Creating fields that only certain groups can change 1

[svegal]

I am new to creating anything complicated in Access. I need to create a database of drawing numbers. The database will have fields for approvals by several different groups. Only members of the group should be able to write to that group's approval field.<br>
<br>
I found a thread (Jan 4, 2000 - Jan 5, 2000) by Sterling, dougp, and Elisabeth that discussed this but I could not see a complete solution.<br>
<br>
I am thinking I can use the user/group level security and have a table for each groups approval (which only that group can change). Then link(?) each groups approval table to a table with all the drawing numbers, I tried putting a autonumber field in each table and link the autonumber fields together in a form, but the autonumbers seem to not work well (sometime it skips a number).<br>
<br>
How do I link(?) the tables together when they don't have a common field? <br>
<br>
Is there a better apporach than I am taking?<br>
<br>
Any help would be greatly appreciated. Thanks.

 

[elizabeth]

You don't link autonumbers to autonumbers, you link primary keys to foriegn keys. And when the primary key is an autonumber, you set it up as a long integer in the table that you are linking it to. <br>
<br>
For example, if you have:<br>
tblDrawing: primary key DrawingID (autonumber)<br>
tblApproval: primary key ApprovalID (autonumber), foriegn key DrawingID (long int). Link: tblDrawing.Drawing ID (one) to tblApproval.DrawingID (many). <br>
<br>
Don't worry about the Autonumbers skipping (not being sequential). Only the proper group would have add, delete or edit permissions on tblApproval, everyone else would just have read permissions.

 

[WP]

Sounds a bit complicated to me.<br>
<br>
Why not just lock the fields that are to be read-only for a certain user group or groups.<br>
<br>
Below is the code:<br>
<br>
Notice that I have made read-only field blue on a grey background. This looks good on sunken fields.<br>
<br>
<br>
If glrIsMember(CurrentUser(), &quot;TheGroup&quot Then<br>
Field1.Locked=True<br>
Field1.Forecolor=vbBlue<br>
Field1.Backcolor=cGrey<br>
<br>
Field1.Locked=True<br>
Field1.Forecolor=vbBlue<br>
Field1.Backcolor=cGrey<br>
<br>
etc.<br>
Endif<br>
<br>
<br>
<br>
Global Const cGrey = 12632256<br>
<br>
Function glrIsMember(ByVal pstrUser As String, ByVal pstrGroup As String) As Integer<br>
<br>
' Check if a user account is a member of a group account.<br>
'<br>
' (From The Microsoft Access Developer's Handbook<br>
' by Ken Getz, Paul Litwin, and Greg Reddick, Sybex 1994)<br>
'<br>
' In:<br>
' pstrName: name of user account<br>
' pstrGroup: name of group account<br>
' Out:<br>
' Return value: True (is member) or False (not a<br>
' member or either account doesn't exist).<br>
' Example:<br>
' intIsMember = glrIsMember(&quot;Alicia&quot;, &quot;Librarians&quot<br>
<br>
On Error GoTo glrIsMemberErr<br>
<br>
Dim wrk As Workspace<br>
Dim usr As User<br>
Dim gru As Group<br>
Dim strMsg As String<br>
Dim intErrHndlrFlag As Integer<br>
Dim varGroupName As Variant<br>
Dim strProcName As String<br>
<br>
Const FLAG_SET_USER = 1<br>
Const FLAG_SET_GROUP = 2<br>
Const FLAG_CHK_MEMBER = 4<br>
Const FLAG_ELSE = 0<br>
<br>
strProcName = &quot;glrIsMember&quot;<br>
<br>
'Intialize return value<br>
glrIsMember = False<br>
<br>
'Initialize flag for determining<br>
'context for error handler<br>
intErrHndlrFlag = FLAG_ELSE<br>
<br>
Set wrk = DBEngine.Workspaces(0)<br>
<br>
'Refresh users and groups collections<br>
wrk.Users.Refresh<br>
wrk.Groups.Refresh<br>
<br>
intErrHndlrFlag = FLAG_SET_USER<br>
Set usr = wrk.Users(pstrUser)<br>
<br>
intErrHndlrFlag = FLAG_SET_GROUP<br>
Set gru = wrk.Groups(pstrGroup)<br>
<br>
intErrHndlrFlag = FLAG_CHK_MEMBER<br>
varGroupName = usr.Groups(pstrGroup).Name<br>
<br>
intErrHndlrFlag = FLAG_ELSE<br>
<br>
If Not IsEmpty(varGroupName) Then<br>
glrIsMember = True<br>
End If<br>
<br>
glrIsMemberDone:<br>
On Error GoTo 0<br>
Exit Function<br>
<br>
glrIsMemberErr:<br>
Select Case Err<br>
Case ERR_NAME_NOT_IN_COLLCTN<br>
Select Case intErrHndlrFlag<br>
Case FLAG_SET_USER<br>
strMsg = &quot;The user account '&quot; & pstrUser & &quot;' doesn't exist.&quot;<br>
Case FLAG_SET_GROUP<br>
strMsg = &quot;The group account '&quot; & pstrGroup & &quot;' doesn't exist.&quot;<br>
Case FLAG_CHK_MEMBER<br>
Resume Next<br>
Case Else<br>
strMsg = &quot;Error#&quot; & Err & &quot;--&quot; & Error$(Err)<br>
End Select<br>
Case ERR_NO_PERMISSION<br>
strMsg = &quot;You don't have permission to perform this operation.&quot;<br>
Case Else<br>
strMsg = &quot;Error#&quot; & Err & &quot;--&quot; & Error$(Err)<br>
End Select<br>
MsgBox strMsg, MB_ICONSTOP + MB_OK, &quot;Procedure &quot; & strProcName<br>
Resume glrIsMemberDone<br>
<br>
End Function<br>
<br>
<p>Bill Paton<br><a href=mailto:wpaton@neptune400.co.uk>wpaton@neptune400.co.uk</a><br><a href=

http://www.neptune400.co.uk>www.neptune400.co.uk</a><br>

 

[elizabeth]

You can just lock the fields on the form if you are not concerned about people entering data directly into the tables, or through queries, or through other forms.

 

[svegal]

I have Elizabeth's way working in a test case. With some clean up I can make it work. <br>
If I used Bill's suggestion, Is there a way to prevent users from accessing anything that can change the table except by using the form that has the records locked? <br>
<br>
Thanks to both of you for the help.

 

[elizabeth]

Here's a few ways, depending on the sophistication of your users, not in order of easiest or best answer first...<br>
1) Use Access security to make the table inaccessable to all groups, and put code behind the form to open the table &quot;with owner's permissions&quot;. <br>
2) Lock up the whole database by making it an MDE or using the ODE to shrink-wrap it.<br>
3) Turn on the table's &quot;Hidden&quot; property. <br>
<br>
Have Fun!!

 

[svegal]

I have the form set up with fields locked that already contain data. I also have several filters on the form to help users find the records they need. Everything is looking good and I am securing the database.<br>
<br>
How do I set up the form to open the table &quot; with owners permission&quot;? I can find in the on-line help how to do this with a query but not with a form.<br>
<br>
<br>
If I can get through this, I think I will start having fun!!

 

[elizabeth]

If the form locks the fields except to the proper group(s) you can let anyone open the form. Start having fun now

 

[svegal]

I want to secure the database as mentioned in your second posting on 2/17/2000 -- Use Access security to make the table inaccessable to all groups, and put code behind the form to open the table &quot;with owner's permissions&quot;.<br>
<br>
I can do the first part (use Access security to make the table inaccessable to all groups) but am having trouble figuring out how to put code behind the form to open the table &quot;with owner's permissions&quot;.<br>
<br>
If I understand this right the users will not be able to open the table to edit it. They will need to access it thru the form.

 

[elizabeth]

My understanding was that you could base the form on a query (also secured as the table) against the table and (assuming the owner is a member of the admin group) run that &quot;with owner's permissions&quot;. Let me know if it doesn't work; it's been awhile since I've used that option so it may be more complex than I remember. This would give you the back-end security to just lock the individual fields as WP suggests.<br>

 

[svegal]

Still having trouble but getting closer.<br>
<br>
I created a query in design view and put that query name as the record source in my form. Everything worked as long as the user had permission to read update and insert data in the query. If I took these permissions away the user could not add or change anything in the form.<br>
<br>
If I grant the user permission to read, update and insert data in the query then they can execute the query and change my table how ever they want to. <br>
<br>
Next, I copied the SQL code from the query and pasted it directly into the record source field on the form property sheet. Here is what I pasted in:<br>
<br>
SELECT [Drawing Approvals].Drawing_Number, [Drawing Approvals].Revision, [Drawing Approvals].[Production Number], [Drawing Approvals].By, [Drawing Approvals].Checked, [Drawing Approvals].Approved1, [Drawing Approvals].Approved2, [Drawing Approvals].Approved3, [Drawing Approvals].Approved4, [Drawing Approvals].[Approval's Complete]<br>
FROM [Drawing Approvals]<br>
WITH OWNERACCESS OPTION;<br>
<br>
It works for a user with permissions on the table but not if the user has no permissions on the table. It appears that the WITH OWNERACCESS OPTION is not working when I put the SQL code in the record source field on the form property sheet.<br>
<br>
Any suggestions?<br>
<br>
Thanks again for your help.

 

[elizabeth]

Sorry, I've led you down a blind alley <br>
<br>
I originally set up the following permissions for User group:<br>
table Table1 - Read Design, Read Data<br>
form Form1 - Open/Run, Read Design (RecordSource:<br>
SELECT Table1.* FROM Table1 WITH OWNERACCESS OPTION<br>
<br>
Results: as a member of the User group, I could<br>
open and read but not change data in Table1<br>
open and read <i>and change data</i> in Form1<br>
<br>
<b>BUT!</b>, before I began writing this I wondered if that user could write a query with user permissions against that table (no). In the process of testing, I noticed that user could <i>no longer</i> make changes to the data using Form1! Somehow between multiple sessions of jumping in and out as admin & user, I must not have been set to the all the permissions I applied. When you launch Access it asks for name & password, not when you open the db, so I think it's only reading updated permissions from system.mdw when Access launches, not when the db opens. <br>
<br>
So if you waded through all the above, my apologies; this does not work as I thought. Sigh. Depending on how desperate you are not to create separate Approval table(s), I am aware of (but have not used) two other features that might be of help. One is creating a backend database and securing it with a database-level password. I don't know how but you embed the password in your front end somewhere. This keeps people from overwriting your data, but not from linking to it or importing to it. Sounds like you're more interested in keeping it from being changed than in keeping it confidential. The other is to change permissions in code right in the app with the SetPermissions method.<br>
<br>
Good luck! Please post if you find a good security solution.<br>
<br>

 

[svegal]

The answer for the field level security can be found at:<br>
<br>
<A HREF="

http://support.microsoft.com/support/Access/Content/SECFAQ.asp#Item25"

TARGET="_new">

http://support.microsoft.com/support/Access/Content/SECFAQ.asp#Item25</A><br>

<br>
What you do is change the permissions for the record source of your form with code so that when the form is active the user has permission and when the form is deactivated the permission are taken away.<br>
<br>
I think I am going to try the first method (linking different tables together) above to see if it works better. If it works the way I think my users will be able to access the data any way they choose.<br>
<br>
I'm having fun now.