Record level security and ALLOWED query clause for information register

Common questions about 1C:Query language, Query builder tool and Data composition schema

#1
Active user
Rating: 6
Joined: Sep 16, 2011
Company: TLG Integration

Hello! I'm trying to understand record level security. I have created a Files catalog with a CreatedBy attribute as a reference to the Users catalog, and a ReadOwnFiles role.
In this role, for the Files catalog I checked all rights except Interactive delete. In Data access restrictions for the Read right I added a row where I left Margins at the default and filled Access Restriction with this query:

Code
WHERE CreatedBy = &CurrentUser

Next I added a CurrentUser session parameter as a reference to the Users catalog. I use some demo data, so it does not matter which value is in this session parameter; I use predefined values for testing purposes.
It works fine: I can create, read and edit files for the current user only.

After that I added a FileVersions non-periodic information register with a File dimension as a reference to the Files catalog and Version as a Number. The resource is Data of ValueStorage type.
In the records list of this register I can see all records, including ones for restricted files, except that I see their IDs instead of descriptions.
To solve this problem I added a custom list form with the ALLOWED clause in the dynamic list custom query:
Code
SELECT ALLOWED
   InformationRegisterFileVersions.File,
   InformationRegisterFileVersions.Version
FROM
   InformationRegister.FileVersions AS InformationRegisterFileVersions


But it still displays records with references to restricted Files catalog items. What am I doing wrong?

 
#2
Timofey Bugaevsky
Guest


First, when you apply restrictions for reading but do not apply restrictions for inserting, updating or deleting, it causes unexpected behaviour, like when you add an item to the catalog and cannot see it. In your case, if you try to add a Files catalog item for another user, you will add it, but the system will display a message: The user doesn't have appropriate rights to execute a database operation. So you should set restrictions for the Read, Insert, Update and Delete rights.

Second: the ALLOWED clause works for metadata objects with RLS, so you need to add restrictions for your information register. For example, like the following:

Code
WHERE File.CreatedBy = &CurrentUser

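An added example (not code from either post) that checks whether the register restriction from the answer above is actually in effect. It assumes the restriction text `WHERE File.CreatedBy = &CurrentUser` has been set for Read, Insert, Update and Delete on InformationRegister.FileVersions, that the CurrentUser session parameter is set, and that the function and procedure names are hypothetical.

```bsl
// Added example, not from the original thread. Runs the FileVersions query
// with or without ALLOWED so the two behaviours can be compared:
//   - with ALLOWED the platform silently drops rows the restriction hides;
//   - without ALLOWED the same query raises an access violation as soon as
//     the restriction would remove at least one row.
&AtServer
Function VisibleFileVersions(UseAllowed)
    Query = New Query;
    Query.Text =
    "SELECT
    |   FileVersions.File AS File,
    |   FileVersions.Version AS Version,
    |   FileVersions.File.CreatedBy AS CreatedBy
    |FROM
    |   InformationRegister.FileVersions AS FileVersions";
    If UseAllowed Then
        Query.Text = StrReplace(Query.Text, "SELECT", "SELECT ALLOWED");
    EndIf;
    Return Query.Execute().Unload();
EndFunction

&AtServer
Procedure CheckFileVersionsRestriction()
    // Every row visible through ALLOWED must belong to the current user
    // (assumed session parameter). Any other row means the register itself
    // has no restriction yet and only the Files catalog is protected.
    Allowed = VisibleFileVersions(True);
    For Each Row In Allowed Do
        If Row.CreatedBy <> SessionParameters.CurrentUser Then
            Raise "Register restriction missing: file " + String(Row.File)
                + " of another user is visible";
        EndIf;
    EndFor;

    // Without ALLOWED the access violation is expected whenever the
    // restriction hides at least one row; log it rather than fail.
    Try
        All = VisibleFileVersions(False);
        // No exception: the restriction filtered nothing for this user.
    Except
        // Message: The user doesn't have appropriate rights to execute
        // a database operation.
        WriteLogEvent("FileVersions.RestrictionCheck",
            EventLogLevel.Information, , , ErrorDescription());
    EndTry;
EndProcedure
```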
 
#3
Active user
Rating: 6
Joined: Sep 16, 2011
Company: TLG Integration

I understand, thank you!

 