Microsoft KB Archive/305542

= Understanding the role of workgroup information files in Access security =

Article ID: 305542

Article Last Modified on 3/27/2007

-

APPLIES TO


 * Microsoft Office Access 2003
 * Microsoft Access 2002 Standard Edition

-



This article was previously published under Q305542



Moderate: Requires basic macro, coding, and interoperability skills.

This article applies only to a Microsoft Access database (.mdb).

For a Microsoft Access 2000 version of this article, see 305541.

For a Microsoft Access 97 version of this article, see 303941.



SUMMARY
This article explains the role and relationship of the workgroup information file in Microsoft Access security.



MORE INFORMATION
When you install Microsoft Access and open a database for the first time, a file named System.mdw is created. This is the default workgroup information file.

By default, on computers that are running Microsoft Windows 2000, the System.mdw file is created in the user profile in the following path.

NOTE: The Application Data folder is a hidden folder.

C:\Documents and Settings\ \Application Data\Microsoft\Access\System.MDW

On computers that are running Microsoft Windows 98, the default System.MDW file is created in the following path:

C:\Windows\Application Data\Microsoft\Access\System.MDW

The workgroup information file is a required component when you use a Microsoft Access database (MDB). This file is required for both a run-time installation and a full installation of Microsoft Access. This file is an important component of Microsoft Access security.

If you develop database applications, it is important that you have a good understanding of the workgroup information file. It is a good idea to reserve the last phase of the development process for applying security in Access. Until then, you can develop the database application in an unsecured database.

A workgroup is a group of users who share data in a multiuser environment. When security is implemented on a database, the user and group accounts are recorded in the workgroup information file. User passwords are also stored in the workgroup information file.

IMPORTANT: If you establish Access security in a database, Microsoft recommends that you store a backup copy of the workgroup information file in a safe location. If the file is lost or damaged, the only way to recover the workgroup information file quickly is to restore the file from a backup copy. If you do not have a backup copy, you must re-create the User and Group Accounts with the same Personal IDs that were originally assigned. If the new workgroup information file is not created exactly as the original file, you will not be able to open the database with the workgroup file.

Access uses the workgroup information file even when the database has not been secured. The default Admin user account, which is stored in the workgroup information file, is used to open all unsecured databases. If you assign a password to the Admin user, you will receive a logon prompt when you reopen the database.

For additional information about securing a Microsoft Access database, click the following article number to view the article in the Microsoft Knowledge Base:

289885 How to help protect a Microsoft Access Database

Access security is based on a hierarchy of Groups, Users and Database objects (forms, reports, queries, and so on).

Groups and Users
Groups are collections of users who typically, but not always, have the same role in a shared database. You may want to grant some users more control than others. To administer users who you want to have different levels of permissions, it is recommended that you place the users into separate groups based on their roles and assign permissions to the group rather than to the individual user.

Users are individuals who will work with all or part of the database. A user can belong to more than one group. It is important to remember that if any user is a member of two or more groups, that user will have the most liberal permissions assigned to any of the groups to which they belong.

The workgroup information file stores the User and Group information. Each user account is created with a user logon, a password, and a Personal ID. Each Group is created with a group name and Workgroup ID. That information is stored in the workgroup information file.

Database Objects
Each Database Object has an owner and a series of permissions that must be set at the Group level or the individual User level.

If the database administrator creates groups to cluster users who work in the same capacity and will have the same permissions on all objects, it is far easier to assign permissions at the group level than to try to administer individual user accounts over the whole company. If the permissions are assigned to the group, they will extend to each and every member of that group. Therefore, the database administrator can easily set up a new user account, assign that user to the proper group, and have the new user proceed immediately. The group permissions will govern the user's activities automatically.

Permissions
Permissions are granted to groups and users to regulate how they are allowed to work with each table, query, form, report, and macro in a database. With permissions, the user or group can create, view, modify, or delete objects already created. Users inherit the permissions of the groups to which they are assigned.

NOTE: It is not a good idea to allow users to make design changes in a production database. Microsoft recommends that design changes are made only to the developer's copy of the secured database. The secured database can then be redistributed.

Permissions and the ownership of the database objects are stored in the database. Because permissions and ownership are always associated with the user and group accounts that are stored in the workgroup information file, the secured application must always be able to point to the specific workgroup information file that it was secured with.

When you are working with more than one Access database from the same workstation or server, it is possible to use multiple workgroup information files. One database may be secured while others are not. Each database may have its own separate security scheme. After the Access application has been secured, the workgroup information file used while setting up the security is the only workgroup information file that the database will work with. The workgroup information file can be copied to each local workstation or shared across the network.

WORKGROUP FILE ADMINISTRATION
The developer or application administrator can create additional workgroup information files by starting the Workgroup Administrator from the Access menus. On the Tools menu in Access, point to Security, and then click Workgroup Administrator.

Note that the Workgroup Administrator shows the location of the current workgroup information file. The Workgroup Administrator is designed to create or join workgroup information files. Joining a specific workgroup information file makes the file the default workgroup file when Microsoft Access is started by one of the following methods:
 * From the Programs menu in Microsoft Windows.
 * From a Desktop shortcut to the database file.
 * Through file association when you double-click the database file in Windows Explorer.

The user can use the default workgroup information file or can force Access to use a secured workgroup information file created for a specific database. To associate specific secured database files with their workgroup information files, you must create desktop shortcuts. Each desktop shortcut must have the Command-Line option set to start a specific database and use the specific workgroup information file secured with that database.

To start a secured Access database named MyApp.mdb in a folder named MyAppFolder with the workgroup information file used when establishing security on MyApp.mdb, the command-line syntax must include the /WrkGrp command-line switch, for example:

&quot;C:\Program Files\Microsoft Office\Office\MSAccess.Exe&quot; &quot;C:\MyAppFolder\MyApp.MDB&quot; /wrkgrp &quot;C:\MyAppFolder\System.MDW&quot;

You can create a shortcut and enter this syntax as the target of the shortcut.

For additional information about Startup Command-Line Options, click the article number below to view the article in the Microsoft Knowledge Base:

209207 ACC2000: How to Use Command-Line Switches in Microsoft Access

Workgroup Information File Name
You can give the workgroup information file a different name than the default name of System.mdw. Developers often name the workgroup information file the same name as the database it is securing in order to distinguish it quickly from other MDW files and to associate it with the correct database file.

Another method for managing multiple multiple workgroup information files is to place a copy of the correct workgroup information file in the same folder as the database that it is associated with.

Additional or new copies of the System.mdw file can be created to use with your specific databases. If you accidentally &quot;secure&quot; the default copy of System.mdw, you can copy it to the application folder and then create a new System.mdw in the default path. To create a new workgroup information file, follow these steps:
 * 1) Start Microsoft Access without opening any specific database.
 * 2) On Tools menu, point to Security, and then click Workgroup Administrator.
 * 3) Click Create in the dialog box that appears.
 * 4) In the Workgroup Owner Information dialog box, enter your Name, Organization, and a Workgroup ID. Store the Workgroup ID.
 * 5) In the Workgroup Information File dialog box, take note of the path and file name that appears as the default for the new workgroup information file. If you want to place the file in another location, edit the path. You can also change the file name here.
 * 6) If there is another Workgroup file with the same name, the Workgroup Administrator will ask you if you want to overwrite the file. After making your choice, click OK.
 * 7) The next window is a confirmation window that displays all the information that you have entered. Review and click either OK to proceed, or Change if you find something that is not correct.
 * 8) When the Workgroup file has been successfully created, a window will appear confirming this to you. Click OK in this message. The process is complete.
 * 9) You can now exit the Workgroup Administrator or join another workgroup file to make it the default file.

Run-Time Access Databases
If you are using Microsoft Office Developer to package a Microsoft Access application, you must include the corresponding secured workgroup information file for any secured database that you are distributing.

If you are not distributing a secured Microsoft Access database, you do not have to include the workgroup information file.

NOTE: When you distribute a Microsoft Access database with a profile, you must add a workgroup information file even if the database is not secured.

