You've secured your database so that certain classes of users can't edit data using a particular form or run a specific report, but this doesn't prevent them from trying to open the form or report and receiving a permission error. You'd like your application to adjust itself based on the current user's security level. Is there any way to accomplish this?
Using VBA code, you can create a function that determines if the current user is a member of a security group. Based on the value this function returns, you can change any runtime property of any form or control, thus adapting your application to the user's security level.
Because this solution makes use of Access Security, you'll need to join the workgroup you created when you secured the database before you can try the sample database.
Now start Access. You will be prompted for a username and password. Enter the name of a user from the Solution in Recipe 10.1s Table 10-1. With the exception of the Paul and Admin accounts, the passwords for these are blank. (The passwords for the built-in Admin account and the Paul account are both "password"; note that case is significant.)
Load 10-06.MDB and open the frmSwitchboard form. Depending on which user you logged in as, you will see either a Manager-, Programmer-, or Default-level form. For example, Manager-level users will see two Manager buttons and a Close button. In addition, a Close menu item will be included in the File menu. In contrast, a member of the Programmers group will see two Programmer buttons, no Close button, and no File Close menu item.
To implement this system in your own database, follow these steps:
Import the basGroupMember module into your database.
For each form you want to customize at runtime based on the user's group membership, attach an event procedure to the form's Open event that calls the acbAmMemberOfGroup function one or more times within an If...Then statement. Because users can be members of more than one group, you need to check for membership in the "highest"-level groups first, in decreasing order of security level.
File Close menu available?
Manager #1Manager #2Close
Manager Main Menu
Programmer #1Programmer #2
Programmer Main Menu
Default #1Default #2
Default Main Menu
Once you have determined the security level for the currently logged-in user, selectively hide and unhide controls on the form to suit your application's needs. You might also want to alter the caption of labels or other controls or customize other aspects of the form's look and feel. Finally, you can customize the menus for the form by changing the form's MenuBar property to point to different sets of menu macros. We have done all of this in the sample frmSwitchboard form. The runtime customizations to frmSwitchboard are summarized in Table 10-15.
The code that drives this customization process for frmSwitchboard is shown here:
Private Sub Form_Open(Cancel As Integer) ' Adapt switchboard to match level of logged in user. ' Because users can be members of more than one group, ' you need to check membership in decreasing order ' starting with the highest-level group. If acbAmMemberOfGroup("Managers") Then Me.cmdManager1.Visible = True Me.cmdManager2.Visible = True Me.cmdProgrammer1.Visible = False Me.cmdProgrammer2.Visible = False Me.cmdDefault1.Visible = False Me.cmdDefault2.Visible = False Me.cmdClose.Visible = True Me.lblMenu.Caption = "Manager Main Menu" ElseIf acbAmMemberOfGroup("Programmers") Then Me.cmdManager1.Visible = False Me.cmdManager2.Visible = False Me.cmdProgrammer1.Visible = True Me.cmdProgrammer2.Visible = True Me.cmdDefault1.Visible = False Me.cmdDefault2.Visible = False Me.cmdClose.Visible = False Me.lblMenu.Caption = "Programmer Main Menu" Else Me.cmdManager1.Visible = False Me.cmdManager2.Visible = False Me.cmdProgrammer1.Visible = False Me.cmdProgrammer2.Visible = False Me.cmdDefault1.Visible = True Me.cmdDefault2.Visible = True Me.cmdClose.Visible = False Me.lblMenu.Caption = "Default Main Menu" End If End Sub
By default, the form is saved with the least-secure options set; if anything goes wrong, this provides a little extra assurance. When any user opens frmSwitchboard, the Load event procedure is called, and the form's look and feel is customized on the fly. Group membership is determined using the acbAmMemberOfGroup function found in basGroupMember:
Public Function acbAmMemberOfGroup(strGroup As String) Dim wrk As DAO.Workspace Dim usr As DAO.User Dim strTest As String Set wrk = DBEngine.Workspaces(0) ' Refresh collections to stay in synch with ' Access UI wrk.Users.Refresh wrk.Groups.Refresh ' Set up pointer to current user Set usr = wrk.Users(CurrentUser( )) ' Handle errors in line On Error Resume Next ' If any property of the Groups collection ' using the passed-in group works then we're ' a member. Otherwise an error will occur ' and we can assume we are not a member. strTest = usr.Groups(strGroup).Name acbAmMemberOfGroup = (Err.Number = 0) Err.Clear End Function
This function is simple: it determines if a user is a member of a group by setting a pointer to the Users collection of the current user and then attempts to get the name of the group in the Groups collection of that user. If this fails, the user is not a member of the group in question. If it succeeds, the user must be a member of the group. See the Solution in Recipe 10.5 for more details on the programmatic manipulation of user and group collections.
We could have based the form customizations on the name of the current user using the built-in CurrentUser function, but this requires us to consider each user individually, which should be avoided if possible. It's much easier to manage groups of users rather than individual users. Still, you can always add more tests to the If...Then statement in the Load event procedure.
It's important that you include an Else clause in the If...Then statement of the Load event procedure to handle users who are not members of any of the groups for which you have tested. In the sample event procedure, we have tested for membership in only the Managers and Programmers groups. Any users who are not members of either group are handled by the Else clause.
You can use this technique to alter any runtime property in response to the user's group membership, including:
Whether certain menu items appear.
Whether certain controls are visible, and therefore active.
What query a form is based on; some users can see more records than others.
What data entry controls are visible; some users can enter more fields than others.
What toolbars are shown.