Sharing Access Databases a Common Mistake

8/9/2019 Sharing Access Databases a Common Mistake

1/20

Sharing Access Databases

This document is meant to provide the best practices for sharing an access database withothers. Incorporated into these best practices are the concepts of Performance, MaximumSecurity, Future Manageability, and Higher Degrees of Scalability. Simply put, your database willbe as secure as possible, as easy to modify as possible, and as easy to migrate to a largerplatform when and if you ever outgrow Access.

A common mistake is to share an access database by saving it to a network shareand control access via NTFS ie. Read Only or Full Access permissions.

If you fail to give a database user less than "Full Control" permissions on the directory whichcontains the database. This will cause problems each time they go into the database as theycan't lock the records in the database, due to the inability to manipulate the locking database file(*.LDB).

What Is An LDB File ?

Whenever you open an Access database, a file with the same name as the database and anextension of LDB will be opened automatically.

For example if you open Northwind.mdb, a file called Northwind.ldb will be generated. This newfile keeps track of users and the objects that require some form of locking in the database.When all users have exited gracefully from the database, the LDB file is automatically closeddown and deleted.

When a user says, "I can't get into the database. The message says, 'The file is already in use,'"explain to your boss, "That's because the first user to open the database didn't have 'create'permissions to create the locking database file, because I didn't give them 'Full Control'permissions on the directory that contains the database.

Alldatabase users must have "Full Control" permissions on the directory whichcontains the database.

Sharing an entire database over the network has been identified by Microsoft as thenumber one cause of database corruption, so don't do it!

Congratulations! Your database has become so popular that others would like to use it. Just

copy it to a shared location on the network and create shortcuts, right? Wrong! This is perhapsthe largest cause of Access database corruption. Multiple users accessing the same .MDB atthe same time is just asking for problems.


2/20

What is the correct method to share an Access database?

The correct method to share an Access database is to split the database into a frontend(FE) and backend (BE).

Splitting a database is a relatively simple concept. You take an existing Access MDB databasewith its tables, queries, forms, reports, macros, modules, etc. and divide it into two databases:

The BackEnd database just contains the tables The FrontEnd database contains the application objects (everything except the tables)

and links to the tables in the back-end database

A copy of the FE database should be installed on each user's local hard drive.The BE database, which contains only the shared tables, is located on the network. Think of theFE like a shortcut on the users desktop that points to the BE on the server that contains thedata.

This design is especially useful in multi-user environments where the back-end database isstored on a network and contains the shared data. Each user then has a copy of the front-enddatabase on their desktop pointing to the shared database.

In multi-user environments, the front-end database can also contain tables that are private to theuser. These local tables can store the users settings, selections, temporary or intermediatetables for processing data or reports, etc.


3/20

Reasons to Split a Microsoft Access Database

Here are some of the major reasons to use a split database architecture

Without a split database architecture, youll need to update the database with the latestdata, people have changed with every new release.

Application enhancements are simplified since they are made in the front-end databasewithout worrying about changes to the data in the back-end database. Releasing newversions and bug fixes becomes much easier since only the application part needs to bedistributed. Of course, if you modify table structures or add/delete/rename tables, youllneed to apply those changes to the back-end database.

Performance can be significantly enhanced and network traffic reduced when the userhas a copy of the front-end database installed on their desktop rather than running it offthe network each time they use it.

Temporary tables can be kept for each user in their front-end database. This avoidscollisions among multiple simultaneous users if they were all using one database.

Without splitting a database, multiple users running the same database on the networkincrease the chance of database corruption. The split database design minimizes this

problem and avoids code corruption from impacting data corruption. This simplifies database administration since the data is stored centrally and can be

backed up and compacted. A single master front-end application database is copied toeach users machine, but is not necessary to back up.

Provides an opportunity to expand a database size beyond the 2 GB size limitation ofAccess since the front-end database can link to multiple back-end databases ifnecessary.

Sets the stage for migration to SQL Server. If the application evolves to need thefeatures of SQL Server, you can still use the front-end database to link to data stored inSQL Server.

Optimise Performance

Most Access multi-user applications involve a database that is accessed simultaneously bydifferent users and applications.

The data contained in this database can be described as dynamic meaning that in a networkedenvironment the data changes as users add new records or edit them.

However, the components and objects of your Access application forms, reports, queries etc -are static. In majority of cases these database objects are stored in a central database and each

time a user accesses this application they receive these static objects together with the dynamicdata. Receiving and sending the same static data over the network again and again will ofcourse affect the performance of the application negatively especially as more and more usersmake use of your application. An obvious solution to this scenario would be to use the networkto only send dynamic data and at the same time enable users to load the forms, queries etc.locally.


4/20

How do I split a database?

*** Always backup any database before making changes of any kind. ***

Using Microsoft Access Splitter Utility

Beware splitting a secure database with the wizard -- The Database Splitter Wizard iscommonly used to quickly and easily split the database, but if it's used on a secure database,the back end database file will be left unsecured.

Microsoft Access has a built-in utility for assisting you with the splitting process.Open Access > Choose Tools > Database Utilities > Database Splitter

The Database Splitter dialog box


5/20

Creating the Back-end Database

Confirmation of Database Split

You will now have a backend and frontend copies of your database.The two copies of your database will be distinct in the sense that all tables will be saved to thebackend copy while most other objects such as forms, reports, macros etc will be placed in thefront end copy.

Note also that the frontend copy of your database will not have any tables in it; this is indicatedby the little black arrow icon that appears next to the table names in the tables window. They willhave links to the tables that is now stored in the backend copy of your database:


6/20

Displaying the database FrontEnd

The Database Splitter Tool provides the same functionality as splitting the database manually asdescribed below.

Splitting an Access Database manually

Create the BackEnd (Where the Tables will reside)

1. Make a copy of your database - This will be the backend.2. Open the backend and delete all objects except the tables.

So delete queries, reports, forms etc

What do I do with the BackEnd?

The BE should reside permanently on your network share.

Note: This new BE should be named differently than your FE.

Example:

FE name = Accounting.MDB, BE name = AccountingBE.MDB

All of your users will need Read/Write/Delete permissions at the BE location.


7/20

Create the FrontEnd

1. Open your original database and delete the tables/relationships.

To DeleteTables/Relationships

Goto Tools > Relationships

If a relationship is established you will see a line connecting fields in the Relationshipswindow as shown

You now have a basic FE.

What do I do with the FE?This new .MDB file becomes your new development copy. Guard it with your life. Back it upfrequently, as well as the new BE you have created which houses all of your data. Designchanges from now on will take place in this FE copy.


8/20

Link the FE to theBE

Open the FE and link to the tables in your newly created BE Go to File, Get External Data, LinkTables and locate the backend in its permanent network location.

Choose all the tables > Choose OK. Choose File > Get External Data > Link Tables >Browse to your BE and link.

(If you change the BE location after the links in your FE are created, they will be broken andyou will have to relink them.)

So how would you update the links?

Well Microsoft Access provides us with the Linked Table Manager, which as the name implies,manages links between tables. To access the linked table manager, simply right click on thelinked table and select Linked Table Manager from the list:


9/20

The Linked Table Manager

The dialog box lists the linked tables in the current database and shows the location of thephysical tables to which they point. You can select the links that you'd like to update, and thenclick the OK button. Access will then display a File Open dialog box that prompts you for the newlocation of the back-end database file.

Distribute individual copies of this new FE to your users.

"Can I use a shortcut on my users desktop to open the FE?"

A: Yes. But the shortcut should point to the LOCAL COPY of the FE.

Each user receives their own copy of the FE file this copy should be placed on theirlocal machine.

Splitting databases as above is a fantastic way of solving the network bottleneck problem theonly drawbacks is that every time you make a change to any of the objects contained in the frontendpart of your application you need to redistribute that copy to all your users. If you only haveone or two users, this is not a problem; if you have a few hundred users then it just mightbecome one!

There are many good reference articles for redistributing a FE database automatically withoutgoing machine to machine. Here are a couple of the many links you will find if you do a search:

Deploying and updating Front End Database Applications, by Bill Moscahttp://thatlldoit.com/howtosarticles.aspx#fe_updater

Auto FE Updater, by Tony Toewshttp://autofeupdater.com/
http://thatlldoit.com/howtosarticles.aspx#fe_updaterhttp://autofeupdater.com/http://autofeupdater.com/http://autofeupdater.com/http://thatlldoit.com/howtosarticles.aspx#fe_updater


10/20

Securing and Administering Access

So now we have split the Access database into a frontend (FE) and backend (BE).How do we share the database and control access with Read Only or Full Access permissions?

MS Access Security

User-level security Governing who is permitted to view, add, edit and delete database objects(tables, queries etc)

And Workgroup-file-based security: Controls the ability to edit user permissions

Before we begin, we first need to define some terms.

A Workgroup Information File (*.MDW) stores information to authenticate a user. It stores theuser names, group names, and passwords. It does not store any permission or rights to anydatabase. Its main purpose is to verify that a user is really who they say they are. Thepermissions of the database objects, tables, queries, forms, etc., are stored in each MDB file.The

System.mdw is the default workgroup filename created when you install MS Access.

When you create a new User, you will be prompted for a User Name, Password, and a PID orPersonal Identification number. A PID can be any text or numbers up to 20 characters long. Allthree values uniquely identify each user.

Every time a user opens the MS Access program, MS Access attempts to login the Admin userwith a blank password. If the log in is successful, MS Access continues loading and the usernever realizes that they were logged in as Admin. However, if the login is unsuccessful, say forexample the Admin user does not have a blank password, then a login dialog box pops upasking the user to specify a username and password.

MS Access verifies that the user name and password exist in the Workgroup Information File.After the user has been verified, the workgroup information files job is done. The MDB itselfstores security rights and privileges for each user and for each database object

The MDB will have a list of user ids and the privileges that each user may have. One user mayhave the rights to open the table, but not delete any records, or change the design of the table.Another user may not have any restrictions at all. The MDB file knows each users privileges.The distinction between the workgroup information file and the MDB file is one that confuses alot of developers.


11/20

Secure the Database with the User-Level Security Wizard

The User-Level Security Wizard can secure any or all of the objects in your database. All therelationships and linked tables are kept intact when you secure the database with the Security

Wizard. It also makes a backup copy of the original database in case you have forgotten to doso. The backup file has the same name with the .bak file extension.

With the Security Wizard, you can be specific about which users enjoy which permissions. Youcan also decide who belongs to which groups and edit user passwords and personal IDs (PIDs)as well. A PID is similar to a password and is used in combination with the user name to identifyan account.

Start the User-Level Security WizardThe database must be open before you can work with the User-Level Security Wizard.

TIP Prior to using the Security Wizard, be sure to open the database in shared mode. If you

open it in Exclusive mode, the Security Wizard will offer to reopen it in shared mode.

The first thing that you need to do when intending to use a Microsoft Access database in ashared environment is to put it in shared mode. You can do this by selecting Tools > Options,which opens the Options dialog box:

Click on the Advanced tab Default Open Mode selection box and check the shared option asabove. This will then open all databases in shared mode by default. This means that you donthave to go through this exercise every time you create/open a new database.


12/20

Also note Default Record Locking selection options

No Locks - When a user has saved the changes to a record that has been edited, thenand only then does Microsoft Access lock it. The record is therefore not locked while theuser is actually editing it. The No Locks option is best used when there is a slim chanceof more than one user editing the same record. This method of locking is also referred to

as optimistic locking. All Records - As the name suggest, this option locks up the entire table while records

are being edited. Of all the options, this one is the safest for obvious reasons. Thedisadvantage of this method of record locking is that multiple users will be unable toaccess the database for long periods of time.

Edit Record - This option is the most logical and I think the most commonly used in amulti-user environment. The Edit record option ensures that Access locks a record themoment a user begins the editing process and then the lock is released when the usersaves or otherwise abandon the edits. This method of locking is also referred to aspessimistic locking.

Select the most appropaite option i.e. Edit Record

1. Open the database whose objects you want to secure.

2. Click Tools > Security > User-Level Security Wizard.

The wizard will immediately ask you to create a workgroup information file. It will create anunsecure backup of the database, and then move to secure the current database. You will needto put in information about the users who will develop and use the database.

Create a new workgroup information file (*. MDW)

Use the MS Access Workgroup Administrator program. The WRKGADM.EXE file starts thisprogram. Do not leave the Workgroup ID blank or anyone will be able to create a workgroup filesimilar to yours.


13/20

The default workgroup file is called System.MDW. In earlier versions of Access, system.mdwwas located in:

c:\windows\system\ or in more recent versions in:

C:\Documents and Settings\[user]\Application Data\Microsoft\AccessNote that this recent setup makes the default workgroup file particular to the user logged in

You should rename the workgroup file system.mdw it should have a different name to avoidconfusion. Also avoid names that conflict with your database names. Access wont run properlyif the workgroup name (MDW file) and the database name (MDB file) are identical.

The Security Wizard opens and asks you to

Select Create A New Workgroup Information File if one doesnt exist.

Select Modify My Current Workgroup Information File to make changes in an existing WIF

Select Create A New Workgroup Information File Click Next


14/20

A workgroup information file is a file about the users in a workgroup. Microsoft Access reads thisfile at startup. It contains information about account names, passwords, group membership andpreferences. Preference information is specified in the Options dialog box.

A workgroup information file is initially created by the setup program when Microsoft Access isinstalled. The file is identified by the name and organisation information that is supplied during

the setup process of Microsoft Access.

A Workgroup ID (WID)is created when a new workgroup information file is created. A WID canhave between four and twenty characters and is case-sensitive. The WID guarantees that theworkgroup file can't be recreated by another user by simply guessing the name and company. Italso makes the Admins group unique to this workgroup file.

By default, Access will create a unique, 4 to 20 character string at random that is case sensitive,and associates an identity to the workgroup, otherwise refered to as a WID. For securitypurposes the WID is hidden here.

If you are creating a database for several users to user on a network, you will want to putboth the MDW and the MDB file on the network for all persons to use. Everyone must jointhe new MDW to be authenticated properly. Otherwise, the MDB file will not allow them toaccess any objects.

In File name select afile name and its Network Location

Remember rename the workgroup file called System.mdw avoid names that conflict with yourdatabase names. Access wont run properly if the workgroup name (MDW file) and the database

name (MDB file) are identical.


15/20

If you choose to make the WIF the default, every Access database you open will use itunless you specify that it be opened with a different WIF.

Ensure that the "I want to create a shortcut to open my secured database" option is selected,before clicking Next.

The wizard then will ask you what objects in your database do you want to secure. By default,Access will secure all existing database objects and all new objects. You can select objects thatwill not be secured, meaning ALL users will have full permissions for that object. It'srecommended that you don't bypass security for any object within your database.

Click Next

Naturally, you don't want everyone to have Admin rights to a database. The next screen allowsyou to include pre-defined groups within your workgroup. If you click on each group (do not put acheckmark beside any yet), you can read a brief description of each group. To make it easier to

track, it's recommended that you change the Group ID of any groups you include to somethingeasier to work with.

Create any group accounts for this workgroup.

For example, you may want to create a group named PowerUsers for users that may need lotsof database permissions. You may also create a Personnel group account for those users thatonly need limited rights.


16/20

To make permissions easier for you to manage, try and avoid setting permissions for individualusers.

Remember that there are several database object types for which you may need to setpermissions.

Database object, Table objects, Query objects, Form objects, Report objects, Macro objects,Module objects

Pre-Defined Groups

Click Next, once you have the groups you want.

In addition to these available groups, Access creates two other groups, Users and Admins.By default, all database users are added into the Users group. Those users who are in theAdmins group have full permissions and are the only users that can create permissions andgroups. For this exercise, the "No, the Users group should not have any permissions" option willbe selected.


17/20

Enter a password and change the personal ID (PID) for the Administrator account beforeyou add any users to your database.

All the databases that you have been creating up to this time have been created by the Adminuser of the default System.Mdw. The System.Mdw that comes with Access is a generic

workgroup file. All System.Mdw on everyones computers has the exact same Admin accountwith no password and with a PID of Null, making the Admin user account not very secure tocontinue to use.

When entering passwords, they are shown in plain text for all to see.

Create a new user account that will be the new workgroup administrator. Click Next

Instead of continuing to use the Admin user, we will disable the Admin user's abilities. The

reason for this is that every workgroup file has an Admin user, so using it will make our databaseless secure. I like to name my new workgroup administrator something like PowerAdmin. Writedown the new name and PID. Store this information in a secure location.


18/20

Now you will need to assign your users to groups. By default, the Admins group will be present.If specified that the Users group shouldn't have permissions, then the Users group will not bepresent.

Modify the Admins group by adding the new administrator and removing the original Adminaccount.

Any user in the Admins group will have full control of all the database's objects. They can alsocontrol other user's access to the database's objects.

By removing the Admin account from the Admins groups, the Admin becomes virtually useless.After our database is secure, if any one successfully logs in as the Admin user, they find thatthey don't have very many rights. If anyone needs to log in as a user with full rights, they shoulduse the new workgroup administrator that we createdClick Next

Specify the location where you want the unsecured backup to be stored. You will want toremove the .bak file extension and replace it with a .mdb extension. Click Finish.


19/20

Access will then create the workgroup information file(WID), a secured version of your database,an unsecured version to the location you specified, and a One-Step Security wizard report.

The One-Step security wizard report lists the name of the secured and unsecureddatabases, the name and properties the WID, the name of all secured and unsecured

objects, group names and properties, and all user information. It is recommended that you print a hard copy of the report and place it in a secure

location because of the sensitivity of some of the information contained. Do not save the report.

The Security Wizard will then tell you that it encrypted the database and that you must exitAccess and open the database in the future by using the shortcut on the Windows desktop tothe database's WID.

Re-Log into Access the new workgroup administrator that you created previously.

You'll need to shut down and restart Access to be able to log in.

Set up a password for the new workgroup administrator.

Up to this point, the new workgroup administrator doesn't have a password. You can set up apassword for this account underTools > Security > User and Group Accounts > Change LogOn Password.

Run the Security wizard underTools >Security > User - Level Security.

This step creates a new database and copies all the current database's objects into it. TheSecurity Wizard does 4 things for us.

The Wizard sets the owner of the database from Admin to the new workgroup administrator.This is done by creating a new database while logged in as the new workgroup administrator. Ifwe had left the database owner as the Admin user, then the admin user would still be able toadminister certain permissions of the database objects.

The Security Wizard changes the owner of each object in the database from Admin to the new

workgroup administrator. The owner of any object has special administrator privileges that wedont want any one to have except the new workgroup administrator. This step can be donemanually, but the Security Wizard automates this for us.

The Security Wizard removes all permissions from the Admin user. It also removes allpermissions from the Users group account, except for the Database Open/Run permissionwhich allows a user to open the database. Every user account that is created is automaticallyadded to the User group. Before we ran the Security Wizard the User group had all permissionsto all database objects.


20/20

Controlling MS Access Login Behavior

The Workgroup file (.MDW) should be located in the same folder as the BE. Your .MDW fileshould be named differently than your BE. (Ex: BE name = AccountingBE.MDB, WorkGroupname = AccountingWG.MDW) Your shortcut to open your database will look similar to:

"Full Path to MSAccess.EXE" "Full Path to local copy of the FE" /wrkgrp "Full Path toWorkgroup file"

http://www.techonthenet.com/access/security/use_mdw.php

Note: To apply a database password you must sign in to the database in Exclusive mode.

This can be accomplished by doing the following:

Open Access. (MSAccess.EXE, NOT your database) Choose Open an existing file. Browse to your BE or FE. (Single-Click only) Click the dropdown menu on the Open button. Choose Open Exclusive. (Your database will open) Choose Tools >> Security >> Set Database Password

When applying a password to the BE, this should be done before the links from the FE arecreated. If the links are already in place, manually delete the linked tables from yourdevelopment FE. Then follow the steps outlined above in the Create the FE section to re-establish the links in your FE to your new password protected BE. You will be prompted for thepassword during the linking process once, but after that you should not receive any moreprompts. The password will be permanently stored in the link. Keep this in mind if you ever havea need to change your database password. You will need to delete and recreate all the links inthe FE.

If you dont want the user to enter a password you can incorporate this password in the shorcut

"C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE" /user paul /wrkgrp"S:\\ashfp01\LackeyP$\QADR Workgroup.mdw" /pwd "letmein"

multiuser access db

http://www.access.qbuilt.com/html/multiuser_dbs.html
http://www.access.qbuilt.com/html/multiuser_dbs.htmlhttp://www.access.qbuilt.com/html/multiuser_dbs.html

Sharing Access Databases a Common Mistake

Documents

Transcript of Sharing Access Databases a Common Mistake