Any business system contains data, including various commercial and financial information, and access to this data should be granted according to specific rules. 1C:Enterprise, as a specialized business application development platform, offers a wide range of data access control capabilities.
In the 1C:Enterprise platform, a dedicated metadata object called Roles is used to control user access.
The object "Role" determines what rights a user has. For each object (Catalog, Document, etc.), the developer can define a separate set of rights - read / write / add / change / …
A user's available rights are the aggregate of all permissions granted by the roles assigned to that user.
Let's open the object "Role", for example, "Full Rights":
The object has two tabs - "Rights" and "Restriction Templates". "Rights" is the main tab; "Restriction Templates" is the tab for setting rights at the record level in 1C. It is an important tab, and we'll cover it in the next article.
Let's look at the tab "Rights". Pay attention to the checkboxes at the bottom:
1. "Set rights for new objects" - if the flag is set on the role, permissions will be automatically set on new metadata objects;
2. "Set rights for attributes and tabular sections by default" - if this flag is set, attributes and tabular sections inherit the rights of their owner, for example, a Document, Catalog, etc.
3. "Subordinate objects have independent rights" - if this flag is set, then the rights of the parent object are not taken into account. If this flag is not set, then when determining the rights of a subordinate object, the corresponding right of the parent object is analyzed.
Let's look at setting permissions for the entire program. To do this, click on the root in the "Rights" tab:
We'll see the following settings: Administration, Data Administration, Update database configuration, etc. All these settings are intended for the general setting of access rights to the program.
If we need to configure the rights for a particular object, then we select this object in the configuration tree and configure the rights for this particular object:
Please note that the set of rights for different types of objects is different.
For example, the rights "Posting" and "Undo posting" can be set only for documents, the right "Totals control" only for accumulation registers, and the right "Use" only for reports and data processors.
Now suppose that a certain role should not have access to some object, but the program code still needs to access that object while it runs. To handle this situation, 1C has a special operator "SetPrivilegedMode()":
Thus, the "SetPrivilegedMode()" operator lets you temporarily disable rights checking while program code executes.
To check whether privileged mode is enabled or disabled, use the "PrivilegedMode()" command:
To check whether the current 1C user has a specific role, the operator "IsInRole()" is used:
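The three operators above, combined in one server-side function. This is an added example, not code from the original article: the function name "CustomersCount" is hypothetical, and the catalog "Customers" and the roles "FullRights" and "ViewOnly" are the ones created in the example later on this page.

```bsl
// Added example; assumed to live in server-side code (for example, a server common module).
// Returns the number of items in the "Customers" catalog, even when the
// current user's role (such as "CatalogNotVisible") has no rights to it.
Function CustomersCount() Export

    // Users in these roles can already read the catalog.
    CanRead = IsInRole("FullRights") Or IsInRole("ViewOnly");

    // Switch modes only if needed and only if the caller is not privileged already.
    SwitchMode = Not CanRead And Not PrivilegedMode();

    If SwitchMode Then
        SetPrivilegedMode(True);
    EndIf;

    Total = 0;
    Try
        // Keep the privileged section small: one aggregate query,
        // no catalog items are returned to the caller.
        Query = New Query;
        Query.Text =
            "SELECT
            |    COUNT(*) AS Total
            |FROM
            |    Catalog.Customers AS Customers";

        Selection = Query.Execute().Select();
        If Selection.Next() Then
            Total = Selection.Total;
        EndIf;
    Except
        // Restore rights checking before passing the error on.
        If SwitchMode Then
            SetPrivilegedMode(False);
        EndIf;
        Raise;
    EndTry;

    If SwitchMode Then
        SetPrivilegedMode(False);
    EndIf;

    Return Total;

EndFunction
```

Everything executed between "SetPrivilegedMode(True)" and "SetPrivilegedMode(False)" runs without rights checks, so the function returns only a count rather than the catalog data itself.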
Well, enough theory, let's make a small example of working with rights.
Create a new 1C configuration, in it create one catalog "Customers":
Now create three roles: "FullRights", "ViewOnly" and "CatalogNotVisible":
For each of these roles, let's define the access rights to the catalog "Customers".
The role "FullRights" has full access to the catalog "Customers":
The "ViewOnly" role allows you to only view the catalog "Customers", but you cannot change it:
And the last, third role "CatalogNotVisible" doesn't see the catalog "Customers":
Also create three users: "Admin", "ViewOnly" and "Can't see anything":
Assign an appropriate role for each user:
Now run 1C under the user "Admin" and fill in the catalog Customers. As you can see, the catalog is entirely at our disposal. We can add new items, delete old ones, etc.:
Then start 1C under the user "ViewOnly" and open the catalog "Customers". Note that now we can neither change the catalog nor add a new element to it. The only thing available to us is viewing:
And now run 1C under the user "Can't see anything". As one would expect, in this case, the user doesn't even see the catalog Customers:
Thus, as the example just examined shows, roles allow the developer to configure user rights flexibly.
But now let's assume that in 1C we keep accounts for several companies at once. Is it possible to make the employees of the first company see only their customers (or suppliers), and the employees of another company see only their customers?
The answer to this question is yes. And there are two options for how to do it.
In the next article, we will talk about it.
Stay with us!