MORE INFORMATION
When you install Microsoft Access for the first time, a new
file is created in the Program Files\Common Files\System folder. This is the
default workgroup information file. The default workgroup information file is
named System.mdw.
The workgroup information file is a required
component when you use a Microsoft Access database (MDB). This file is required
for both a run-time installation and a full installation of Microsoft Access.
This file is an important component of Microsoft Access security.
If
you develop database applications, it is important that you have a good
understanding of the workgroup information file. It is a good idea to reserve
the last phase of the development process for applying security in Access.
Until then, you can develop the database application in an unsecured database.
IMPORTANT: If you establish Access security in a database, Microsoft
recommends that you have a backup or copy of the workgroup information file in
a safe location. If the file is lost, damaged, or otherwise becomes impossible
to use, the only way to recover the file quickly is to have a backup copy of
the file. Otherwise, the database administrator would have to try to re-create
the User Accounts exactly as they were initially. This is a risky situation. If
the workgroup information file is not created exactly as the original, the file
will not work with the database. This will prevent the successful use of the
database for its designed purpose. In most cases, a current backup of the
database file is the only sure way to recover the file.
Access uses
the workgroup information file even when the database has not been secured. The
file uses the default Admin user account. The Admin user account does not have
a password at that point, and therefore it does not trigger a logon
prompt.
For additional information about
securing a Microsoft Access database, click the article number below to view
the article in the Microsoft Knowledge Base:
254372 ACC2000: Overview of How to Secure a Microsoft Access Database
For
additional information about the security Manager Add-In, click the article
number below to view the article in the Microsoft Knowledge Base:
235961 ACC2000: Access security Manager Add-In Available
Access security is based on a hierarchy of Groups,
Users, and Database objects (forms, reports, queries, and so on).
Groups and Users
Groups are collections of users who typically, but not always,
have the same "role" and reason for working in the database. Some users may be
given more latitude while other users will have less latitude within the
database. To administer users of varying scope, Microsoft recommends that they
be placed into separate groups based on their needs.
Users are
individuals who will actually use either all or part of the database. A User
can belong to more than one group. In Access security, one key concept to
remember is this. If any user is a member of two or more Groups in the database
and security has been established on the groups, that user will have the least
restrictive permissions between or among all the groups the user is a member
of.
Database Objects
The Database Objects have an Owner and have a series of
permissions on each object that must be determined at the Group level or the
individual User level.
The workgroup information file is used to
store the User and Group information. Each user account is created with a user
logon, a password, and a Personal ID. Each Group is created with a group name
and Workgroup ID. All of this information is stored in the workgroup
information file.
If the database administrator creates groups to
cluster users who work in the same capacity, it is far easier to assign
permissions at the group level than to try to administer individual user
accounts that have the exact same set of permissions over the whole company. If
the permissions are assigned to the group, they will extend to each member of
that group. Therefore, the database administrator can easily set up a new user
account, assign them to the proper group, and that user is ready to proceed
immediately. The group permissions will govern their activities automatically.
Permissions
With permissions, the user can open objects and modify objects or
the data retained by the objects. With the correct set of permissions, any user
belonging to a group can perform tasks without hindrance and without
compromising the security of the application or the underlying data.
NOTE: It is not a good idea to allow users to make design changes in a
production database. Microsoft recommends that design changes are made only to
the developer's copy of the database.
Permissions and the Ownership
of the database objects are stored in the actual database itself. Because the
permissions are stored in the database file, and the Users and Groups are
stored in the Workgroup file, this requires that both files be used together in
order for Access security to be properly implemented. Therefore, when you use
Access to open the secured database, Access must also be able to find the path
and location where the specific workgroup information file is stored.
It is also possible to use multiple workgroup information files. In fact, this
often occurs when you are working with more than one Access database from the
same computer. One database may be secured while others are not. Or each
database may have its own, separate security scheme. After the Access
application has been secured, the workgroup information file that was used
while setting up security is the only workgroup information file that should be
used with the secured database. In a multiuser environment, the workgroup file
can be copied to each workstation or be shared from the network server.
Workgroup File Administration
The developer or application administrator can create additional
workgroup information files using Wrkgadm.exe. This file can be found at the
following location:
C:\Program Files\Microsoft Office\Office\1033
The Workgroup Administrator is designed to create new workgroup
information files or to join to existing workgroup information files. After you
join a specific workgroup information file, Microsoft Access will use that
specific file each time that a database is opened, unless another method is
used to point Access to a different MDW file. Otherwise, Access will always use
the last workgroup file that you joined whenever you start Access by one of the
following means:
- From the Programs menu in Microsoft Windows.
- From a Desktop shortcut to the database file
only.
- When you double-click a database file in Windows
Explorer.
Microsoft Access can be instructed to use a specific workgroup
file at the time in which a database is opened. To accomplish this, it is
necessary to create a shortcut. The shortcut must have a command-line option
that will start a specific database and a specific workgroup information file.
To start an Access database named MyApp.mdb in a folder named MyAppFolder and
to use a secured workgroup file named System.mdw, the command line syntax must
have the
/WrkGrp command-line switch, for example:
"C:\Program Files\Microsoft Office\Office\Msaccess.Exe" "C:\MyAppFolder\MyApp.mdb" /wrkgrp "C:\MyAppFolder\System.mdw"
For additional information about
Command-Line options in Microsoft Access, click the article number below to
view the article in the Microsoft Knowledge Base:
209207 ACC2000: How to Use Command-Line Switches in Microsoft Access
Workgroup Information File Name
You can also give the workgroup information file a different name
than the default name of System.mdw. Often, the workgroup information file is
given the same name as the database it is securing. This helps identify it
quickly from other MDW files, and associates it with the correct database
file.
Another method for managing multiple workgroup information
files is to place a copy of the correct workgroup information file in the same
folder as the database it is associated with.
Additional or new
copies of the System.mdw file can be created to use with your specific
databases. If you accidentally "secure" the default copy of System.mdw, you can
create a new System.mdw file in the default path. To create a new workgroup
information file, follow these steps:
- Close any open databases, and then quit Microsoft
Access.
- Search your computer for the file Wrkgadm.exe, and then
double-click the file.
- Click Create in the dialog box that appears.
- To create a new workgroup information file, enter your User
Name, the Organization Name, and a Workgroup ID. The Workgroup ID can be any
string of alphanumeric characters. It must be between 8 and 20 characters long.
Click OK.
- Take note of the path and file name that is the default for
the new workgroup information file. If you want it to be in another path, edit
the path, or click Browse to locate the path that you want. If you also want the file name
to be different, you can change the name also. If there is another Workgroup
file with the same name, Access will prompt you to overwrite it or not. Click OK to proceed.
- The next window is a confirmation window that displays all
the information that you have entered. Review and click either OK to proceed, or Change if you find something that is not correct.
- When the Workgroup file has been successfully created, a
window will appear confirming this to you. Click OK in this message.
- You can now exit the Workgroup Administrator or join
another workgroup file to make it the default file.
Run-Time Access Databases
If you are using Microsoft Office 2000 Developer, you must
include the specific secured workgroup information file for any secured
database that you are distributing.
