Restricting access to documents and reference books in 1C Accounting 3.0

In this article I will look at how to work with users in:

  • create a new user;
  • configure rights - profiles, roles and access groups;
  • how to configure rights restrictions at the record level in 1C 8.3 - for example, by organization.

The instructions are suitable not only for the accounting program, but also for many others built on the basis of BSP 2.x: 1C Trade Management 11, Salary and Personnel Management 3.0, Small Firm Management and others.

If you are interested in setting up rights from a programmer's point of view, read.

In the 1C program interface, user management is carried out in the “Administration” section, in the “Setting up users and rights” item:

To create a new user in 1C Accounting 3.0 and assign him certain access rights, there is a “User and Rights Settings” item in the “Administration” menu. Let's go there:

The list of users is managed in the “Users” section. Here you can create a new user (or group of users) or edit an existing one. Only a user with administrative rights can manage the list of users.

Let’s create a user group called “Accounting”, and there will be two users in it: “Accountant 1” and “Accountant 2”.

To create a group, click the button highlighted in the figure above and enter a name. If there are other users in the information base who are suitable for the role of accountant, you can immediately add them to the group. In our example there are none, so we click “Record and close”.

Now let's create users. Place the cursor on our group and click the “Create” button:

In the full name we will enter “Accountant 1”, and the login name will be set to “Accountant1” (this is what will be displayed when entering the program). The password will be “1”.

Be sure to make sure that the “Login to the program is allowed” and “Show in the selection list” checkboxes are checked, otherwise the user will not see himself during authorization.

Leave “Startup mode” as “Auto”.

Setting up access rights - roles, profiles

Now you need to specify “Access Rights” for this user. But the user must be saved first, otherwise a warning window will appear as shown in the picture above. Click “Record”, then “Access Rights”:

Select the Accountant profile. This profile is standard and configured with the basic rights required by an accountant. Click “Record” and close the window.

In the “User (creation)” window, click “Save and close”. We create the second accountant in the same way. Then we make sure that both users are enabled and can work:

It should be noted that the same user can belong to several groups.

We chose access rights for accountants from those that were included in the program by default. But there are situations when it is necessary to add or remove some right. To do this, it is possible to create your own profile with a set of necessary access rights.

Let's go to the "Access Group Profiles" section.

Let's say we need to allow our accountants to view the registration log.

Creating a profile from scratch is quite labor-intensive, so let’s copy the “Accountant” profile:

And let's make the necessary changes to it - add the role:

Let's give the new profile a different name. For example, “Accountant with additions.” And check the “View registration log” checkbox.

Now we need to change the profile of the users we created earlier.

Restricting rights at the record level in 1C 8.3 (RLS)

Let's figure out what it means to restrict rights at the record level, or, as they call it in 1C, RLS (Record Level Security). To get this opportunity, you need to check the appropriate box:

The program will require confirmation of the action and will inform you that such settings can greatly slow down the system. It is often necessary to prevent some users from seeing documents from certain organizations. It is precisely for such cases that there is an access setting at the record level.

We go again to the profile management section, double-click on the “Accountant with Additions” profile and go to the “Access Restrictions” tab:

For “Access type” select “Organizations”, and for “Access values” select “All allowed, exceptions are assigned in access groups”. Click “Save and close”.

Now we return to the “Users” section and select, for example, the user “Accountant 1”. Click the “Access Rights” button:

Using the “Add” button, select the organization whose data will be seen by “Accountant 1”.

Note! Using the mechanism for separating rights at the record level can affect the performance of the program as a whole. Note for the programmer: the essence of RLS is that the 1C system adds an additional condition to every query, which checks whether the user is allowed to read the data in question.

Other settings

The sections “Copying settings” and “Clearing settings” do not raise any questions; their names speak for themselves. These are settings for the appearance of the program and reports. For example, if you have set up a beautiful appearance for the “Nomenclature” directory, it can be replicated to other users.

This article will discuss how to independently, easily and simply grant the rights to work in the 1C: Accounting 8 program to employees of an enterprise. You can provide access only to those reports, directories or documents that a specific employee needs for work, and limit access to those not included in the list of settings. We will set access settings based on the program “1C: Accounting 8” version 3 configuration “Taxi”. Setting access settings will not take much time and knowledge; after reading this article, it can be done by any employee who has worked or has an understanding of software products of the 1C family.

Who is granted access rights?

Access rights can be granted:

  • One user;
  • A group of people (users).

To facilitate the work of the service that is responsible for granting rights, it is better to perform this procedure by groups, rather than by specific individuals working at a given period of time.

Groups can be grouped depending on:

  • Positions (divisions);
  • Functional responsibilities;
  • Other characteristics or parameters.

Rights can be granted to:

  • Viewing documents, reference books, drawing up reports in the 1C program. Provided to services, for example, sales or purchasing managers;
  • Work, while documents are created (deleted), new directory elements are introduced (displayed). These rights may be granted, for example, to the chief accountant or accounting service;
  • Administration of the program, while an employee with administrator rights has full rights and can, for example, grant access rights, update the program and perform other functions included in the first and second points.

In the 1C program, there are four main profiles for the rights granted:

  • Administrator;
  • Chief Accountant;
  • Accountant;
  • Synchronizing data with other programs;
  • Viewing only.

How to set up access rights in 1C?

Only a user of the 1C program with the “Administrator” profile (“Full rights”) can grant (configure) access rights for employees of the organization.

To configure access rights, you need to select the “Administration” section in the main menu, then go to “Program Settings” and select “User and Rights Settings” there.

When setting up users and rights, there are six sections to complete, each of which is described below:

  • Users;
  • Access group profiles;
  • Copying settings;
  • Clear settings;
  • User settings;
  • External users.

In the “Users” section, data is created for an employee of the organization to whom rights are granted. In this case, you need to fill in the following fields:

  • Full name;
  • An individual is selected from the “Individual” directory;
  • Login to the program is allowed, the checkbox is checked;
  • The “Main” tab contains the login name (the name under which the user enters the program), the authentication settings (setting or changing the password used to enter the database), and the option to show the user in the selection list when entering the database;
  • On the “Addresses, telephones” tab, you enter the e-mail address and telephone numbers;
  • On the “Comment” tab, you can leave any user records necessary for work.

Next, in the settings, set the “Display author of the document” flag, so that the “Responsible” field of each created document shows its author.

This is a convenient function: when an error is detected, the head of the department can see who created the document, in order to eliminate the error and prevent it in the future.

In the “Access Group Profiles” section, you can set the “Restrict access at the record level” attribute for all employees of the organization or create actions (roles) for each employee who is granted rights in the 1C program. In this case, you need to select the necessary positions on the “Allowed actions (roles)” tab and then on the “Description” tab it will be written down which actions include these rights.

It is better not to provide administrator rights for “normal” work in the program, since these rights provide great opportunities in the 1C database, not only to view, change, delete documents, but also other functions, which include changing the program configuration.

In the “Copying user settings” section, you can copy settings already provided to other employees of the enterprise. It is possible to copy all settings or individual settings to selected users or all users.

This function is convenient to use in large enterprises, in order to save time on creating similar settings for new employees.

In the “Clearing user settings” section, you can clear settings for selected users or all users at once, without going into individual settings for each employee. This function allows you to clear all settings or selected settings.

The “User Settings” section allows you to manage report settings, program appearance and other settings. They are also provided to a specific user of the 1C program.

You can also grant external users the right to view the program. A convenient function for providing program viewing to external auditors, partners and other users. When you check the “Allow access to external users” checkbox, the “External Users” block opens, in which you can select the type of users:

  • Counterparties;
  • Individuals.

When you select one of the types, a form with the external user's data opens; it needs to be filled in with the name and password used when logging into the system. After recording, the “Access Rights” tab becomes active, in which the rights are set: administrator, chief accountant, data synchronization with other programs, viewing only.

Rights have been granted to everyone; I wish you successful and productive work.

There is often a need to partially restrict access to data. For example, when a user should see documents only from his organization. In such cases, 1C uses a mechanism for restricting access at the record level (the so-called RLS - Record Level Security).

For example, let's assume that we are faced with the following task. The enterprise maintains multi-company accounting and each counterparty and database user belongs to a specific organization. It is necessary to provide access to the “Counterparties” directory in such a way that each user can view, edit and add contractors only for his organization.

To solve the problem we will use the “1C:Enterprise 8.2” platform. Let’s create a new configuration in the properties of which the “Managed application” option will be selected as the main launch mode.

Next, we will create a directory “Organizations” and two more directories – “Counterparties” and “Users” – each with the attribute “Organization”. In addition to directories, we will need two session parameters - “Organization” and “User” (of the appropriate reference types). The values of these parameters are set when a configuration session starts and are stored until it ends. It is the values of these parameters that we will use when adding access restriction conditions at the record level.

Setting session parameters is performed in a special module – the “Session Module”.

In this module we will describe the predefined procedure “SessionParametersSetting”, in which we will call a procedure of the previously prepared common module “FullRights”. This is necessary due to the peculiarities of the database operating in managed application mode, when part of the program code can only be executed on the server side (I will not dwell on explaining these principles in detail in this article).

Code 1C v 8.x
Procedure SessionParametersSetting(SessionParameterNames)
	// Delegate to the privileged common module so the lookup runs on the server without rights checks.
	FullRights.SetSessionParameters();
EndProcedure

In the properties of the “FullRights” module, you must check the “Server”, “Server call” and “Privileged” checkboxes (the latter means that the procedures and functions of this module will be executed without access rights control). The module text will look like this:

Code 1C v 8.x
Function DefineCurrentUser()
	// Look up the configuration user in the "Users" catalog by its description (exact match).
	UserRef = Catalogs.Users.FindByDescription(UserName(), True);
	Return UserRef;
EndFunction

Procedure SetSessionParameters() Export
	CurrentUser = DefineCurrentUser();
	CurrentOrganization = Catalogs.Organizations.EmptyRef();
	If ValueIsFilled(CurrentUser) Then
		CurrentOrganization = CurrentUser.Organization;
	EndIf;
	SessionParameters.User = CurrentUser;
	SessionParameters.Organization = CurrentOrganization;
EndProcedure

Function SessionParameterSet(ParameterName) Export
	Return ValueIsFilled(SessionParameters[ParameterName]);
EndFunction

Function RoleAvailableToUser(RoleName) Export
	Return IsInRole(RoleName);
EndFunction

In the managed application module, we will check for the presence of a configuration user in the “Users” directory (for simplicity, we will search for it by name) and shut down the system if it is not found. This is necessary to ensure that the session parameters are filled in.

Code 1C v 8.x
Procedure BeforeStart(Cancel)
	// Check everyone except the administrator for presence in the "Users" catalog.
	If Not FullRights.RoleAvailableToUser("FullRights") Then
		If Not FullRights.SessionParameterSet("User") Then
			DoMessageBox("User """ + UserName() + """ not found in the directory!");
			Cancel = True;
			Return;
		EndIf;
	EndIf;
EndProcedure

Now we can proceed directly to the description of access restrictions. To do this, create the “User” role and go to the “Restriction Templates” tab, where we add a new template “CounterpartiesReadChange” with the following template text:

WHERE Organization = &Organization #Parameter(1)

Restriction template text is an extension of the query language. Unlike a regular query, the text of the restriction must necessarily contain the “WHERE” condition. The values of the session parameters of the same name are used as the values of the query parameters (in our case, “&Organization”). A construction like #Parameter(1) means that in this place the system will substitute the text passed as the first parameter where the template is used. Using the template provided, each table record will be checked (in our case, this will be the “Counterparties” directory). For records whose “Organization” attribute value matches the one specified in the corresponding session parameter, the condition described in the template will be met. In this way, these records will be available for reading, editing or adding (depending on which of these rights the template applies to). I will demonstrate the above using our example.

Let’s go to the “Rights” tab of the “User” role and open the list of rights for the “Counterparties” directory. We will use the “CounterpartiesReadChange” restriction template for the “Read”, “Update” and “Insert” rights.

For the “Read” right we will use the template with the “OR IsFolder” parameter. In this case, users of this role will be allowed to read not only elements of the “Counterparties” directory of their organization, but also all groups of this directory:

#CounterpartiesReadChange("OR IsFolder")

Since, when adding new directory elements, the system implicitly reads predefined attributes (this is necessary, for example, for numbering), it is necessary to ensure unrestricted reading of these fields. To do this, add an additional line with empty restriction text to the data access restriction table and list the fields to which this rule applies - Ref, DataVersion, Parent, Code.

Thus, the task of restricting access at the record level has been solved. Users with existing restrictions will only have access to view and edit data for their organization.
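As an added illustration (not code from the article or from 1C), here is a Python model of the RLS mechanism described above: session parameters filled at login, the BeforeStart refusal of users missing from the "Users" directory, and the CounterpartiesReadChange template with #Parameter(1) evaluated against every record of a constructed "Counterparties" directory. Organization, user and counterparty names are constructed.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the Organizations, Users and
# Counterparties directories of the article (all names are assumptions).
USERS = {"ivanov": "Alpha LLC", "petrova": "Beta JSC"}      # Users.Organization


@dataclass
class Counterparty:
    code: str
    description: str
    organization: str        # "" for groups (folders), which belong to no organization
    is_folder: bool = False


COUNTERPARTIES = [
    Counterparty("000001", "Suppliers", "", is_folder=True),
    Counterparty("000002", "Alpha Steel", "Alpha LLC"),
    Counterparty("000003", "Beta Glass", "Beta JSC"),
]

# Restriction template CounterpartiesReadChange of the "User" role.
TEMPLATE = "WHERE Organization = &Organization #Parameter(1)"
FIELD_MAP = {"Organization": "organization", "IsFolder": "is_folder"}


class AccessDenied(PermissionError):
    pass


class Session:
    """Models SessionParametersSetting plus the BeforeStart check."""

    def __init__(self, user_name, full_rights=False):
        user = user_name if user_name in USERS else None
        self.full_rights = full_rights
        # Session parameters User and Organization (empty if the user is unknown).
        self.params = {"User": user, "Organization": USERS.get(user_name, "")}
        # Everyone except FullRights must exist in Users, otherwise login is refused.
        if not full_rights and user is None:
            raise AccessDenied(f'User "{user_name}" not found in the directory!')


def expand_template(parameter_text=""):
    """The platform substitutes the template's first argument for #Parameter(1)."""
    return TEMPLATE.replace("#Parameter(1)", parameter_text).strip()


def record_allowed(condition, record, session):
    """Evaluate 'WHERE Field = &Param [OR BoolField ...]' for one record.
    Only this small subset of the restriction language is modelled here."""
    if session.full_rights:                  # FullRights role: no RLS at all
        return True
    assert condition.startswith("WHERE ")
    for clause in condition[len("WHERE "):].split(" OR "):
        if "=" in clause:
            field_name, param = (s.strip() for s in clause.split("=", 1))
            if getattr(record, FIELD_MAP[field_name]) == session.params[param.lstrip("&")]:
                return True
        elif getattr(record, FIELD_MAP[clause.strip()]):
            return True
    return False


def read_counterparties(session):
    """Read right: own organization's elements plus every group (OR IsFolder)."""
    condition = expand_template("OR IsFolder")
    return [r for r in COUNTERPARTIES if record_allowed(condition, r, session)]


def add_counterparty(session, record):
    """Insert right: the new record itself must satisfy the plain template."""
    if not record_allowed(expand_template(), record, session):
        raise AccessDenied(f"cannot add {record.description!r} for {record.organization!r}")
    COUNTERPARTIES.append(record)
    return record
```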

SETTING USER RIGHTS. BSP. ACCESS PROFILE 8.6.2.
Platform:8.2.17.153 and higher or 8.3.4.365 and higher.

ADMINISTRATION TOOLS:

Universal editor. Multi-handler:
- System Administrator (WSH & WMI):
- Setting up user rights. BSP.

IMPORTANT! Configurations containing the "Access Group Profiles" reference book are supported.

Test environment:
- "Retail...":
- Retail 2.0, 2.1, 2.2 (RUSSIA);
- Retail 2.0 (UKRAINE);
- Retail 2.0 (BELARUS).
- "Trade management...":
- Trade management 11.0, 11.1, 11.2, 11.3 (RUSSIA);
- Trade management 3.0 (UKRAINE);
- Trade management 3.1 (BELARUS).
- "Accounting...":
- Enterprise Accounting 3.0 (RUSSIA);
- Accounting for an agricultural enterprise 3.0 ARGOSOFT (RUSSIA).
- "Comprehensive automation" :
- Integrated automation 2.0, 2.2 (RUSSIA);
- "ERP Enterprise Management":
- ERP Enterprise Management 2 (RUSSIA)
- "Managing a small company...":
- Management of a small company 1.4, 1.5 (RUSSIA).
- "Salaries and personnel management...":
- Salary and personnel management 3.0 (RUSSIA).
- "Retail. Auto parts store...":
- Retail. Auto parts store 2.1 (RUSSIA).

VERSION 8.6.2 (08.2017)
- BSP 2.3.6.35.
- ERP Enterprise Management 2.
- Other changes.

VERSION 8.6.1 (02.2017)
- BSP 2.3.4.107.
- Other changes.

VERSION 8.6 (11.2016)
- Highlighting roles by 2 (two) substrings.
- Other changes.

VERSION 8.5 (09.2016)
- BSP version 2.3.3.77. New roles.
- Support for "Complex Automation" 2.2, "Trade Management" 11.3.
- Other changes.

INTRODUCTION.

Security subsystem 1C:Enterprise.

Common security settings in operating systems are the so-called set of read/write permissions for different user groups, for example, Windows AD (Active Directory).
The security subsystem used in 1C software is called roles.

Library of standard subsystems (BSP):

The library of standard subsystems (BSP) has been developed considerably, and the set of objects forming the security subsystem has been expanded in it.
In general, security in the BSP is built on the following configuration metadata objects:

- Directory "Access Groups" - this directory contains information on access groups.
Maintaining access groups allows you to quickly and easily manage the delimitation of rights in systems with a large number of users.

- Roles: configuration items. They are set in the "Configurator" mode. Located in the "General" section.
The list of roles created in configuration mode is used in the elements of the "Access Group Profiles" directory. Roles are not editable in user mode.

- Plans of Types of Characteristics (PVC) "Types of Access" - used to identify all kinds of objects for which it is necessary to establish access control.
For example, elements of this PVC can be elements of the directories “File Folders”, “Types of Prices”, “Users”, “External Users”, etc.

- Directory "Access Group Profiles" - used to assign rights to a group of users, while the profile contains information about the roles and types of access available to members of this group.
The AccessGroup Profile allows you, in the future, to easily change the accessibility or inaccessibility of specific types of objects for all users of the access rights group.

- General Forms: “Access Rights” and “Access Rights Simplified” - allow you to include the User in an Access Group/Profile, view allowed roles and a report on rights, “Rights By Access Values” (PVC “Access Types”)

In addition, a number of internal information registers:

- Information register "AccessValueGroups";
- Information register "Dependencies of Access Rights";
- Information register "Access Group Values";
- Information register "AccessValueSets";
- Information register "Access Group Tables";
- Information register "Role Rights".

These registers are filled in automatically and are not intended for manual adjustment by users.

Windows and 1C:

In Windows, there are security groups that can act as access groups:
- Administrators;
- Users;
- Experienced users;
- Guests;
- etc.

1C:Enterprise has a large set of profiles that regulate user rights, for example:
- Manager;
- Manager;
- Marketer;
- Storekeeper;
- Cashier;
- etc.

All of these profiles fall under the "User" category in Windows terminology.
There is also an "Administrator" profile, which provides full access to configuration data and metadata without any restrictions.
There is, as a rule, no profile of the “Experienced User” type in 1C:Enterprise.

PURPOSE OF PROCESSING: CREATE A PROFILE WITH WIDE RIGHTS.

"no less - no more":
Using existing rules for assigning rights to users, create profiles with extended rights.
In this case, you need to give as many rights as necessary.

IMPORTANT! The "Full Rights" role is not assigned by default.

Terminology:
Service (non-object) “profiles” - profiles defined programmatically in processing.
Predefined configuration profiles - configuration metadata.
"EXPERT" ("Experienced") - Experienced user - expert.
"MIN" ("Mandatory") roles are roles defined by 1C as mandatory assigned to the access profile.

THREE CLICKS:

CLICK 1st. Profile "GENERALIZED BY PROFILES":

Consists of "Required" roles and predefined profile roles .
Users for whom this profile will be enabled will receive a wide range of rights, but no more than those explicitly provided for in the standard configuration for other roles.


CLICK 2nd. Profile "EXPERIENCED USER":

Consists of roles that are part of the non-object profile "Experienced [user]".
Users for whom this profile will be activated will receive the widest range of rights possible for the User.
If necessary, you can change the composition of the selected roles.


CLICK 3rd. Profile "ALLOWED, WHAT IS NOT PROHIBITED" :

Consists of roles that are not included in the "Administrative" non-object profile.
Reverse role assignment mode. Only what needs to be classified as “Administrative” roles is indicated - the rest is for Users.
If necessary, you can change the composition of the selected roles.


The list of rights is determined by role in the current row of the "Profile Roles" table.

FEATURES:

1. Place of use of processing.

For correct operation, it is recommended to use the processing on the Main Node of the RIB (distributed infobase).

The situation is typical for the Retail 2.0.6.4 RIB configuration:
- Updating supplied profiles only works correctly on the MainNode.
(therefore, on the SlaveNode, the "Update supplied profiles" button is disabled).
- Recording a profile on a SubordinateNode in the standard form is incorrect.
Similar to how work with the directory "Identifiers of Metadata Objects" is organized (only the Main Node of the RIB).

2. Update supplied profiles. Predefined profiles.
This sets up the predefined user access group templates and involves returning to the initial list of roles of all predefined configuration profiles supplied by 1C,
i.e. each supplied predefined profile will get the minimum required set of roles.
ATTENTION! If you changed the composition of the roles of predefined profiles, these changes may be lost.

Profiles in the "Access Group Profiles" directory often have the status of predefined.
Whether you want to create new profiles predefined or not is at your discretion.

3. Role "Full Rights" . Profile for system administration .
The system includes a predefined "Administrator" profile, which includes the "Full Rights" role.
This role provides full access to configuration data and metadata without any restrictions.
ATTENTION! It is not recommended to add the Full Rights role to any other profiles as it automatically disables any other access restrictions.
A profile containing the "Full rights" role "degenerates" into the "Administrator" profile.

4. Role "Administrator" and External processing.
External processing is performed in SAFE MODE.

In safe mode:
- privileged mode is ignored;
- actions external to the 1C:Enterprise platform are prohibited: COM; loading external components; launching external applications and operating system commands; access to the file system, except temporary files; Internet access.

An attempt to disable Safe Mode in external processing results in the error: “Safe mode has not been set in this procedure/function.”

Adding the "Administrator" role to the access profile removes the above restrictions.

ATTENTION! It is not recommended to install the "System Administrator" role, because this role, along with the "Full Rights" role, is assigned to the "Administrator" profile.

TEST ENVIRONMENT:
Operating system (x32/x64): Windows XP, Windows 7/8, Windows Server 2003 R2 SP2.
1C:Enterprise:
Platform: 8.2.17.153 and above or 8.3.4.365 and above.
Architecture: File version.
Configurations: Various, containing the directory "Access group profiles".
Compatibility Mode: Do not use.
Modality usage mode = Use/Not Use.
Launch mode: Managed application.

Best regards to the MA community!