Ms Access 2007 Tutorial Pdf With Examples

Monica Okane

Aug 3, 2024, 3:41:51 PM
to sesigncarco

Microsoft Access is a Database Management System (DBMS) from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface and software-development tools. It is a part of the Microsoft Office suite of applications, included in the professional and higher editions. This is an introductory tutorial that covers the basics of MS Access.

This tutorial is designed for those people who want to learn how to start working with Microsoft Access. After completing this tutorial, you will have a better understanding of MS Access and how you can use it to store and retrieve data.

It is a simple and easy-to-understand tutorial. There are no set prerequisites as such, and it should be useful for any beginner who wants to acquire knowledge of MS Access. However, it will definitely help if you are aware of some basic concepts of a database, especially RDBMS concepts.

This tutorial teaches you how to use a role to delegate access to resources in different AWS accounts called Destination and Originating. You share resources in one account with users in a different account. By setting up cross-account access in this way, you don't have to create individual IAM users in each account. In addition, users don't have to sign out of one account and sign in to another account to access resources in different AWS accounts. After configuring the role, you see how to use the role from the AWS Management Console, the AWS CLI, and the API.

In this tutorial, the Destination account manages application data accessed by different applications and teams. In each account, you store application information in Amazon S3 buckets. You manage IAM users in the Originating account, where you have two IAM user roles: Developers and Analysts. Developers and Analysts use the Originating account to generate data shared by multiple microservices. Both roles have permissions to work in the Originating account and access resources there. From time to time, a developer must update the shared data in the Destination account. The developers store this data in an Amazon S3 bucket called shared-container.

Developers can use the role in the AWS Management Console to access the shared-container bucket in the Destination account. They can also access the bucket by using API calls authenticated by temporary credentials provided by the role. Similar attempts by an Analyst to use the role fail.

First, you use the AWS Management Console to establish trust between the Destination account (ID number 999999999999) and the Originating account (ID number 111111111111). You start by creating an IAM role named UpdateData. When you create the role, you define the Originating account as a trusted entity and specify a permissions policy that allows trusted users to update the shared-container bucket.

In this section, you modify the role policy to deny Analysts access to the UpdateData role. Because Analysts have PowerUser access in this scenario, you must explicitly deny the ability to use the role.

Finally, as a Developer, you use the UpdateData role to update the shared-container bucket in the Destination account. You see how to access the role through the AWS console, the AWS CLI, and the API.

IAM roles and resource-based policies delegate access across accounts only within a single partition. For example, assume that you have an account in US West (N. California) in the standard aws partition. You also have an account in China (Beijing) in the aws-cn partition. You can't use an Amazon S3 resource-based policy in your account in China (Beijing) to allow access for users in your standard aws account.

You can use AWS IAM Identity Center to facilitate single sign-on (SSO) for external AWS accounts (accounts outside your AWS Organizations) using Security Assertion Markup Language (SAML). For details, see Integrate external AWS accounts into AWS IAM Identity Center for central access management with independent billing using SAML 2.0.

If you want to have an application assume a role in another AWS account, you can use the AWS SDK for cross account role assumption. For more information, see Authentication and access in the AWS SDKs and Tools Reference Guide.

Switching roles using the AWS Management Console only works with accounts that do not require an ExternalId. For example, assume that you grant access to your account to a third party and require an ExternalId in a Condition element in your permissions policy. In that case, the third party can access your account only by using the AWS API or a command line tool. The third party cannot use the console because it cannot supply a value for ExternalId. For more information about this scenario, see How to use an external ID when granting access to your AWS resources to a third party, and How to enable cross account access to the AWS Management Console in the AWS Security Blog.

An Amazon S3 bucket created in the Destination account. You can call it shared-container in this tutorial, but because S3 bucket names must be globally unique, you must use a bucket with a different name.

You can allow users from one AWS account to access resources in another AWS account. In this tutorial, we'll do this by creating a role that defines who can access it and what permissions it grants to users that switch to it.

In this step of the tutorial, you create the role in the Destination account and specify the Originating account as a trusted entity. You also limit the role permissions to only read and write access to the shared-container bucket. Anyone granted permission to use the role can read and write to the shared-container bucket.

You want to set read and write access to the shared-container bucket. Although AWS provides some Amazon S3 managed policies, there isn't one that provides read and write access to a single Amazon S3 bucket. You can create your own policy instead.

The ListAllMyBuckets action grants permission to list all buckets owned by the authenticated sender of the request. The ListBucket permission allows users to view objects in the shared-container bucket. The GetObject, PutObject, and DeleteObject permissions allow users to view, update, and delete contents in the shared-container bucket.

For now you do not need to require an external ID, or require users to have multi-factor authentication (MFA) in order to assume the role. Leave these options unselected. For more information, see Using multi-factor authentication (MFA) in AWS.

For Filter, choose Customer managed to filter the list to include only the policies that you created. This hides the AWS created policies and makes it much easier to find the one you need.

Now you must obtain the Amazon Resource Name (ARN) of the role, a unique identifier for the role. When you modify the Developer's role in the Originating account, you specify the role ARN from the Destination account to grant or deny permissions.

At this point, you have established trust between the Destination and Originating accounts. You did this by creating a role in the Destination account that identifies the Originating account as a trusted principal. You also defined what the users who switch to the UpdateData role can do.

At this point, both Analysts and Developers have permissions that allow them to manage data in the Originating account. Use the following required steps for adding permissions to allow switching to the role.

Add the following policy statement to allow the AssumeRole action on the UpdateData role in the Destination account. Be sure that you change DESTINATION-ACCOUNT-ID in the Resource element to the actual AWS account ID of the Destination account.

In most environments, you may not need the following procedure. If, however, you use PowerUserAccess permissions, then some groups might already be able to switch roles. The following procedure shows how to add a "Deny" permission to the Analysts group to ensure that they cannot assume the role. If you do not need this procedure in your environment, then we recommend that you do not add it. "Deny" permissions make the overall permissions picture more complicated to manage and understand. Use "Deny" permissions only when you do not have a better option.

Add the following policy statement to deny the AssumeRole action on the UpdateData role. Be sure that you change DESTINATION-ACCOUNT-ID in the Resource element to the actual AWS account ID of the Destination account.

After completing the first two steps of this tutorial, you have a role that grants access to a resource in the Destination account. You also have one role in the Originating account with users allowed to use that role. This step discusses how to test switching to that role from the AWS Management Console, the AWS CLI, and the AWS API.

If David needs to update data in the Destination account in the AWS Management Console, he can do so by using Switch Role. He specifies the account ID or alias and the role name, and his permissions immediately switch to those permitted by the role. He can then use the console to work with the shared-container bucket, but cannot work with any other resources in Destination. While David uses the role, he also cannot make use of his power-user privileges in the Originating account. That's because only one set of permissions can be in effect at a time.

David receives a link from their administrator that points to a predefined Switch Role configuration. The link is provided to the administrator on the final page of the Create role wizard or on the Role Summary page for a cross-account role. Choosing this link takes David to the Switch Role page with the Account ID and Role name fields already filled in. All David needs to do is choose Switch Roles.

The administrator does not send the link in email, but instead sends the Account ID number and Role Name values. To switch roles, David must manually enter the values. This is illustrated in the following procedure.
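
The policies this tutorial describes (read/write on shared-container for the UpdateData role, an Allow on sts:AssumeRole for Developers, and a Deny for Analysts) are sketched below as an added example; it is not code from the original post or from AWS. The policy documents are written from the tutorial's description, `POWER_USER` is a constructed stand-in for power-user permissions, and `evaluate` is a simplified model of identity-policy evaluation that ignores conditions, the role's trust policy and other policy types.

```python
from fnmatch import fnmatchcase

# Account ID, role and bucket names are the tutorial's; the policy JSON is reconstructed here.
ROLE_ARN = "arn:aws:iam::999999999999:role/UpdateData"
BUCKET = "arn:aws:s3:::shared-container"

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

ALLOW_ASSUME = policy({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN})
DENY_ASSUME = policy({"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ROLE_ARN})
# Constructed stand-in for power-user permissions: everything except account administration.
POWER_USER = policy({"Effect": "Allow", "Resource": "*",
                     "NotAction": ["iam:*", "organizations:*", "account:*"]})
# Permissions policy attached to UpdateData: read/write on one bucket only.
READ_WRITE_BUCKET = policy(
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Resource": BUCKET + "/*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]})

def _any(patterns, value, fold=False):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold:  # action names are case-insensitive, ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Simplified model: explicit Deny wins, then any Allow, otherwise implicit deny."""
    allowed = False
    for doc in policies:
        for st in doc["Statement"]:
            if "NotAction" in st:
                hit = not _any(st["NotAction"], action, fold=True)
            else:
                hit = _any(st["Action"], action, fold=True)
            if not (hit and _any(st["Resource"], resource)):
                continue
            if st["Effect"] == "Deny":
                return "explicit-deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"

def can_assume(identity_policies):
    return evaluate(identity_policies, "sts:AssumeRole", ROLE_ARN)

if __name__ == "__main__":
    print("Developers:", can_assume([ALLOW_ASSUME]))
    print("Analysts, power-user only:", can_assume([POWER_USER]))
    print("Analysts, with Deny:", can_assume([POWER_USER, DENY_ASSUME]))
```

The second result is why the Deny statement exists: broad power-user permissions already cover sts:AssumeRole, so only an explicit Deny keeps Analysts out of the role.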
