When you install Microsoft Access and open a database for
the first time, a file named System.mdw is created. This is the default
workgroup information file.
By default, on computers that are running
Microsoft Windows 2000, the System.mdw file is created in the user profile in
the following path:
C:\Documents and Settings\<user name>\Application Data\Microsoft\Access\System.MDW
NOTE: The Application Data folder is a hidden folder.
On computers that are running Microsoft Windows 98, the default
System.MDW file is created in the following path:
C:\Windows\Application Data\Microsoft\Access\System.MDW
The workgroup information file is a required component when you
use a Microsoft Access database (MDB). This file is required for both a
run-time installation and a full installation of Microsoft Access. This file is
an important component of Microsoft Access security.
If you develop
database applications, it is important that you have a good understanding of
the workgroup information file. It is a good idea to reserve the last phase of
the development process for applying security in Access. Until then, you can
develop the database application in an unsecured database.
A workgroup is a group of users who share data in a multiuser environment. When
security is implemented on a database, the user and group accounts are recorded
in the workgroup information file. User passwords are also stored in the
workgroup information file.
IMPORTANT: If you establish Access security in a database, Microsoft
recommends that you store a backup copy of the workgroup information file in a
safe location. If the file is lost or damaged, the only way to recover the
workgroup information file quickly is to restore the file from a backup copy.
If you do not have a backup copy, you must re-create the User and Group
Accounts with the same Personal IDs that were originally assigned. If the new
workgroup information file is not created exactly as the original file, you
will not be able to open the database with the workgroup file.
Access uses the workgroup information file even when the database has not been
secured. The default Admin user account, which is stored in the workgroup
information file, is used to open all unsecured databases. If you assign a
password to the Admin user, you will receive a logon prompt when you reopen the
database.
For additional information about securing a Microsoft Access
database, see the following article in the Microsoft Knowledge Base:
289885 How to help protect a Microsoft Access Database
Access security is based on a hierarchy of
Groups, Users and Database objects (forms, reports, queries, and so on).
Groups and Users
Groups are collections of users who typically, but not
always, have the same role in a shared database. You may want to grant some
users more control than others. To administer users who you want to have
different levels of permissions, it is recommended that you place the users
into separate groups based on their roles and assign permissions to the group
rather than to the individual user.
Users are individuals who will
work with all or part of the database. A user can belong to more than one
group. It is important to remember that if any user is a member of two or more
groups, that user will have the most liberal permissions assigned to any of the
groups to which they belong.
The workgroup information file stores
the User and Group information. Each user account is created with a user logon,
a password, and a Personal ID. Each Group is created with a group name and
Workgroup ID. That information is stored in the workgroup information
file.
Database Objects
Each Database Object has an owner and a series of permissions
that must be set at the Group level or the individual User level.
If the database administrator creates groups to cluster users who work in the same
capacity and will have the same permissions on all objects, it is far easier to
assign permissions at the group level than to try to administer individual user
accounts over the whole company. If the permissions are assigned to the group,
they will extend to each and every member of that group. Therefore, the
database administrator can easily set up a new user account, assign that user
to the proper group, and have the new user proceed immediately. The group
permissions will govern the user's activities automatically.
Permissions
Permissions are granted to groups and users to regulate how they
are allowed to work with each table, query, form, report, and macro in a
database. With permissions, the user or group can create, view, modify, or
delete objects already created. Users inherit the permissions of the groups to
which they are assigned.
NOTE: It is not a good idea to allow users to make design changes in a
production database. Microsoft recommends that design changes are made only to
the developer's copy of the secured database. The secured database can then be
redistributed.
Permissions and the ownership of the database objects
are stored in the database. Because permissions and ownership are always
associated with the user and group accounts that are stored in the workgroup
information file, the secured application must always be able to point to the
specific workgroup information file that it was secured with.
When you are working with more than one Access database from the same workstation or
server, it is possible to use multiple workgroup information files. One
database may be secured while others are not. Each database may have its own
separate security scheme. After the Access application has been secured, the
workgroup information file used while setting up the security is the only
workgroup information file that the database will work with. The workgroup
information file can be copied to each local workstation or shared across the
network.
WORKGROUP FILE ADMINISTRATION
The developer or application administrator can create additional
workgroup information files by starting the Workgroup Administrator from the
Access menus. On the Tools menu in Access, point to Security, and then click
Workgroup Administrator.
Note that the Workgroup Administrator shows the
location of the current workgroup information file. The Workgroup Administrator
is designed to create or join workgroup information files. Joining a specific
workgroup information file makes the file the default workgroup file when
Microsoft Access is started by one of the following methods:
- From the Programs menu in Microsoft Windows.
- From a Desktop shortcut to the database file.
- Through file association when you double-click the database
file in Windows Explorer.
The user can use the default workgroup information file or can
force Access to use a secured workgroup information file created for a specific
database. To associate specific secured database files with their workgroup
information files, you must create desktop shortcuts. Each desktop shortcut
must have the Command-Line option set to start a specific database and use the specific
workgroup information file secured with that database.
To start a
secured Access database named MyApp.mdb in a folder named MyAppFolder with the
workgroup information file used when establishing security on MyApp.mdb, the
command-line syntax must include the /WrkGrp command-line switch, for example:
"C:\Program Files\Microsoft Office\Office\MSAccess.Exe" "C:\MyAppFolder\MyApp.MDB" /wrkgrp "C:\MyAppFolder\System.MDW"
You can create a shortcut and enter this syntax as the target of
the shortcut.
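The following PowerShell sketch is an added example, not part of the original article. It creates such a shortcut through the Windows Script Host WScript.Shell object and lists existing shortcuts that start Access or an MDB file without /wrkgrp, which therefore fall back to the default workgroup information file. The function names are hypothetical, and the paths in the sample call are the sample values used above.

```powershell
# Added example. Function names are hypothetical; adjust paths to your installation.
function New-SecuredAccessShortcut {
    param(
        [Parameter(Mandatory)] [string] $AccessExe,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $WorkgroupFile,
        [Parameter(Mandatory)] [string] $ShortcutPath
    )
    # Refuse to create a shortcut that points at a missing file.
    foreach ($p in $AccessExe, $Database, $WorkgroupFile) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "File not found: $p" }
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath = $AccessExe
    # Quote both paths so folders with spaces are passed as single arguments.
    $lnk.Arguments = '"{0}" /wrkgrp "{1}"' -f $Database, $WorkgroupFile
    $lnk.WorkingDirectory = Split-Path -Parent $Database
    $lnk.Save()
    return $lnk.FullName
}

function Find-AccessShortcutWithoutWorkgroup {
    param([string] $Folder = [Environment]::GetFolderPath('Desktop'))
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Folder -Filter *.lnk | ForEach-Object {
        # CreateShortcut on an existing .lnk file loads its current settings.
        $lnk = $shell.CreateShortcut($_.FullName)
        $startsAccess = ($lnk.TargetPath -match 'msaccess\.exe$')
        $opensMdb = ($lnk.TargetPath -match '\.mdb$') -or ($lnk.Arguments -match '\.mdb')
        if (($startsAccess -or $opensMdb) -and ($lnk.Arguments -notmatch '/wrkgrp')) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    }
}

# Sample call using the article's sample paths (uncomment on a machine where they exist):
# New-SecuredAccessShortcut -AccessExe 'C:\Program Files\Microsoft Office\Office\MSAccess.Exe' `
#     -Database 'C:\MyAppFolder\MyApp.MDB' -WorkgroupFile 'C:\MyAppFolder\System.MDW' `
#     -ShortcutPath (Join-Path ([Environment]::GetFolderPath('Desktop')) 'MyApp.lnk')
# Find-AccessShortcutWithoutWorkgroup | Format-Table -AutoSize
```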
For additional information about Startup Command-Line
Options, see the following article in the Microsoft
Knowledge Base:
209207 ACC2000: How to Use Command-Line Switches in Microsoft Access
Workgroup Information File Name
You can give the workgroup information file a different name than
the default name of System.mdw. Developers often name the workgroup information
file the same name as the database it is securing in order to distinguish it
quickly from other MDW files and to associate it with the correct database
file.
Another method for managing multiple workgroup
information files is to place a copy of the correct workgroup information file
in the same folder as the database that it is associated with.
Additional or new copies of the System.mdw file can be created to use with your
specific databases. If you accidentally "secure" the default copy of
System.mdw, you can copy it to the application folder and then create a new
System.mdw in the default path. To create a new workgroup information file,
follow these steps:
- Start Microsoft Access without opening any specific
database.
- On the Tools menu, point to Security, and then click Workgroup Administrator.
- Click Create in the dialog box that appears.
- In the Workgroup Owner Information dialog box, enter your Name, Organization, and a Workgroup ID.
Store the Workgroup ID.
- In the Workgroup Information File dialog box, take note of the path and file name that appears as
the default for the new workgroup information file. If you want to place the
file in another location, edit the path. You can also change the file name
here.
- If there is another Workgroup file with the same name, the
Workgroup Administrator will ask you if you want to overwrite the file. After
making your choice, click OK.
- The next window is a confirmation window that displays all
the information that you have entered. Review and click either OK to proceed, or Change if you find something that is not correct.
- When the Workgroup file has been successfully created, a
window will appear confirming this to you. Click OK in this message. The process is complete.
- You can now exit the Workgroup Administrator or join
another workgroup file to make it the default file.
Run-Time Access Databases
If you are using Microsoft Office Developer to package a
Microsoft Access application, you must include the corresponding secured
workgroup information file for any secured database that you are
distributing.
If you are not distributing a secured Microsoft Access
database, you do not have to include the workgroup information file.
NOTE: When you distribute a Microsoft Access database with a profile,
you must add a workgroup information file even if the database is not
secured.