Scope: managed applications, ordinary applications.
1.1. If different infobase access rights are assigned in a configuration, use roles to configure access. Roles are created by configuration developers to restrict access of users to data.
1.2. In the simplest case, roles in a configuration can directly correspond to positions held by users (CEO, Accountant, Warehouse supervisor, and other).
To provide more flexible access rights, roles can correspond to more specific functions. Sets of these functions form sets of access rights of particular user groups. In this case, several roles are assigned to users (for example, ReadProductionDocuments, InsertUpdateWarehouseDocuments, ReadMasterData, and so on). To facilitate administration, we recommend that you provide standard role combinations in a configuration (for example, predefined profiles for CEO, accountant, warehouse supervisor). You can take advantage of the Access Management subsystem from Standard Subsystems Library.
2. Make sure your configuration includes the following required roles for administering the infobase and interactively opening external reports and data processors:
FullAccess ("Full access" synonym), SystemAdministrator ("System administrator" synonym), and InteractiveOpenExternalReportsAndDataProcessors ("Open external reports and data processors interactively" synonym).
2.1. FullAccess is a required role, which grants unrestricted access to application data of the infobase but does not allow the infobase administration as such (configuration update, Designer access, and other).
This role must do the following:
- It can be used separately and assigned to users.
- Grant unrestricted access to area data (separated data), except for the interactive deletion right (see also cl. 5).
- Allow to administer a data area (administer users, set up the application, delete marked objects, and so on).
- Include the following rights:
- Data administration
- Active users
- Event log
- Exclusive mode
- Thin client
- Web client
- Save user data
- Output
If a configuration is used in SaaS, the FullAccess role is assigned to subscriber administrators (data area administrators).
If a configuration is used in the hosted mode, the FullAccess role is assigned to users along with the SystemAdministrator role as infobase application and system administration functions are combined in this mode.
2.2. SystemAdministrator is a required role, which grants additional rights to administer the whole infobase (configuration update, Designer access, and other).
This role must do the following:
-
It can be assigned only together with the FullAccess role.
-
Provide unrestricted access to all shared data of the infobase.
-
Contain all object access rights, except for the interactive deletion right. See cl. 5 below.
-
Include all the rights to the configuration root (in particular, Administration and Data administration), except for Interactive open external reports and Interactive open external data processors.
2.3. InteractiveOpenExternalReportsAndDataProcessors is a required role, which grants additional rights to open external reports and data processors in the File – Open menu.
This role must do the following:
- Include rights to the configuration root (Interactive open external reports and Interactive open external data processors).
If a configuration is used in the hosted mode, the InteractiveOpenExternalReportsAndDataProcessors role is assigned to administrators. For security reasons, this role can be restricted by the administrator.
In SaaS, SystemAdministrator, FullAccess, and InteractiveOpenExternalReportsAndDataProcessors roles are assigned to SaaS administrators.
2.4. FullAccess, SystemAdministration, and InteractiveOpenExternalReportsAndDataProcessors roles are assigned as main configuration roles (DefaultRoles property).
3. Roles to set up general infobase rights. If it is required to set up general infobase rights in a configuration (such as "Thin client", "Thick client", "Interactive open external data processors", and other), define separate roles in the configuration to grant these rights. These roles are not used separately, assign them only together with other configuration roles.
A configuration must be accessible both if these roles are assigned or any of them is not assigned to a user.
3.1. Administration grants "Administration", "Data administration", "Administration of configuration extensions", and "Active users" rights.
3.2. OuputToPrinterFileClipboard grants the Output right.
3.3. StartAutomation grants the Automation right.
3.4. StartWebClient grants the "Web client" right.
3.5. StartExternalConnection grants the "External connection" right.
3.6. StartThickClient grants the "Thick client" right.
3.7. StartThinClient grants the "Thin client" right.
3.8. InteractiveOpenExternalReportsAndDataProcessors grants "Interactive open external data processors" and "Interactive open external reports" rights.
3.9. UpdateDatabaseConfiguration grants the "Update database configuration" right.
3.10. ViewEventLog grants the "Event log" right.
3.11. AllFunctionsMode grants the "All functions mode" right. This mode is designed only for developers or deployment specialists. Make sure users have access to required objects without using this mode. For example, all standard data processors (delete marked objects, manage totals and aggregates, and other) must be accessible to users in the application interface.
3.12. SaveUserData grants the "Save user data" right. We recommend that you grant this role to all user categories. The exceptions are cases when it is required to explicitly restrict access to user interface or other personal settings. This mode might be required for external or temporary users (respondents, auditors, and other) or several users operating under a single account.
Make sure the configuration is accessible to users without the SaveUserData role. A configuration accesses the following from code:
- User settings (saves and imports data from various settings storages: CommonSettingsStorage, ReportsOptionsStorage, FormDataSettingsStorage, ReportsUserSettingsStorage, SystemSettingsStorage).
- User operation records (UserOperationsHistory) and favorites (UserFavorites).
- User report settings (the SetCurrentUserSettings method of the managed form extension for reports).
In this case, if a user is not granted the SaveUserData right, this code must be skipped not to affect main user scenarios. If user interfaces or form items to manage user settings are available in the configuration (history of entered values, "Remember my choice" check boxes, and other), they must not be available to users without the SaveUserData right.
If you use Standard Subsystems Library in the configuration, use the CommonSettingsStorageLoad and CommonSettingsStorageSave functions of the Common common module.
See also: Operations with user settings
4.1. If some users require temporary or permanent unrestricted access to infobase data, provide dedicated roles in the configuration. For example, temporary access to auditors or permanent access to company CEO.
4.2. In the simplest case, when configuration roles correspond to positions held by the users (CEO, Accountant, Warehouse supervisor, and other), add a separate ViewOnly role.
The ViewOnly role includes Read, Use, View and Input by string rights (if applicable) for most metadata objects. The exception is the data, which is never displayed to users and used in configurations for internal reasons. Such data is always accessed in the privileged mode.
4.3. In configurations, in which roles correspond to separate minor functions whose sets form sets of rights assigned to user categories, we recommend that you grant users combinations of roles, which grant read-only access (for example, ReadProductionDocuments, ReadWarehouseDocuments, ReadCashDocuments). We recommend that you provide standard combinations of such roles in the configuration (for example, ready-to-use profiles for auditors, company owners).
To grant such users unrestricted access to infobase data, disable access restriction conditions at the record level (RLS).
5. Make sure the following rights are not assigned in any roles, including FullAccess and SystemAdministrator (except for reasonable cases):
- Interactive deletion
- Interactive deletion of predefined data
- Interactively setting a deletion mark for predefined data
- Interactively clearing a deletion mark for predefined data
- Interactive deletion of marked predefined data
We recommend that you grant the deletion right in the FullAccess and SystemAdministrator roles only.