Setting access rights in 1C:Enterprise

Alexander Biryukov

10.06.2020 12 min

Any business system contains data, including various commercial and financial information, and access to this data must be granted according to specific rules. 1C:Enterprise, as a specialized business application development platform, offers a wide range of data access control capabilities.

In the 1C:Enterprise platform, a dedicated metadata object called Roles is used to control user access.

Roles

The "Role" object determines what rights a user has. For each object (Catalog, Document, etc.), the developer can define a separate set of rights: read / write / add / change / …

A user's available rights are the aggregate of all permissions granted by the roles assigned to that user.

Let's open the object "Role", for example, "Full Rights":

Full rights

The object has two tabs: "Rights" and "Restriction Templates". "Rights" is the main tab; "Restriction Templates" is the tab for setting rights at the record level in 1C. It is an important tab, and we'll cover that topic in the next article.

Let's look at the tab "Rights". Pay attention to the checkboxes at the bottom:

1. "Set rights for new objects" - if the flag is set on the role, permissions will be automatically set on new metadata objects;

2. "Set rights for attributes and tabular sections by default" - if this flag is set, attributes and tabular sections inherit the rights of the owner, for example, a Document, Directory, etc.

3. "Subordinate objects have independent rights" - if this flag is set, then the rights of the parent object are not taken into account. If this flag is not set, then when determining the rights of a subordinate object, the corresponding right of the parent object is analyzed.

Let's look at setting permissions for the entire program. To do this, click on the root in the "Rights" tab:

Role Full rights

We'll see the following settings: Administration, Data Administration, Update database configuration, etc. All these settings are intended for the general setting of access rights to the program.

If we need to configure the rights for a particular object, then we select this object in the configuration tree and configure the rights for this particular object:

 Role Full rights: rights

Please note that the set of rights for different types of objects is different.

For example, the "Posting" and "Undo posting" rights can be set only for documents, the "Totals control" right only for accumulation registers, and the "Use" right only for reports and data processors.

Full rights: Posting

Full rights: Totals control

Full rights: Use   

Now suppose that a certain role should not have access to some object, but the program code itself needs to work with that object while it runs. To handle this situation, 1C has a special operator, "SetPrivilegedMode()":

SetPrivilegedMode 

Thus, the "SetPrivilegedMode()" operator lets you temporarily disable rights checks while program code executes.

To check whether the privileged mode is enabled or disabled, use the "PrivilegedMode()" command:

PrivilegedMode

To check the availability of a specific role to the current 1C user, the operator "IsInRole()" is used:

IsInRole
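The three calls above combined in one server-side function, as an added example that is not code from the original article. It assumes the "Customers" catalog and the "CatalogNotVisible" role created later in this article; the function name CustomerExists is hypothetical.

```bsl
// Added example, not from the original article. Server-side code in a common module.
// Assumes the "Customers" catalog and the "CatalogNotVisible" role created
// later in this article; the function name CustomerExists is hypothetical.
Function CustomerExists(CustomerCode) Export

    // Users who can already read the catalog need no elevation.
    NeedsElevation = Not AccessRight("Read", Metadata.Catalogs.Customers);

    // Privileged mode skips every rights check, so the code itself
    // must decide who is allowed to reach the privileged section.
    If NeedsElevation And Not IsInRole("CatalogNotVisible") Then
        Raise "Insufficient rights to check customers.";
    EndIf;

    // Switch the mode on only if the caller has not done so already,
    // and remember that, so we switch off only what we switched on.
    Elevated = NeedsElevation And Not PrivilegedMode();
    If Elevated Then
        SetPrivilegedMode(True);
    EndIf;

    Try
        // Return a yes/no answer, not the data the role is denied.
        Query = New Query;
        Query.Text =
            "SELECT TOP 1
            |    Customers.Ref
            |FROM
            |    Catalog.Customers AS Customers
            |WHERE
            |    Customers.Code = &Code";
        Query.SetParameter("Code", CustomerCode);
        Found = Not Query.Execute().IsEmpty();
    Except
        If Elevated Then
            SetPrivilegedMode(False);   // restore rights checks on failure too
        EndIf;
        Raise;
    EndTry;

    If Elevated Then
        SetPrivilegedMode(False);       // restore rights checks
    EndIf;

    Return Found;

EndFunction
```

Keeping the privileged section this narrow, and returning only a Boolean from it, limits what a user without the "Read" right can learn through the function.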

Well, enough theory, let's make a small example of working with rights.

Create a new 1C configuration, in it create one catalog "Customers":

Customers 

Now create three roles: "FullRights", "ViewOnly" and "CatalogNotVisible":

Three roles 

For each of these roles, let's define the access rights to the catalog "Customers".

The role "FullRights" has full access to the catalog "Customers":

Access to the catalog

The "ViewOnly" role allows you to only view the catalog "Customers", but you cannot change it:

Only view the catalog

And the last, third role "CatalogNotVisible" doesn't see the catalog "Customers":

CatalogNotVisible

Also create three users: "Admin", "ViewOnly" and "Can't see anything":

Three users

Assign an appropriate role for each user:

Role for each user

View only Role 

Catalog not visible Role 

Now run 1C under the user "Admin" and fill in the catalog Customers. As you can see, the catalog is entirely at our disposal. We can add new items, delete old ones, etc:

New items 

Then start 1C under the user "ViewOnly" and open the catalog "Customers". Please note that now we can't change the catalog, we can't add a new element to it. The only thing that is available to us is viewing:

New items: View only 

And now run 1C under the user "Can't see anything". As one would expect, in this case, the user doesn't even see the catalog Customers:

Can't see anything

As this example shows, roles allow the developer to configure user rights flexibly.

But now let's assume that in 1C we conduct accounting for several companies at once. Is it possible to make the employees of the first company see only their customers (or suppliers), and the employees of another company see only their customers?

The answer to this question is yes. And there are two options for how to do it.

In the next article, we will talk about it.

You can download this Example for your own application.

If you have any questions about this article, you can always get answers on our forum: https://1c-dn.com/forum/
