This is the first of (hopefully) a series of FAQs on Access Security written to be just the guts of the knowledge. There are no frills or excessive repetition for easy reading.
The purpose of this FAQ is to introduce you to security terminology you may not otherwise be familiar with. This may not be a complete list, but I find these are common concepts needed to talk about Access Security.
Table of Contents
1 Users
2 Groups
3 Authentication
4 Permissions
5 Explicit Permissions
6 Implicit Permissions
7 Restrictive Permissions
a Least Restrictive Permissions
b Most Restrictive Permissions
8 Owner
1 Users
Users are the basic entity of any security model. A user usually represents a person and is simply the most basic thing that can be assigned permissions (see section 4, Permissions).
2 Groups
Groups are a method of combining users. Doing this is enormously helpful from an administration standpoint. It is much easier to set up how things should work for a group than it is to maintain it for individual users. You set up how things work for a group once and then add or remove users from the group for those users to gain or lose those traits. Otherwise you would set up each user with the same traits, or remove them, countless times.
3 Authentication
Authentication is how you prove you are a particular user. You supply some sort of credentials to prove this. The most familiar method, and the one used in Access, is the Username and Password combination. You identify yourself with a Username and prove it by entering a Password.
4 Permissions
Permissions are the settings or options that allow users or groups to do things or prevent them from doing things. A thing is given permissions. For example, folders and files are given permissions in Windows, and in Access, objects (Database, Tables, Queries, Forms, Reports, Macros, Modules) are given permissions.
5 Explicit Permissions
An explicit permission is a permission granted directly to a user or group. Explicit permissions are visible when you check the permissions for the thing you are looking at. Both a user and a group can be given explicit permissions.
6 Implicit Permissions
Implicit Permission is the ability to do something despite the fact that you do not see it set explicitly. This can also be thought of as indirect permission. The most common case is the inheritance that happens from being in a group. If Fred is in the Accounting group, the Accounting group is given permission X, and Fred is not granted any, then Fred is said to have Implicit Permission to do X because he inherited it from the Accounting group.
7 Restrictive Permissions
In the previous section Fred has implicit permission to do X. But what if Fred and Accounting are both assigned permissions? What if Fred is still not granted permission to do X but the Accounting group is? He does not have explicit permission but he does have implicit permission. How do we know if Fred can do X?
The answer is that it depends on whether the system uses Least Restrictive Permissions or Most Restrictive Permissions. Each is a method of merging two or more sets of permissions into one real or final set of permissions for the user. These methods are somewhat self-explanatory but may be counterintuitive to pick up.
a Least Restrictive Permissions
If Least Restrictive permissions are used then yes, Fred does have permission X. You can think of this as any grant of a permission yielding that permission. You could also think of this as using the Boolean OR operator on each permission from each set.
b Most Restrictive Permissions
If Most Restrictive permissions are used then no, Fred does not have permission X. All permission sets must grant the permission or the user does not end up with it. You could also think of this as using the Boolean AND operator on each permission from each set.
Note that in Access the system has rules to determine whether evaluation of permissions is Least or Most Restrictive. It is not something you choose. The good news is that it is simple: the rules are basic and never change. The same can be said about Windows File Permissions, which is worth mentioning as File permissions can and should play an important part in security.
8 Owner
Everything that can be assigned permissions also has, and can be assigned, an Owner. The Owner is by default the user that created it. However, it can be set to another user or group. The special characteristic of an Owner is that it has permission to set permissions for the object whether or not it is granted otherwise. Put another way, the Owner's permission to set permissions is merged with the regular permission set using Least Restrictive evaluation.
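The merge rules from section 7 and the Owner rule from section 8, as an added example that is not part of the original FAQ and is not how Access itself is implemented. The permission names, the `effective` and `implicit` helpers, and passing the evaluation mode as a parameter are assumptions made for illustration.

```python
from enum import Flag
from functools import reduce


class Perm(Flag):
    # Constructed permission names for illustration, not Access's own constants.
    NONE = 0
    READ = 1
    UPDATE = 2        # stands in for "permission X" from the Fred example
    DELETE = 4
    ADMINISTER = 8    # the right to set permissions on the object


def effective(user_perms, group_perms, mode, is_owner=False):
    """Merge a user's explicit set with the set of every group they are in.

    mode="least": Boolean OR across the sets, any single grant is enough.
    mode="most":  Boolean AND across the sets, every set must grant it.
    """
    sets = [user_perms, *group_perms]
    if mode == "least":
        merged = reduce(lambda a, b: a | b, sets)
    elif mode == "most":
        merged = reduce(lambda a, b: a & b, sets)
    else:
        raise ValueError("mode must be 'least' or 'most'")
    if is_owner:
        # Section 8: the Owner can always set permissions on the object,
        # whatever the regular permission sets say.
        merged |= Perm.ADMINISTER
    return merged


def implicit(user_perms, group_perms):
    """Permissions held only through group membership (section 6)."""
    inherited = reduce(lambda a, b: a | b, group_perms, Perm.NONE)
    # XOR with the overlap strips anything the user also holds explicitly.
    return inherited ^ (inherited & user_perms)


# Constructed sample data: Fred has no explicit grants, Accounting has two.
FRED = Perm.NONE
ACCOUNTING = Perm.READ | Perm.UPDATE

if __name__ == "__main__":
    print("least:", effective(FRED, [ACCOUNTING], "least"))
    print("most: ", effective(FRED, [ACCOUNTING], "most"))
    print("implicit:", implicit(FRED, [ACCOUNTING]))
    print("owner under most:", effective(FRED, [ACCOUNTING], "most", is_owner=True))
```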