Learn Microsoft Access Advanced Programming Techniques, Tips and Tricks.

Group Account Permissions with VBA

We have learned how to remove all permissions from all Objects for Users Group Account as all Users belongs to this default Group Account and inherits permissions, if available, besides other Group Accounts each user belongs to. If you have not gone through the earlier Articles on Microsoft Access Security with VBA, you may take a look at the following links before continuing:

Last week we were talking about removing all permissions for a particular Group Account. Now, we will learn how to assign different set of permissions for each set of Objects: Tables, Queries, Formsand other Objects for a particular Group Account. When done, all Users belongs to this particular Group Account will be allowed restricted access to all Objects.

For Tables/Queries the Users cannot make design changes but they can view the Table Structure or Query Design. Users can Add/Edit/Delete Recordsto Tables.

Users can Open Run Forms and Reportsbut cannot view or make Design Changes.

Macroscan be run but cannot view or make change to the Design.

The VBA Routine given below is run for an external Database and sets permissions for the given User-Group Account in the active Workgroup Information File.

Remember, the User-Names, Passwords and User-Group Accounts are maintained in the Workgroup Information File but permission settings stays with the Databases. So, you can say Microsoft Access Security is a two part combination Lock/Key.

  1. Copy and paste the following VBA Code into a Standard Module of your Database.
    Public Function SetPermission2Grp(ByVal DatabaseName As String, ByVal GroupName As String) As Boolean
    '-------------------------------------------------------------------------
    'Author : a.p.r. pillai
    'Date   : March-2010
    'Purpose: To Assign Security Permissions to Objects
    '       : for a particular Security Group Account
    '       : in an external Database.
    'Note   : The Security Group Account must be present
    '       : in the active Workgroup Information File
    '       :'Remarks: All Rights Reserved by www.msaccesstips.com
    '-------------------------------------------------------------------------
    Dim wsp As Workspace, db As Database, ctr As Container, doc As Document
    Dim ctrName As String, docName As String
    Dim L4 As String
    Const OBJSFULL = &HD01FE
    Const dbOpenRun = 2
    Const FrmRptOpenRun = 256
    Const MacOpenRun = 8
    Const TblQryExcludingModifyAdmin = 244 'All permissions Exluding Modify & Administr
    'Assign Permissions to Group Account
    On Error GoTo SetPermission2Grp_Err
    Set wsp = DBEngine.Workspaces(0)
    Set db = wsp.OpenDatabase(DatabaseName)
    wsp.Groups.Refresh
    For Each ctr In db.Containers
    ctrName = ctr.Name
    ctr.UserName = GroupName
    Select Case ctrName
    Case "Databases"
    For Each doc In ctr.Documents
             docName = doc.Name
             doc.UserName = GroupName
             Select Case docName
               Case "MSysDb"
                 'Set Open/Run Permissions to Database Object
                  doc.Permissions = doc.Permissions Or dbOpenRun
             End Select
          Next doc
       Case "Forms"
        'Set Open/Run Permissions to Forms Container
          ctr.Permissions = ctr.Permissions Or FrmRptOpenRun
          ctr.Inherit = True
          For Each doc In ctr.Documents
             docName = doc.Name
             doc.UserName = GroupName
             'Set Open/Run Permissions to Each Form
            doc.Permissions = doc.Permissions Or FrmRptOpenRun
          Next doc
       Case "Reports"
        'Set Open/Run Permissions to Reports Container
          ctr.Permissions = ctr.Permissions Or FrmRptOpenRun
          ctr.Inherit = True
          For Each doc In ctr.Documents
             docName = doc.Name
             doc.UserName = GroupName
             'Set Open/Run Permissions to Each Report
             doc.Permissions = doc.Permissions Or FrmRptOpenRun
          Next doc
       Case "Scripts"
         'Set Open/Run Permissions to Macros Container
          ctr.Permissions = ctr.Permissions Or MacOpenRun
          ctr.Inherit = True
          For Each doc In ctr.Documents
             docName = doc.Name
            doc.UserName = GroupName
             'Set Open/Run Permissions to Each Macro
             doc.Permissions = doc.Permissions Or MacOpenRun
          Next doc
       Case "Tables"
          '1. Assigns Full Permissions to Tables & Queries
          ctr.Permissions = ctr.Permissions Or OBJSFULL
          ctr.Inherit = True
          For Each doc In ctr.Documents
            docName = doc.Name
            doc.UserName = GroupName
             L4 = Left$(docName, 4)
           'Exclude System Objects
            If L4 = "MSys" Or L4 = "~sq_" Then
              GoTo nextloop
            End If
            '2. Remove Modify and Administrator permissions
            doc.Permissions = doc.Permissions Or TblQryExcludingModifyAdmin
    nextloop:
          Next doc
      End Select
    Next
     ctrSetPermission2Grp = false
    SetPermission2Grp_Exit:
    Set db = Nothing
    Set wsp = Nothing
    Exit Function
    SetPermission2Grp_Err:
    MsgBox Err & ": " & Err.Description, , "SetPermission2Grp"
    SetPermission2Grp = True
    Resume SetPermission2Grp_Exit
    End Function
  2. To test the Program create a copy of any Database and find a Group Account that is not assigned with permissions for the target database.
  3. Press Alt+F11 to open the VBA Editing Window, if you have already closed it.
  4. Press Ctrl+G to open the Debug Window.
  5. Type the following Statement in the Debug Window and press Enter Key to Run the Code and assign permissions to the selected Group Account in the Test Database: SetPermission2Grp "C:\My Documents\TestData.mdb", "FAGRP"
  6. Replace the Pathname of the Database and the Security Group Account Name with your own.
  7. After running the Code open the Test Database and check the Permission Settings of the Group Account you have specified as parameter.

Note: You may Run the Program from a Command Button Click after assigning the Database Pathname and Security Group Account Name in Text Boxes.

Share:

Users Group and Permissions

When you create a new Workgroup Information File, as part of the Microsoft Access Security implementation, it is important that the following two steps you follow immediately after creating the new Workgroup Information File (.mdw) file on priority basis:

  1. Create a new Administrator UserID (say myAdmin or whatever name you like) for you and join yourself as a member of the Admins Group Account.
  2. Remove the default Admin User Account from the Admins Group. If this is not done then your database is not secured and anybody can open and use it when MS-Office Software is re-installed.

From now on you must use the new UserID myAdmin to login as Administrator of the Databases that uses this new common Workgroup Information File.

One more thing, the databases that you create after login with the new User Name myAdmin, this User Account will be the Owner of those Databases and other Objects within it.

Remember the Owner of the Database has full authority on all Objects including Administrative Authority (like a member of the Admins Group) to assign permissions to Database Objects and to transfer Ownership of Objects to other Users as well. When the ownership of a particular Object is given to an ordinary User, he has full authority on that object to Run, Modify or Delete that object.

You must implement Object-wise access rights to User Groups before you install your Project for public use. This is done manually from Tools - ->Security - ->User and Group Permissions . . .

This procedure also has a first priority step, like the above two steps I have mentioned about the Workgroup Information File. That is to remove All Permissions of all Objects for the Users Group Account. Without this step whatever permission settings you assign to the Objects (Forms, Report and so on) will have no effect and Users will have full authority for Design Changes or whatever they want to do with them.

This is done manually and takes some time to go through all groups of Objects to remove all permissions of Users Group Account. Since, this step is required for all new Projects I thought it is better to automate it and here it is for you to try it out. This program is written purely on my own experience with the VBA based procedures and you may use it at your own risk

  1. Copy and paste the following Program into a Standard Module and save it.
    Public Function DefaultUsersGrp(ByVal DatabasePathName As String) As Boolean
    '----------------------------------------------------------------------------
    'Author : a.p.r. pillai
    'Date     : March-2010
    'Purpose: Remove All Permissions from Users Group Security Account
    'All Rights Reserved by www.msaccesstips.com
    '----------------------------------------------------------------------------
    Dim wsp As Workspace, db As Database, ctr As Container
    Dim GroupName As String, doc As Document
    Dim L4 As String
    
    Const DB_FULLNO = &H60000
    Const OBJS_FULLNO = &H2FE01
    
    'Remove All Permissions on Containers & documents
    'for USERS Group
    
    On Error GoTo DefaultUsersGrp_Err
    
    Set wsp = DBEngine.Workspaces(0)
    Set db = wsp.OpenDatabase(DatabasePathName)
    
    wsp.Groups.Refresh
    GroupName = "Users"
    
    Set ctr = db.Containers("Databases")
    Set doc = ctr.Documents("MSysDb")
    doc.UserName = GroupNamedoc.Permissions = DB_FULLNO
    
    Set ctr = db.Containers("Tables")
    GoSub SetPermission
    
    Set ctr = db.Containers("Forms")
    GoSub SetPermission
    
    Set ctr = db.Containers("Reports")
    GoSub SetPermission
    
    Set ctr = db.Containers("Scripts")
    GoSub SetPermission
    
    Set ctr = db.Containers("Modules")
    GoSub SetPermission
    DefaultUsers_Grp = False
    
    DefaultUsers_Grp_Exit:
       Set db = Nothing
       Set wsp = Nothing
    Exit Function
    
    SetPermission:
    For Each doc In ctr.Documents
        doc.UserName = GroupName
        If ctr.Name = "Tables" Then
            L4 = Left$(docName, 4)
            If L4 = "MSys" Or L4 = "~sq_" Then
              GoTo nextloopxxx
            End If
        End If
        doc.Permissions = OBJS_FULLNO
    nextloopxxx:
    NextReturn
    
    DefaultUsersGrp_Err:
    MsgBox Err & ": " & Err.Description
    DefaultUsersGrp = True
    Resume DefaultUsersGrp_Exit
    End Function
  2. Remember this Program is run for an external Database that you would like to remove All Permissions of all Objects for the Users Group Account.
  3. Before you run this Program, open the Database that you are targeting and check the current permission settings of all Objects for the Users Group Account. Try the program on a copy of the original Database you are targeting.
  4. Open the Database with the above Code, if you have closed it.
  5. Press Alt+F11 to display the VBA Editing Window and press Ctrl+G to display the Debug Window.
  6. Type the following and press Enter Key:

    DefaultUsersGrp "C:\My Documents\myTest.mdb"

  7. Replace the database Pathname in quotes with your own database name.

    You may run the Program from a Command Button Click Event Procedure from a Form.

  8. Open your Test Database and check the current status of the permissions settings of Users Group Account. The check marks from all the permission options you will find disappeared.
Share:

Create Security Group Account with VBA

Last week we have learned how to create a Microsoft Access Security User Account(SMITHJOHN) with VBA and learned how to join him as a member of the default Group Account Users. The Users and Admins Group Accounts are already present in the default Workgroup Information File (Sytem.mdw) or in the new Workgroup Information File that you create separately.

If we need to group Users under different categories (like MANAGERS, SUPERVISORS, DATA ENTRY OPERATORS, EDITORS and so on) so that their access rights to different objects can be defined differently at group level and any number of Users can be joined to these groups. Once we clearly define group level access rights all Users joined to that group will inherit the privileges assigned to that Group.

One User can be joined to more than one Group as well. A sample image of the User and Group Accounts control is given below and we will examine how the User SMITHJOHN's Security credentials are appearing in the Control.

In the User Name control SMITHJOHN is selected. The Group Account name Users is appearing under the label Member of indicating that he belongs to that Group Account only. If you look under the Available Group List you can see that the Users Group Account is appearing there also. Unlike the Users Group Account other Group Accounts shown there are created manually for different Group of Users.

If we want to make the User SMITHJOHN as a member of the VEHGRP then all we have to do is to select the VEHGRP under the Available Groups List and click on the Add>> Command Button to copy that name into the Member of: List. Whatever Access Privileges we have assigned to the VEHGRP will be automatically available to the selected User in the User Name control above.

At the end part of last week's main program CreateUser() the following code segment is doing exactly what we did manually in the above paragraph:

. . .
   With wsp
     Set tempGrp = .Users(UsrName).CreateGroup("Users")
         .Users(UsrName).Groups.Append tempGrp
         .Users.Refresh
   End With

But, to do that first we must create the Group Account VEHGRP by going through the same procedure like creating a new User Account from the Groups Tab on the Control above. So, the VEHGRP Account was created at some point of time earlier.

Here, we will learn:

  1. How to create a Microsoft Access Security Group Account MANAGER with VBA.
  2. How to join the User SMITHJOHN to the MANAGER Group Account with VBA.

NB: The User and Group Accounts are not case sensitive. Here they are given in Upper Case for legibility only.

The following Program creates the MANAGER Group Account in the Available Groups List:

Public Function CreateUserGrp()
'---------------------------------------------------------------------
'Creating a Security Group Account
'Author : a.p.r. pillai
'Date   : March-2010
'All Rights Reserved by www.msaccesstips.com
'---------------------------------------------------------------------
Dim newGrp As Group, wsp As Workspace
Dim tempGrp As Group
Dim grpName As String, grpID As String

On Error Resume Next

Set wsp = DBEngine.Workspaces(0)

    grpName = "MANAGER"
    grpID = "MGR13579"

With wsp
    Set newGrp = .CreateGroup(grpName, grpID)
               .Groups.Append newGrp

    If Err = 3390 Then
      MsgBox "Group Name : " & grpName & vbCr & vbCr & "Group PID     : " & grpID & vbCr & vbCr & "Account Name already Exists..! "
      Err.Clear
    End If

      .Groups.Refresh
End With

End Function
  1. Copy and Paste the above program into a Standard Module.
  2. Click somewhere in the middle of the Code and press F5 Key to Run the Code and to create the MANAGER Group Account.
  3. You may select Tools - -> Security - -> User and Group Accounts . . . (from the Database Window).
  4. Select SMITHJOHN in the User Name List.
  5. Check for the name MANAGER in the Available Groups List and you will find it there.

But, the User SMITHJOHN is not yet added to the MANAGER Group Account and this is where we need to add the code-segment, given at the top of this page, to the main program.

The revised VBA Code given below to create the MANAGER Group Account and to add the User SMITHJOHN to this Group Account.

Public Function CreateUserGrp()
'---------------------------------------------------------------------
'Creating a Security Group Account
'Author : a.p.r. pillai
'Date   : March-2010
'All Rights Reserved by www.msaccesstips.com
'---------------------------------------------------------------------
Dim newGrp As Group, wsp As Workspace
Dim tempGrp As Group
Dim grpName As String, grpID As String

On Error Resume Next

Set wsp = DBEngine.Workspaces(0)

    grpName = "MANAGER"
    grpID = "MGR13579"

With wsp
    Set newGrp = .CreateGroup(grpName, grpID)
               .Groups.Append newGrp
    If Err = 3390 Then
      MsgBox "Group Name : " & grpName & vbCr & vbCr & "Group PID     : " & grpID & vbCr & vbCr & "Account Name already Exists..! "
      Err.Clear
    End If

      .Groups.Refresh
End With

'Add the User SMITHJOHN to the MANAGER Group Account
usrName = "SMITHJOHN"

   With wsp
     Set tempGrp = .Users(usrName).CreateGroup(grpName)
         .Users(usrName).Groups.Append tempGrp
         .Users.Refresh
   End With
End Function

If you run the revised Code again it will show an Error Message saying that the MANAGER Group Account already exists, because you have already run this code once. But, the remaining part of the code will run.

If you open the User and Group Accounts control now and select SMITHJOHN in the User Name Control you can see that MANAGER group name is now appearing under the Member of List indicating that the User is a member of the MANAGER Group Account.

See the sample image given below.

Share:

Translate



PageRank
Your email address:

Delivered by FeedBurner

Search

Infolinks Text Ads


Blogs Directory

Popular Posts

Search This Blog

Blog Archive

Powered by Blogger.

Labels

Forms How Tos Functions MS-Access Security Reports msaccess forms Animations msaccess animation Utilities msaccess controls Access and Internet MS-Access Scurity MS-Access and Internet Queries External Links msaccess reports msaccess tips Menus and Toolbars Accesstips MsaccessLinks Process Controls Art Work Downloads msaccess How Tos Graph Charts msaccessQuery List Boxes Command Buttons Emails and Alerts Query Combo Boxes Custom Wizards DOS Commands ms-access functions msaccess functions msaccess graphs msaccess reporttricks msaccessprocess security advanced Access Security Array Custom Functions Data Macros Menus Property Report Top Values VBA msaccess email msaccess menus progressmeter Access2007 Auto-Number Command Button Copy Form Join Microsoft Numbering System Records Security Split SubForm Table Utility Variables Workgroup database msaccess wizards Access2003 Accounting Year Action Animation Attachment Binary Numbers Bookmarks Budgeting Calculation ChDir Color Palette Conditional Formatting Controls Data Filtering Data Type Defining Pages Diagram Disk Dynamic Lookup Error Handler Excel Export Expression External Field Type Fields Filter Form Instances Formatting Groups Hexadecimal Numbers Import Labels List Logo Macro Mail Merge Main Form Memo Methods Monitoring Object Reference Objects Octal Numbers Operating System Paste Primary-Key Product Rank Reading Recordset Rich Text Sequence SetFocus Summary Tab-Page Tables Time Difference Union Query User Users Water-Mark Word automatically commands function hyperlinks iSeries Date iif ms-access msaccess msaccess alerts pdf files reference restore switch text toolbar tutorial updating upload vba code

Featured Post

Function Parameter Array Passing

Last week we have explored the usage of ByVal (By Value) and ByRef (By Reference),  in the Function Parameter, to pass the value from  a Va...

Labels

Blog Archive

Recent Posts