How permissions work and who can assign them
This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.
There are two types of permissions: explicit and implicit. Explicit permissions are those permissions that are granted directly to a user account; no other users are affected. Implicit permissions are those permissions that are granted to a group account. Adding a user to that group grants the group's permissions to that user; removing a user from the group takes away the group's permissions from that user.
When a user attempts to perform an operation on a secured database object, that user's set of permissions are based on the intersection of that user's explicit and implicit permissions. A user's security level is always the least restrictive of that user's explicit permissions and the permissions of any and all groups to which that user belongs. For this reason, the least complicated way to administer a workgroup is to create new groups and assign permissions to the groups, rather than to individual users. Then you can change individual users' permissions by adding or removing them from groups. Also, if you need to grant new permissions, you can grant them to all members of a group in a single operation.
Permissions can be changed for a database object by:
Members of the Admins group of the workgroup information file in use when the database was created.
The owner of the object.
Any user who has Administer permission for the object.
Even though users might not be able to currently perform an action, they might be able to grant themselves permissions to perform the action. This is true if a user is a member of the Admins group, or if a user is the owner of an object.
The user who creates a table, query, form, report, or macro is the owner of that object. The same group of users that can change permissions can change the ownership of these objects by using the User And Group Permissions command on the Security submenu (Tools menu), or they can re-create these objects. To re-create these objects, you do not have to start from scratch. You can make a copy of the object, or import it or export it to another database. If you want to secure an entire database, this is the easiest way to transfer the ownership of all of these objects, including the database . The best way to secure an entire database is by using the User-Level Security Wizard, which creates a new database and imports all objects into it.
Note Copying, importing, or exporting doesn't change the ownership of queries that has its RunPermissions property set to Owner's. You can change ownership of a query only if its RunPermissions property is set to User's.
For information on types of permissions, click aa170308(v=office.10).md.