简体繁体 English

如何控制Access数据库的用户权限？

[英]How to control user rights to an Access database?

原文 2009-02-09 18:15:37 2 6 ms-access/ permissions

What is the simplest way to allow one user write access and everyone else read-only access to a MS Access database on a local network? 允许一个用户写访问权限以及其他人对本地网络上的MS Access数据库进行只读访问的最简单方法是什么？

I trust my users, but unfortunately Access saves changes to data as soon as the row of a table is deselected. 我相信我的用户，但不幸的是，只要取消选择表的行，Access就会保存对数据的更改。 Accidental keystrokes are saved without the user asking for the changes to be saved. 保存意外击键，用户不要求保存更改。

6 个解决方案

Some thoughts on controlling user rights to a Jet data store: 关于控制Jet数据存储的用户权限的一些想法：

if you really want to lock things down, you'll never manage it with Jet, as it's inherently vulnerable because the user has to have WRITE access to the MDB file. 如果你真的想锁定它，你永远不会用Jet管理它，因为它本身就容易受到攻击，因为用户必须拥有对MDB文件的WRITE访问权限。
if you are content with controlling rights to the data in your front-end application, you could provide different front ends (one for WRITE users and one for READ-ONLY). 如果您满足于控制前端应用程序中数据的权限，则可以提供不同的前端（一个用于WRITE用户，另一个用于READ-ONLY）。
if you're not using ACCDB format, you can use Jet user-level security. 如果您不使用ACCDB格式，则可以使用Jet用户级安全性。 It's a surprisingly complicated technology if you really want to lock down access to the data -- you have to follow all the instructions in the Jet Security White Paper to the letter, or your data will be open to anyone with the standard Jet workgroup file. 如果您真的想要锁定对数据的访问权限，那么这是一项令人惊讶的复杂技术 - 您必须遵循Jet安全白皮书中的所有说明，或者您的数据将对使用标准Jet工作组文件的任何人开放。 And even once you're done, it is crackable (though not without spending $$$ to buy cracking software). 甚至一旦你完成，它是可以破解的（虽然不是没有花费$$$购买破解软件）。 BTW, database passwords before Access 2007 were completely useless and easily cracked. 顺便说一句，Access 2007之前的数据库密码完全无用且容易破解。 Access 2007 enhances the security by raising the level of data encryption, but a database password causes lots of issues and doesn't allow you to have more than one level of access (unless you provide two different front ends with different passwords -- cf. #2). Access 2007通过提高数据加密级别来增强安全性，但数据库密码会导致许多问题，并且不允许您具有多个访问级别（除非您提供两个不同的前端使用不同的密码 - 参见＃2）。
if you just want to use Jet ULS to control access in your front end, you can add your users to groups and then check the group membership in your front-end UI objects (ie, forms), and give WRITE permission to the users who are in the user group that provides that level of access. 如果您只想使用Jet ULS来控制前端的访问权限，则可以将用户添加到组中，然后检查前端UI对象（即表单）中的组成员身份，并向用户授予WRITE权限。在提供该级别访问权限的用户组中。 The easiest way to do this, assuming you have more READ-ONLY users than those with WRITE permission is to have the READ-ONLY users log on as the default admin user (ie, you do nothing for their setup), and have the WRITE users log on as a user in the group with WRITE permission. 最简单的方法是假设您拥有比具有WRITE权限的用户更多的READ-ONLY用户，那就是让READ-ONLY用户以默认管理员用户身份登录（即，您没有为他们的设置做任何事情），并拥有WRITE用户使用WRITE权限以组中的用户身份登录。 In other words, if they aren't logged on as user "admin", they have full WRITE access. 换句话说，如果它们未以用户“admin”身份登录，则它们具有完全WRITE访问权限。
another alternative is to use NTFS security groups. 另一种方法是使用NTFS安全组。 API code for that is found on the Access Web , but it does require a Windows administrator to implement for you. 用于此的API代码可在Access Web上找到，但它确实需要Windows管理员为您实施。 Again, you would be limiting access in your front end application, rather than actually restricting user rights in the back-end MDB. 同样，您将限制前端应用程序中的访问权限，而不是实际限制后端MDB中的用户权限。

Only Jet ULS actually allows you to prevent a READ-ONLY user (who hasn't cracked your workgroup file) from editing your data. 只有Jet ULS实际上允许您阻止READ-ONLY用户（没有破解您的工作组文件）编辑您的数据。 All users have to have network access to your back-end MDB, but you can make it hard for them to get to the data even without jumping through the hoops in implementing Jet ULS. 所有用户都必须具有对后端MDB的网络访问权限，但即使没有实现Jet ULS的跳跃，也可能使他们难以获取数据。 Here are some steps to do that (and yes, all of these are a form of "security by obscurity" and will only slow down a READ-ONLY user determined to hack your back end): 以下是执行此操作的一些步骤（是的，所有这些都是“默默无闻的安全”形式，并且只会减慢确定要破解后端的READ-ONLY用户）：

Right click each table in your back end and turn on the HIDDEN attribute. 右键单击后端的每个表，然后打开HIDDEN属性。 This can also be done in code (see SetHiddenAttribute in Help). 这也可以在代码中完成（请参阅“帮助”中的SetHiddenAttribute）。 Naturally, if the end user sets their Access options to display hidden tables, this won't do anything. 当然，如果最终用户将其Access选项设置为显示隐藏表，则不会执行任何操作。 But most end users don't know about that, and if your users are running your app in the runtime, they won't have the option. 但大多数最终用户并不知道，如果您的用户在运行时运行您的应用程序，他们将无法选择。
Change the back-end database's Startup Properties to not display the database window and to not use special keys. 将后端数据库的“启动属性”更改为不显示数据库窗口，并且不使用特殊键。 You can find code for setting the startup properties in the Help topic for "AllowBypassKey". 您可以在“AllowBypassKey”的“帮助”主题中找到用于设置启动属性的代码。
In your back-end, create a macro named AutoExec with one command, Quit. 在后端，使用一个命令Quit创建一个名为AutoExec的宏。 With special keys disabled, there is no way to prevent the execution of this macro, and as soon as the user attempts to open the back end (even if they hold down the SHIFT key, ie, the standard keystroke for bypassing all startup routines), the database (and the instance of Access) will close. 禁用特殊键后，无法阻止此宏的执行，并且只要用户尝试打开后端（即使他们按住SHIFT键，即绕过所有启动例程的标准击键），数据库（和Access的实例）将关闭。

Now, all of these things can be undone by someone who knows what they are doing. 现在，所有这些事情都可以被知道自己在做什么的人解开。 If you gave me a back end with these things implemented, I'd be in it in about 5 minutes, simply by running code in another Access database to change all these startup properties to give me access. 如果你给了我一个实现这些东西的后端，我会在大约5分钟内进入它，只需在另一个Access数据库中运行代码来更改所有这些启动属性以便我访问。

But your end users likely don't have that level of expertise. 但是您的最终用户可能没有那种专业水平。 Any such user who does probably ought to be a WRITE user, no? 任何这样的用户可能应该是一个WRITE用户，不是吗？ :) :)

Yes, of course -- all of these things are easily hackable by anyone who knows how. 是的，当然 - 所有这些事情都很容易被任何知道如何做的人所破解。 But it's also easy to break into your house in seconds for the person with the right tools. 但是对于拥有合适工具的人来说，在几秒钟内闯入你的房子也很容易。 That doesn't mean you don't lock the doors, even though it's not bulletproof protection from burglary. 这并不意味着你不会锁门，即使它不是防盗的防弹保护。

Another consideration is that if you provide your users only the Access runtime instead of full Access, they won't be able to undo any of these settings in your back-end MDB. 另一个考虑因素是，如果您仅向用户提供Access运行时而不是完全Access，则他们将无法撤消后端MDB中的任何这些设置。

Last of all: 最后一个：

Security is not solely a technical issue -- most of it is, in fact, a people problem. 安全不仅仅是一个技术问题 - 事实上，大部分问题都是人员问题。 In order for people to do their work, you have to trust them to a certain extent in giving them access to your data. 为了让人们完成工作，您必须在一定程度上信任他们，让他们访问您的数据。 There is no technical solution to the problem of the untrustworthy system administrator, for instance, and the only way to fully protect your data is to not give them any access to it at all. 例如，对于不值得信任的系统管理员的问题没有技术解决方案，完全保护数据的唯一方法就是根本不给他们任何访问权限。

The easiest way would be to use share permissions. 最简单的方法是使用共享权限。 Grant write access to a group and put the users who must write to the database in that group. 授予对组的写访问权限，并将必须写入该用户的用户放入该组。 Put everyone else in a read group. 将其他人放在阅读组中。 This assumes you have a Windows domain, of course. 当然，这假设您有一个Windows域。

Here is a site that has some information on securing Access databases. 这是一个站点，其中包含有关保护Access数据库的一些信息。 It deals with Access 2000, there may be more options for newer versions. 它处理Access 2000，可能有更多版本的选项。

这是一个厚颜无耻的答案，但如果您需要更好的安全性，请认真考虑升级到更强大的RDBMS。

I think it is possible using an ODBC connection to use Access as an interface to almost any database. 我认为可以使用ODBC连接将Access用作几乎所有数据库的接口。 For example, I have successfully configured a SQL Server 2008 Express Edition database with 2 users, one read/write and one read-only. 例如，我已成功配置了一个SQL Server 2008 Express Edition数据库，其中包含2个用户，一个读/写和一个只读。 I have been able to connect to the database from Access by opening an ODBC data source. 我已经能够通过打开ODBC数据源从Access连接到数据库。 So a user can have the Office-based report-generating and mail-merging functionality they are familiar with. 因此，用户可以使用他们熟悉的基于Office的报告生成和邮件合并功能。 But with any database server you wish. 但是您希望使用任何数据库服务器。

This conversation may be a little old, but for some reasons I got the same problem recently. 这个对话可能有点旧，但由于某些原因，我最近遇到了同样的问题。 It will not suit to everyone, cause it relies not on M$ SQL Server but on MySQL. 它不适合所有人，因为它不依赖于M $ SQL Server而是依赖于MySQL。 Use the MySQL ODBC connector (available here: http://dev.mysql.com/downloads/connector/odbc/ ), and store your tables on a MySQL server. 使用MySQL ODBC连接器（可在此处获取： http ： //dev.mysql.com/downloads/connector/odbc/ ），并将表存储在MySQL服务器上。 The Access user's rights on tables will inherit from the MySQL user's rights. Access用户对表的权限将继承MySQL用户的权限。 Pretty easy to customize... 很容易定制......

Fact is, there is NO functional security for an access database . 事实上， 访问数据库没有功能安全性 。

The link below sells software that will 'recover' your access database Even if it has aa password. 下面的链接销售将“恢复”您的访问数据库的软件即使它有一个密码。

It is a good thing they exist. 他们存在是件好事。 Their program saved one of my customer's butts once when their previous programmer died and no one else had the password. 当他们以前的程序员死了，没有其他人拥有密码时，他们的程序保存了我的一个客户的屁股。 Thanks to this program we could not get in and no data was lost. 由于这个程序，我们无法进入，没有数据丢失。

http://www.stellarinfo.com/access-recovery.htm http://www.stellarinfo.com/access-recovery.htm

And before you even think it, No, I do not work for them. 在你想到之前，不，我不为他们工作。