Understanding Database Object Ownership

The user who creates an object becomes the owner of the object. (Access calls the owner of an object the object's creator.) Object owners have special status within the Access security system. The following sections briefly describe owners' permissions and how to change the ownership of database objects. A more detailed description of object ownership is contained in the file SECURE.ZIP, written for Access 2.0, that you can download from the MSACCESS forum on CompuServe.

Establishing Owner Permissions for Objects

The owner of an object has full (Administer) permissions for the object. No other user, including members of the Admins group, can alter the object owner's permissions for the object directly. For example, the Admin user is the owner of all the database objects in Northwind.mdb. Thus, anyone who uses the Admin user account has full permissions for all objects in Northwind.mdb. This is one reason for assigning a password for the Admin account.

When a user other than the object's creator adds a new object to the database or to one of the existing objects in the database, this user becomes the owner of the object. For example, if user Margaret adds a control object to a form created by Larry, Margaret is the owner of the control object, not Larry. Mixed ownership of objects can lead to bizarre situations, such as the inability of the owner of a query to execute the query because the owner of the underlying tables has changed. (You can overcome this problem, however, by adding the WITH OWNERACCESS OPTION to the Jet SQL statement for the query or by changing the Run Permissions property of the query from User's to Owner's.)

When you create new database objects with the default Admin user ID, anyone else who has a retail copy of Access 97 and uses the default Admin user ID also has full permissions for these objects. Thus, when you begin developing an application that you intend to share with others or that you want to prevent others from using or modifying, create a new account in the Admins group as described earlier in the chapter. Use your new Admins account when you create new applications.

Changing the Ownership of Database Objects

Following are the three methods of changing the ownership of existing Access database objects:

• Create a new database file, and then choose F ile, Get External Data, Import. Open the .mdb file containing the objects, and import all the objects into the new .mdb file. The user who creates the new .mdb file becomes the owner of the imported objects.

• Use the Change Owner page of the User and Group Permissions dialog.

• Use the Security Wizard to create a new secure database file, import the objects, and then encrypt the new database.

The following two sections describe the second and third methods for changing database object ownership.

Using Access 97's Change Owner Feature. To use the Change Owner feature that originated in Access 95, you must be a member of the Admins group for the database and must follow these steps:

1.	Open the database containing the objects whose ownership you want to change.
2.	Choose T ools, Security, User and Group Permissions to open the User and Group Permissions dialog, and then click the Change Owner tab.
3.	Choose the class of object you want to change in the Object Type drop-down list.
4.	If you want to change the ownership of all objects of the selected class, select the first item in the Object list, move to the bottom of the list, and Shift+click the last item of the list.
5.	Select the new owner's name from the New Owner drop-down list.
6.	Click the Change Owner button to change the ownership of the selected items, from Admin to RogerJ in this example (see Figure 24.32).
7.	Repeat steps 3–6 for each class of objects whose ownership you want to change.

The preceding process is the fastest way to remove permissions of the Admin user accrued from ownership of the original objects.

Using the Security Wizard. You can change the ownership of all objects in a database for which you have Administer permissions by importing all the objects into a new database you create with a user ID other than Admin. Access 2.0 made it easy to import the database objects from one .mdb file into another .mdb file with its Import Database add-in. Access 97's Security Wizard goes the Import Database add-in one better by letting you choose the database objects to secure and encrypting the new secure copy of the database in a single (long) step. The Security Wizard automatically imports every object in the source database into the new encrypted destination database.

To test the Security Wizard, follow these steps:

1.	If you aren't logged on to Access, launch it and log on with your new user ID that includes Admins group membership and open the database to secure—NwindData.mdb in this case.
2.	Choose T ools, Security, User-Level Security Wizard to display the Security Wizard's opening dialog.
3.	Clear the check box that corresponds to the class of database objects that you don't want to make secure (see Figure 24.33). If you want to secure all database objects, accept the wizard's default. Figure 24.33. Setting the types of objects to secure in the new database.
4.	Click OK to open the Destination Database dialog. Select the folder in which to store the new secure database file and give the file a new name. The default is Secure database.mdb (see Figure 24.34). Figure 24.34. Specifying the path and file name for the new secure database file.
5.	Click the Save button to put the Security Wizard to work. After a few seconds, the message shown in Figure 24.35 appears, indicating successful creation of the new secure database. Click OK to close the dialog.

The owner of all the objects in the new database is the user ID you used when you opened the source database. Only members of the Admins group have access of any kind to the newly secured database.