I could probably write a book on this subject lol.
The easiest way that I find is to do several things:
1 - Create a user access table with usernames, rights levels and a checkbox option for access (uncheck it and they can't open the db).
2 - Create a custom menu bar. Disable all other menu bars and shortcut bars, depending on the level of control you want.
3 - Utilize a front end and a back end. Back end will be your data tables needed for this - user access table, whatever other tables you need, etc. Front end will link to tables in the back end and will house all of your forms, queries, reports, etc. as well as code. There should be NO CODE or anything other than tables in your back end. Possibly a bit of code to prevent the back end from being opened by anyone other than yourself or others assigned to maintain it, but other than that, nothing. The back end should also be password protected to prevent someone maybe accidentally opening it and doing something.
4 - For SQL - the best thing to do is to create the SQL connections in the VBA code only after your program has determined that a user is authorized to open it - you can also limit some people to only certain SQL tables, etc.
5 - Be sure to use MDE files for end user computers. If these are hacked apart they could get to objects - but not the SQL tables. They COULD get access to the VBA code but it is not simple at all unless they pay a company to do it that has already developed software to reconstruct VBA from an MDE.
6 - Using the database options you can prevent it from showing the database window which lists the forms, tables, etc. Also be sure to disable the hot keys like the shift bypass and alt-F11 keys in here.
So basically what your program will need to do is upon opening - check the username against the user access table. If they have no access - it quits the application. This only works if you are on a network so that nobody can just login with whatever username they want. If you aren't on an actual network with server (domain) then you may want to assign usernames/passwords and have them have to type that in and then authenticate.
If they have access - it can check what access level depending on what you want them to be able to do, and show/hide the different menus on your custom menu bar to only allow access to certain forms/reports/whatever.
Also at this point it would create the connections to the SQL tables if they have access.
This is a very simplistic overview but I feel this is one of the most secure ways to control access to Access databases.