Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Understanding the role of workgroup information files in Access security
Article ID: 305542 - View products that this article applies to.
This article was previously published under Q305542
Moderate: Requires basic macro, coding, and interoperability skills.
This article applies only to a Microsoft Access database (.mdb).
For a Microsoft Access 2000 version of this article, see 305541
For a Microsoft Access 97 version of this article, see 303941
This article explains the role and relationship of the workgroup information file in Microsoft Access security.
When you install Microsoft Access and open a database for the first time, a file named System.mdw is created. This is the default workgroup information file.
By default, on computers that are running Microsoft Windows 2000, the System.mdw file is created in the user profile in the following path.
NOTE: The Application Data folder is a hidden folder.
C:\Documents and Settings\<user name>\Application Data\Microsoft\Access\System.MDWOn computers that are running Microsoft Windows 98, the default System.MDW file is created in the following path:
C:\Windows\Application Data\Microsoft\Access\System.MDWThe workgroup information file is a required component when you use a Microsoft Access database (MDB). This file is required for both a run-time installation and a full installation of Microsoft Access. This file is an important component of Microsoft Access security.
If you develop database applications, it is important that you have a good understanding of the workgroup information file. It is a good idea to reserve the last phase of the development process for applying security in Access. Until then, you can develop the database application in an unsecured database.
A workgroup is a group of users who share data in a multiuser environment. When security is implemented on a database, the user and group accounts are recorded in the workgroup information file. User passwords are also stored in the workgroup information file.
IMPORTANT: If you establish Access security in a database, Microsoft recommends that you store a backup copy of the workgroup information file in a safe location. If the file is lost or damaged, the only way to recover the workgroup information file quickly is to restore the file from a backup copy. If you do not have a backup copy, you must re-create the User and Group Accounts with the same Personal IDs that were originally assigned. If the new workgroup information file is not created exactly as the original file, you will not be able to open the database with the workgroup file.
Access uses the workgroup information file even when the database has not been secured. The default Admin user account, which is stored in the workgroup information file, is used to open all unsecured databases. If you assign a password to the Admin user, you will receive a logon prompt when you reopen the database.
For additional information about securing a Microsoft Access database, click the following article number to view the article in the Microsoft Knowledge Base:
289885Access security is based on a hierarchy of Groups, Users and Database objects (forms, reports, queries, and so on).
(http://support.microsoft.com/kb/289885/ )How to help protect a Microsoft Access Database
Groups and UsersGroups are collections of users who typically, but not always, have the same role in a shared database. You may want to grant some users more control than others. To administer users who you want to have different levels of permissions, it is recommended that you place the users into separate groups based on their roles and assign permissions to the group rather than to the individual user.
Users are individuals who will work with all or part of the database. A user can belong to more than one group. It is important to remember that if any user is a member of two or more groups, that user will have the most liberal permissions assigned to any of the groups to which they belong.
The workgroup information file stores the User and Group information. Each user account is created with a user logon, a password, and a Personal ID. Each Group is created with a group name and Workgroup ID. That information is stored in the workgroup information file.
Database ObjectsEach Database Object has an owner and a series of permissions that must be set at the Group level or the individual User level.
If the database administrator creates groups to cluster users who work in the same capacity and will have the same permissions on all objects, it is far easier to assign permissions at the group level than to try to administer individual user accounts over the whole company. If the permissions are assigned to the group, they will extend to each and every member of that group. Therefore, the database administrator can easily set up a new user account, assign that user to the proper group, and have the new user proceed immediately. The group permissions will govern the user's activities automatically.
PermissionsPermissions are granted to groups and users to regulate how they are allowed to work with each table, query, form, report, and macro in a database. With permissions, the user or group can create, view, modify, or delete objects already created. Users inherit the permissions of the groups to which they are assigned.
NOTE: It is not a good idea to allow users to make design changes in a production database. Microsoft recommends that design changes are made only to the developer's copy of the secured database. The secured database can then be redistributed.
Permissions and the ownership of the database objects are stored in the database. Because permissions and ownership are always associated with the user and group accounts that are stored in the workgroup information file, the secured application must always be able to point to the specific workgroup information file that it was secured with.
When you are working with more than one Access database from the same workstation or server, it is possible to use multiple workgroup information files. One database may be secured while others are not. Each database may have its own separate security scheme. After the Access application has been secured, the workgroup information file used while setting up the security is the only workgroup information file that the database will work with. The workgroup information file can be copied to each local workstation or shared across the network.
WORKGROUP FILE ADMINISTRATIONThe developer or application administrator can create additional workgroup information files by starting the Workgroup Administrator from the Access menus. On the Tools menu in Access, point to Security, and then click Workgroup Administrator.
Note that the Workgroup Administrator shows the location of the current workgroup information file. The Workgroup Administrator is designed to create or join workgroup information files. Joining a specific workgroup information file makes the file the default workgroup file when Microsoft Access is started by one of the following methods:
To start a secured Access database named MyApp.mdb in a folder named MyAppFolder with the workgroup information file used when establishing security on MyApp.mdb, the command-line syntax must include the /WrkGrp command-line switch, for example:
"C:\Program Files\Microsoft Office\Office\MSAccess.Exe" "C:\MyAppFolder\MyApp.MDB" /wrkgrp "C:\MyAppFolder\System.MDW"You can create a shortcut and enter this syntax as the target of the shortcut.
For additional information about Startup Command-Line Options, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/209207/EN-US/ )ACC2000: How to Use Command-Line Switches in Microsoft Access
Workgroup Information File NameYou can give the workgroup information file a different name than the default name of System.mdw. Developers often name the workgroup information file the same name as the database it is securing in order to distinguish it quickly from other MDW files and to associate it with the correct database file.
Another method for managing multiple multiple workgroup information files is to place a copy of the correct workgroup information file in the same folder as the database that it is associated with.
Additional or new copies of the System.mdw file can be created to use with your specific databases. If you accidentally "secure" the default copy of System.mdw, you can copy it to the application folder and then create a new System.mdw in the default path. To create a new workgroup information file, follow these steps:
Run-Time Access DatabasesIf you are using Microsoft Office Developer to package a Microsoft Access application, you must include the corresponding secured workgroup information file for any secured database that you are distributing.
If you are not distributing a secured Microsoft Access database, you do not have to include the workgroup information file.
NOTE: When you distribute a Microsoft Access database with a profile, you must add a workgroup information file even if the database is not secured.
For additional information about Microsoft Access security, see the "Frequently Asked Questions About Microsoft Access Security for Microsoft Access versions 2.0 Through 2000" white paper at the following Microsoft Web site:
Frequently Asked Questions About Microsoft Access Security for Microsoft Access versions 2.0 Through 2000