contains the user name in its first 32 bytes and the database security information in its second 32 bytes. The database administrator may use the information contained in the .ldb file to track all database users through their logon ID or through their computer name. The .ldb file also contains locking information. As its name implies, a lock is a device that prevents the use of an object. For example, if one user is performing operations on the EMPLOYEE table, a lock on that table would prevent another user from using that table until the lock is released.

22 The .ldb file (Cont) When the last user closes the database normally, the .ldb file is deleted. However, if the database is corrupted, the .ldb file is not deleted when the database is closed. Instead, the .ldb file contents are used by the DBMS when it repairs the database.

23 The .ldb file (Cont) Access helps manage the multi-user database environment by using a so-called jet-locking protocol. A protocol is a set of rules that governs a procedure or an action. The jet-locking protocol is named to reflect the fact that it is a set of rules created and enforced by the Access Jet Database Engine. The Access Jet Database Engine is the software that powers the DBMS. This database engine automatically creates a lock whenever a database table is opened in a shared database environment. The lock is released when the last user closes the database normally, that is, without corrupting the database.

24 The .ldb file (Cont) The locking protocol is, from the end user’s point of view, simple and straightforward. For example, suppose you have opened a table in its design view. As long as you have the table open, the protocol stored in the .ldb file prevents another end user from modifying that table. Access will produce a message box (see Figure 10.10) to tell the second end user that the table is not available.

25 The Workgroup Files The Workgroup file stores information about the groups, the users, and the user passwords. When you launch a database, the workgroup associated with Access determines the permission on all the objects and data in the database.

26 The Workgroup Files (Cont)
The Access Jet Database Engine is used to store and retrieve all data and objects from the workgroup information file. Therefore, when users start Access, it automatically maintains a link to the workgroup file in which the database security information is stored. The default name for the workgroup is System.mdw. However, you may use any valid name with an extension of .mdw to identify the workgroup file.

27 The Workgroup Files (Cont)
When Access was installed, it automatically created a workgroup file. Because the Access-created default workgroup files are identical in every Access installation, we strongly suggest that you create your own workgroup file or that you update the existing workgroup file to fit your specific requirements. You may define different levels and types of security for each workgroup file.

28 The Workgroup Files (Cont)
To make sure that only database administrators can create workgroups, a unique workgroup identification (WID) must be created. This WID must be supplied whenever a new workgroup file is created.

29 User and Group Accounts
The Access security system is based on user-level security, rather than on share-level security. The user-level security allows the logon user to access all objects based on the permission(s) given to that user. The share-level security subjects the user to a more restrictive environment that is based on an ID and a password. For example, a user might have one ID and a password to only read the EMPLOYEE table and another ID and a password to update the table. Each time the user wants to update the EMPLOYEE table, (s)he must supply the required ID and a password that matches that ID. Clearly, the share-level security option yields a more secure database.

30 Managing the User Groups
The Users group is an Access default account. Therefore, when you add a new user, the system automatically assigns the user to the Users group account. The Users group account cannot be deleted and it cannot be removed from the Member Of: window shown in Figures and 10.27a. To assign a password to a user, start Access to get the Logon dialog box in Figure (We’re assuming that you have already created all appropriate security accounts.) In the name field, enter the user’s name and leave the password blank. Next open the User and Group Accounts dialog box shown in Figure If you log on as Admin, all tabs are available. If you log on as a User, only the Users and Change Logon Password tabs will be available.

31 Permissions Permission Allows the user to …. Is used for Open/Run
Open a database, form or report or run a macro Databases, forms, reports, macros Open/Exclusive Open the database exclusively Databases Read/Design Open and look at any object in its design view All objects Modify/Design View, change, and delete objects Administer Full access and assign permissions All objects and the security system Read Data View data Tables and queries Update Data View and change data without insert or delete Insert Data View and add data without modify or delete Delete Data View and delete data without modify or add

32 Assigning Permissions
You can logon as an Admin and assign permissions to different groups and users, but it is easier and more reliable to use the User-Admin Security Wizard to perform these tasks. After the wizard has created the basic security structures, you can logon as an Admin to create your own groups, to assign users to those groups, and to assign permissions to groups and to users within those groups. To show you the full array of administrative functions, we will show you how to: Use the User-level Security Wizard to create a secure database. Log on as an Admin to create new groups and assign users to the groups. Assign permissions to the groups and user accounts you created in step 2.

33 Encrypting and Decrypting Databases
The Encrypt/Decrypt option produces an additional security blanket to ensure that only Access can open the database. For example, given an encrypted Access database, an Excel end user will not be able to access an encrypted Access database. The Encrypt/Decrypt option is particularly useful at the network level. Encryption decreases the performance of the database by about fifteen percent and it also prevents the database from being compressed.

34 Segmenting the Database
You can add an additional measure of security by separating the database into two components: the database back end and the database front end. The back end contains the tables and relationships, while the front end contains all the end-user applications, that is, the queries, forms, reports, macros, and modules. The database front end can then use the back-end database tables as attached tables. The database back-end/front-end segmenting makes it possible to create a security system that requires unauthorized users to breach two sets of security walls. In addition, a front-end failure will leave the back end intact. Similarly, a back-end failure will leave the front end intact. Therefore, segmenting the database will add a measure of safety to the database operations.

35 Segmenting the Database (Cont)
Database segmenting has additional advantages. The use of a database back end and its corresponding front end enables developers to change the front-end applications without affecting the back end database. For example, suppose that you are developing a database for a company. The company management has requested a change to the database applications– but it will not be feasible to accept an extended database down time, because the database is crucial to the company’s operations.

36 Segmenting the Database (Cont)
If the database is segmented, you can make changes to the front end database and replace it when you are ready -- without losing data and without requiring an extended down time. Also, because applications other than Access often use the same data stored in the database back end, database segmenting makes the end-user applications environment more flexible. For example, if database tables are used as the data source for Microsoft Excel, there is no need to expose the Access queries, macros, and other application objects to the Excel applications.

37 Segmenting the Database (Cont)
One particularly desirable effect of database segmenting is that such segmenting makes it possible to use a different RDBMS as the database back-end, thus increasing the flexibility of the Access applications development environment. In fact, because Access applications development is so easy and flexible, Access may be used as a front-end to the back-end SQL Server databases.

38 The END

Download ppt "Database Security (Chapter 10)"

Similar presentations

1 All Powder Board and Ski Microsoft Access Workbook Chapter 10: Database Administration Jerry Post Copyright © 2007.

1 All Powder Board and Ski Microsoft Access Workbook Chapter 10: Database Administration Jerry Post Copyright © 2007.
1 Chapter 13 Securing an Access Application. 13 Chapter Objectives Learn about the elements of security Explore application-level security Use user-level.

1 Chapter 13 Securing an Access Application. 13 Chapter Objectives Learn about the elements of security Explore application-level security Use user-level.
With Microsoft Access 2010© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.

With Microsoft Access 2010© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.
ACCESS SECURITY THE TOOLS PROVIDED BY MICROSOFT TO PROTECT YOUR WORK MUCH OF THE INFORMATION CONTAINED IN THIS PRESENTATION COMES FROM THE MICROSOFT SECURITY.

ACCESS SECURITY THE TOOLS PROVIDED BY MICROSOFT TO PROTECT YOUR WORK MUCH OF THE INFORMATION CONTAINED IN THIS PRESENTATION COMES FROM THE MICROSOFT SECURITY.
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Compile MS Access Pertemuan 18 Matakuliah: F0712 / Lab MS Access Tahun: 2007.

Compile MS Access Pertemuan 18 Matakuliah: F0712 / Lab MS Access Tahun: 2007.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Microsoft Office Word 2013 Expert Microsoft Office Word 2013 Expert Courseware # 3251 Lesson 4: Working with Forms.

Microsoft Office Word 2013 Expert Microsoft Office Word 2013 Expert Courseware # 3251 Lesson 4: Working with Forms.
Microsoft Access Database software. What is a database? … a database is an organized collection of data. A collection of data of similar information compiled.

Microsoft Access Database software. What is a database? … a database is an organized collection of data. A collection of data of similar information compiled.
Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.

Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.
MS Access Advanced Instructor: Vicki Weidler Assistant:

MS Access Advanced Instructor: Vicki Weidler Assistant:
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
CHAPTER 9 DATABASE MANAGEMENT © Prepared By: Razif Razali.

CHAPTER 9 DATABASE MANAGEMENT © Prepared By: Razif Razali.

Similar presentations

Ads by Google