In a multi-user database, how to restrict access to records

Problem
In a multi-use database, how do I restrict a user from having access to certain records and allow it for others.
The scenario is as follows:
The database handles records for a mental health organization.
According to HIPPA regulations (new law passed about security of medical records), a clinician should only have access to those clients assigned to him/her.
How do I allow this clinician to have access to his/her clients records while blocking access to those clients not assigned to him/her.

--
The fun is not in the speed but the sudden stops!!!

If the clinician logs in to the database using a userid and password, then
this would be fairly simple. Do the patient records have a field where the
cinician's userid is entered? If so, just base your forms on a query and in
the criteria under the clinician field, put...

=CurrentUser()


This will only pull records assigned to the currently signed on user.

This will not prevent them from simply opening the table and seeing all
records, or running any reports or queries that you have built that might
show them all records. There is much more to be done for that. You would
need to take away all table, query, and report access. Then let them have
access only to the forms and reports they would need to run. The queries
upon which the tables and reports were based, would need to be set to run
using the owner's permissions.

Post back with more detailed questions as you run into them.

Adn yes, please just post to one group, or copy the same message to multiple
groups. You don't need multiple people answering your questions.

Thanks,

Rick B


"Bikerman" wrote in message
...
Problem
In a multi-use database, how do I restrict a user from having access to
certain records and allow it for others.
The scenario is as follows:
The database handles records for a mental health organization.
According to HIPPA regulations (new law passed about security of medical
records), a clinician should only have access to those clients assigned to
him/her.
How do I allow this clinician to have access to his/her clients records
while blocking access to those clients not assigned to him/her.

--
The fun is not in the speed but the sudden stops!!!

"=?Utf-8?B?QmlrZXJtYW4=?=" wrote in
:

In a multi-use database, how do I restrict a user from having access
to certain records and allow it for others.

The standard answer to this is to use Access user security.

You remove all permissions from the tables for the users, but control read/
write access to the data with RWOP queries. What this means (Run With Owner
Permission) is that the you (as Admim) have permission to see the tables,
and you grant the users permission to see the data through those queries.
Thus, you can restrict which fields and which records they can have access
to. It's easier to understand than to explain!

Access security is admittedly not for the faint-hearted, and you need to
understand the processes involved (worst case scenario is to lock yourself
out of your own data!) but is pretty secure and very flexible. More details
in help files, or on MSDN site.

Hope that helps


Tim F

just read this and it seems almost exactly like what I need for my database

however, how do you set it up to have multiple users so that they need to
log on when opening the database/form?


"Rick B" wrote:

If the clinician logs in to the database using a userid and password, then
this would be fairly simple. Do the patient records have a field where the
cinician's userid is entered? If so, just base your forms on a query and in
the criteria under the clinician field, put...

=CurrentUser()


This will only pull records assigned to the currently signed on user.

This will not prevent them from simply opening the table and seeing all
records, or running any reports or queries that you have built that might
show them all records. There is much more to be done for that. You would
need to take away all table, query, and report access. Then let them have
access only to the forms and reports they would need to run. The queries
upon which the tables and reports were based, would need to be set to run
using the owner's permissions.

Post back with more detailed questions as you run into them.

Adn yes, please just post to one group, or copy the same message to multiple
groups. You don't need multiple people answering your questions.

Thanks,

Rick B


"Bikerman" wrote in message
...
Problem
In a multi-use database, how do I restrict a user from having access to
certain records and allow it for others.
The scenario is as follows:
The database handles records for a mental health organization.
According to HIPPA regulations (new law passed about security of medical
records), a clinician should only have access to those clients assigned to
him/her.
How do I allow this clinician to have access to his/her clients records
while blocking access to those clients not assigned to him/her.

--
The fun is not in the speed but the sudden stops!!!

You would have to implement user-level security. This is no simple task
(the first few times). I'd suggest you read the following links several
times and make a backup or two before you start.

Rick B

Security
Security FAQ

http://support.microsoft.com/?id=207793



The Security Whitepaper is also worth reading to help you understand.

http://support.microsoft.com/?id=148555



Joan Wild:

www.jmwild.com/AccessSecurity.htm



Lynn Trapp

http://www.ltcomputerdesigns.com/Security.htm



"adrian" wrote in message
...
just read this and it seems almost exactly like what I need for my
database

however, how do you set it up to have multiple users so that they need to
log on when opening the database/form?


"Rick B" wrote:

If the clinician logs in to the database using a userid and password,
then
this would be fairly simple. Do the patient records have a field where
the
cinician's userid is entered? If so, just base your forms on a query
and in
the criteria under the clinician field, put...

=CurrentUser()


This will only pull records assigned to the currently signed on user.

This will not prevent them from simply opening the table and seeing all
records, or running any reports or queries that you have built that
might
show them all records. There is much more to be done for that. You
would
need to take away all table, query, and report access. Then let them
have
access only to the forms and reports they would need to run. The
queries
upon which the tables and reports were based, would need to be set to
run
using the owner's permissions.

Post back with more detailed questions as you run into them.

Adn yes, please just post to one group, or copy the same message to
multiple
groups. You don't need multiple people answering your questions.

Thanks,

Rick B


"Bikerman" wrote in message
...
Problem
In a multi-use database, how do I restrict a user from having access to
certain records and allow it for others.
The scenario is as follows:
The database handles records for a mental health organization.
According to HIPPA regulations (new law passed about security of medical
records), a clinician should only have access to those clients assigned
to
him/her.
How do I allow this clinician to have access to his/her clients records
while blocking access to those clients not assigned to him/her.

--
The fun is not in the speed but the sudden stops!!!

=?Utf-8?B?YWRyaWFu?= wrote in
:

In a multi-use database, how do I restrict a user from having access
to certain records and allow it for others.

If the clinician logs in to the database using a userid and password,
then this would be fairly simple. Do the patient records have a
field where the cinician's userid is entered? If so, just base your
forms on a query and in the criteria under the clinician field,
put...

just read this and it seems almost exactly like what I need for my
database

Sorry I missed the original post. The answer to this is to use proper
database security.

1) Access user-level security can completely tie up the data so that
individuals can only see what you want them to, down to row and field
level. The idea is to remove _all_ privileges from the base tables, then
use Queries with RWOP to provide all access: as long as you can define
the query that selects the correct records, then you can restrict the
user to those records and fields.

2) You may well feel that the prevalence of security-busting utilities on
the Net makes Access an unsuitable container for highly confidential
data. Most civilised countries have serious laws about data protection
and you could be looking at a big chunk of your life sowing mailbags if
it goes wrong. Rightly so, too, in my view. Your organisation would be
well advised to look at a properly-administered DBMS like SQL Server etc
for the back end, in order to save itself a lot of money.

Hope that helps



Tim F