The Secured Database

The final element of Microsoft Jet security is your database. This is where the objects that have to be secure are stored. The actual permissions related to specific objects for specific users and groups are stored in system tables in your database. However, the definitions of user or group accounts themselves is not stored here. Such information is stored in the workgroup information file.

For example, when a user requests access to an object, Microsoft Jet has already retrieved the SIDs for the user and any groups to which he or she belongs from the workgroup information file when the user logged on. These SIDs are then compared to the SIDs in your database’s system tables to verify that the user has sufficient permissions to access the object.

Permissions

Microsoft Jet defines a set of permissions that give you fine control over a user’s access to an object. For example, you can allow a user to read an object’s contents, but not change them.

Microsoft Jet supports both explicit and implicit permissions. Explicit permissions are those you explicitly grant to an individual user. When an explicit permission is granted to a user, no other users are affected. Implicit permissions, on the other hand, are granted to a group. Because a group contains users, all users in a group receive the permissions granted to the group. If a user is added to a group, that user automatically gets all the implicit permissions of that group. Microsoft Jet uses the least restrictive set of permissions among the permissions granted to a user and all groups to which that user belongs. For example, if a user has explicit read permissions for a table but no write permission, and that same user also belongs to a group that has write permission for the table, the user will be able to write to the table because of the implicit write permission.

Microsoft Jet defines permission levels as numeric constants. For convenience (and more readable code), you can use built-in constants when specifying permissions. These built-in constants are available in Microsoft Access, Visual Basic, Microsoft Excel, Microsoft Word, Microsoft PowerPoint, and Visual C++. For other programming environments, you may want to create the constant definitions yourself.

Note You should generally use predefined constants instead of hard-coded values. These values may change in future releases of Microsoft Jet, but the constants should always be valid. The description of the following constants apply to both Container and Document objects.

The following set of tables describes the possible permission settings. Later in this chapter you’ll learn how to apply permissions to objects by using these settings.

The following table shows permissions available for all Microsoft Jet objects.

Constant Description
dbSecNoAccess No access to the object
dbSecFullAccess Full access to the object
dbSecDelete Can delete the object
dbSecReadSec Can read the object’s security-related information
dbSecWriteSec Can alter access permissions
dbSecWriteOwner Can change the Owner property

The following table shows permissions available for the Tables Container object or any Document object in a Documents collection.

Constant Description
dbSecCreate Can create new documents (valid only with a Container object)
dbSecReadDef Can read the object definition, including field and index information
dbSecWriteDef Can modify or delete the object definition, including field and index information
dbSecRetrieveData Can retrieve data from the Document object
dbSecInsertData Can add records
dbSecReplaceData Can modify records
dbSecDeleteData Can delete records

The following table shows permissions available for the Databases Container object or any Document object in a Documents collection.

Constant Description
dbSecDBCreate Can create new databases (valid only on the Databases Container object in the workgroup information file [System.mdw])
dbSecDBExclusive Exclusive access
dbSecDBOpen Can open the database
dbSecDBAdmin Defines the right of a user to change the database password