Microsoft Office 2000/Visual Basic Programmer's Guide   

User-Level and Share-Level Security

Microsoft Jet provides both share-level and user-level security. In share-level security systems, passwords are associated with specific objects, not with users. Any user who knows the password for an object can access that object. Microsoft Jet provides a simple form of share-level security: the ability to password-protect the opening of a database. Add a password to your database when all you want to do is prevent unauthorized users from opening your solution and you're not concerned about what authorized users do once they're inside. For more information about using database passwords, see "Setting a Database Password" earlier in this chapter.

If you need more control, for example, to prevent users from modifying the design of your tables and queries, Microsoft Jet also provides user-level security. With user-level security, users are authenticated when they start Microsoft Jet, before any database is opened. (A user is authenticated by logging on to the system with a name and a password, which are compared to a database of user account information that is called a workgroup information file or system database.) After the user is authenticated, the system determines the user's level of access to a database and the objects it contains by comparing the user's identification to a set of object permissions that have been defined for that object by the solution's administrator. Different users can have different levels of permissions for the same objects.

Microsoft Jet user-level security functions as follows: Administrators assign specific permissions for a database and the objects it contains to users and groups. When a user starts a session of the Jet database engine in a secure environment, the user logs on, entering a user name and password. The password's function is to authenticate the user, not to give access to any particular objects. Microsoft Jet then reads the current workgroup information file to determine all the groups the user belongs to, and stores that information internally. Every time the user tries to perform an action such as opening a database, browsing a table, or modifying a query, Microsoft Jet first checks to see if the user, or any of the groups to which the user belongs, has the necessary permissions to perform this action. If the user or the groups the user belongs to have sufficient permissions, Microsoft Jet performs the action. If not, Microsoft Jet returns an error message indicating that permission is denied, and the operation fails.
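
The following DAO routine is an added example, not code from the original guide. It reproduces the check described above by combining a user's explicit permissions on a table or query with those of each group the user belongs to. It assumes a DAO reference, a session already logged on to the secured workgroup with an account allowed to read security information (for example, a member of Admins), and the hypothetical names `Orders` and `ClerkUser`.

```vba
' Added example (not from the original guide). Assumes a DAO reference and a
' session already logged on to the secured workgroup with rights to read
' permissions (for example, a member of the Admins group).
Option Explicit

' Returns True if strUser, directly or through any group, holds every bit in
' lngNeeded on the named table or query. Prints which principal supplies what.
Public Function CanPerform(db As DAO.Database, strObject As String, _
                           strUser As String, lngNeeded As Long) As Boolean
    Dim wrk As DAO.Workspace
    Dim doc As DAO.Document
    Dim grp As DAO.Group
    Dim lngUnion As Long

    Set wrk = DBEngine.Workspaces(0)
    ' The "Tables" container holds both tables and queries.
    Set doc = db.Containers("Tables").Documents(strObject)

    ' Explicit permissions assigned to the user account itself.
    doc.UserName = strUser
    lngUnion = doc.Permissions
    Debug.Print strUser & " (explicit): &H" & Hex$(doc.Permissions)

    ' Permissions assigned to each group that the workgroup information
    ' file lists for this user.
    For Each grp In wrk.Users(strUser).Groups
        doc.UserName = grp.Name
        Debug.Print "  group " & grp.Name & ": &H" & Hex$(doc.Permissions)
        lngUnion = lngUnion Or doc.Permissions
    Next grp

    ' AllPermissions is DAO's own user-plus-groups value, printed for comparison.
    doc.UserName = strUser
    Debug.Print "union=&H" & Hex$(lngUnion) & _
                "  AllPermissions=&H" & Hex$(doc.AllPermissions)

    CanPerform = ((doc.AllPermissions And lngNeeded) = lngNeeded)
End Function

Public Sub DemoCheck()
    ' "Orders" and "ClerkUser" are hypothetical names; CurrentDb assumes
    ' the code runs inside Microsoft Access.
    If CanPerform(CurrentDb, "Orders", "ClerkUser", dbSecRetrieveData) Then
        Debug.Print "Read allowed"
    Else
        Debug.Print "Read denied: Jet would return a permission error"
    End If
End Sub
```

Running this for each account against sensitive tables shows when a right comes from a group rather than from the user account, which is where unintended access usually hides during a permissions review.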