1C 8 infobase users and infobase management

Information security, like information protection, is a complex task: it aims to keep information secure and is carried out by putting a security system in place. The problem of information security is multifaceted and covers a number of important tasks.

The problems of information security are constantly aggravated as technical means of data processing and transmission penetrate all spheres of society; the problem is especially acute for financial accounting systems. The most popular system for accounting, sales management and CRM processes in Russia is 1C:Enterprise.

Let's consider potential security threats when using the 1C program.

Using 1C with databases in file format. 1C file databases are the most vulnerable to physical impact. This is due to the architectural features of this type of database: all configuration files and the database files themselves must be kept open, with full access, to every operating system user who works with the database. As a result, any user who has the right to work in a 1C file database can, in theory, copy or even delete the infobase with two mouse clicks.

Using 1C with databases in DBMS format. This type of problem arises when a DBMS (PostgreSQL, MS SQL) is used as storage for 1C databases and a 1C:Enterprise server acts as the intermediary between 1C clients and the DBMS. Here is an example: many companies modify 1C configurations to suit their needs. In the course of such refinement, amid project "fuss" and constant testing of new, improved functionality, the responsible specialists often neglect the rules of network security.
As a result, individuals who have direct access to the DBMS or administrator rights on the 1C:Enterprise server, even for a temporary test period, can either back the database up to external resources or delete it from the DBMS entirely.

Openness and accessibility of server equipment. If server equipment can be reached without authorization, company employees or third parties can use this access to steal or damage information. Simply put, if an attacker gains direct access to the physical server and its console, the range of his capabilities expands tenfold.

Risks of theft and leakage of personal data. Here, current threats to the security of personal data are understood as the set of conditions and factors that create a present danger of unauthorized, including accidental, access to personal data during their processing in an information system, for example by responsible employees, PC operators, accounting staff, etc.
This may result in the destruction, modification, blocking, copying, provision or distribution of personal data, as well as other unlawful actions by responsible persons.

Network security. An enterprise information system built in violation of GOST, security requirements and recommendations, or lacking proper IT support, is riddled with holes, viruses, spyware and backdoors (unauthorized entry points into the internal network), which directly affects the safety of corporate data in 1C. This gives an attacker easy access to commercially sensitive information; for example, an attacker can exploit unrestricted access to backup copies and the absence of a password on backup archives for personal gain, not to mention plain damage to the 1C database by viral activity.

Relationship between 1C and external systems. Another potential threat is the need (and sometimes a specially marketed feature) for the 1C accounting database to communicate with the "outside world": uploads and downloads for client-bank systems, information exchange with branches, regular synchronization with corporate websites, portals and other reporting programs, client and sales management, and much more. Since compliance with security standards and uniformity of network data exchange are not encouraged in this area of 1C, a leak is quite possible at any point along the route.
As a result of non-standard improvements to process automation, or of budget cuts for the measures needed to protect traffic, the number of vulnerabilities, holes, insecure connections, open ports, easily accessible unencrypted exchange files, etc. in the accounting system grows instantly. One can readily imagine what this could lead to, from a simple outage of the 1C database for some time to a forged payment order for several million.

What can be proposed to solve such problems?

1. When working with 1C file databases, it is imperative to implement a number of measures to ensure the security of the databases:

  • Using NTFS access restrictions, grant the necessary rights only to those users who work with this database, thereby protecting it from theft or damage by unscrupulous employees or an attacker;
  • Always use Windows authorization to log into user workstations and access network resources;
  • Use encrypted disks or encrypted folders, which keep confidential information protected even if the 1C database files are taken away;
  • Establish an automatic screen-locking policy, and train users so they understand the need to lock their sessions;
  • Differentiation of access rights at the 1C level allows users to access only the information for which they have the appropriate rights;
  • Allow the launch of the 1C configurator only to those employees who need it.

2. When working with 1C databases in a DBMS, pay attention to the following recommendations:

  • Credentials for connecting to the DBMS should not have administrative rights;
  • It is necessary to differentiate access rights to DBMS databases, for example by creating a separate account for each infobase, which minimizes data loss if one of the accounts is compromised;
  • It is recommended to limit physical and remote access to database servers and 1C:Enterprise servers;
  • It is recommended to use database encryption; this protects confidential data even if an attacker gains physical access to the DBMS files;
  • Encrypting backups or protecting them with a password is another important measure;
  • It is mandatory to create administrators for the 1C cluster as well as for the 1C server, since by default, if none are created, absolutely all users of the system have full access to the infobases.

3. Requirements for ensuring the physical security of server equipment (according to GOST R ISO/IEC TO 13335):

  • Access to areas where sensitive information is processed or stored must be controlled and limited to authorized persons only;
  • Authentication controls, such as an access control card plus a personal identification number, must be used to authorize and confirm any access;
  • An audit trail of all access must be kept in a secure location;
  • Personnel of third-party support services should be given limited access to security areas or facilities processing important information only when required; this access must be authorized and monitored at all times;
  • Access rights to security areas should be regularly reviewed and updated, and revoked if necessary;
  • Relevant safety and health regulations and standards must be taken into account;
  • Key equipment must be located so as to avoid access by the general public;
  • Where applicable, buildings and rooms should be unassuming and should give minimal indication of their purpose, with no prominent signage, outside or inside the building, indicating the presence of information processing activities;
  • Signs and internal telephone books indicating the locations of sensitive information processing facilities should not be readily available to the general public.

4. Confidentiality of personal data. The main goal in organizing the protection of personal data is to neutralize the current threats in the information system defined by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", by a list of state standards and by the requirements of international IT security certifications (GOST R ISO/IEC 13335 2-5, ISO 27001). This is achieved by limiting access to information by type, delimiting access by user role, and structuring the process of processing and storing information.
Here are some key points:

  • The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate purposes;
  • Consent to the processing of personal data must be specific, informed and conscious;
  • Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted;
  • Only personal data that meets the purposes of their processing are subject to processing;
  • Operators and other persons who have access to personal data are obliged not to disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law;
  • Photographic, video, audio or other recording equipment such as cameras on mobile devices, should not be allowed unless authorized;
  • Drives with removable media should only be permitted if there is a business need for it;
  • To prevent malicious actions against confidential information, paper and electronic information media should be stored in appropriate locked cabinets and/or other secure furniture when not in use, especially outside working hours;
  • Media containing important or sensitive proprietary information should be put away and locked away (for example, in a fireproof safe or cabinet) when not required, especially when the area is unoccupied.

5. Network security is a set of requirements for the infrastructure of an enterprise's computer network and for the policies for working in it, the implementation of which protects network resources from unauthorized access. Among the recommended actions for organizing and ensuring network security, in addition to the basic ones, the following can be considered:

  • First of all, the company must implement a unified information security regulation with appropriate instructions;
  • Users should be denied access to undesirable sites, including file hosting services, as much as possible;
  • From the external network, only those ports that are necessary for the correct operation of users should be open;
  • There must be a system for comprehensive monitoring of user actions and prompt notification of violations of the normal state of all publicly available resources, the operation of which is important for the Company;
  • A centralized anti-virus system with policies for cleaning and removing malware;
  • Availability of a centralized system for managing and updating anti-virus software, as well as policies for regular OS updates;
  • The ability to run removable flash media should be limited as much as possible;
  • The password must be at least 8 characters long, contain numbers, and upper and lower case letters;
  • There must be protection and encryption of key information exchange folders, in particular 1C exchange files and the client-bank system;
  • Power and long-distance communication lines included in information processing facilities should be underground where possible or be subject to adequate alternative protection;
  • Network cables must be protected from unauthorized interception or damage, for example by using a cable conduit or avoiding routes through publicly accessible areas.

Summarizing all of the above, I would like to note that the main rules for protecting information are limiting the rights and capabilities of users, as well as control over them when using information systems. The fewer rights a user has when working with an information system, the less chance there is of information leakage or damage due to malicious intent or negligence.


A comprehensive solution for protecting enterprise data, including 1C databases, is the "Server in Israel" solution, which contains up-to-date tools for ensuring a high level of confidentiality of information.


- Vasya, starting from today you are creating users!
- But I'm a programmer, not a system administrator?!
- System administrators don't know 1C, so you will create users!
- Aaaah!!!

A programmer is a person who writes programs for a computer. However, managing the list of users in 1C is usually entrusted to someone associated with 1C, namely a 1C programmer.

In principle, some programmers are not against it, since it gives them some “privileges”.

Nevertheless, the list of users in 1C differs little from the lists of users in other programs. Therefore, creating a new user or disabling an existing one is as easy as pie.

1C users

So, 1C has its own list of users. It is used to regulate access to the 1C database. When entering the database, 1C will ask you to select a user from this list and enter a password.

There are setups in which 1C does not ask for a username at login. This does not mean the user list is bypassed: in this case the user from the list is mapped to a Windows/domain user and is identified automatically.

The only option when 1C does not really prompt the user is when creating a new (empty) database. In this case, the list of 1C users is empty. Until the first user is added, 1C will log in automatically. A similar system is used in Windows when there is one user without a password.

1C users differ from each other:

  • Access rights
  • Interface (presence of items in the menu).

There is no “superuser” or “administrator group” as such. An administrator is a user who has all configuration rights and administration rights enabled. In an empty database (when the list of users is still empty), this particular user should be added first.

Two lists of 1C users

In fact, 1C has two lists of users. One of them (the list of 1C users) is “real” from the programmer’s point of view. It's in the configurator. It is by this that 1C identifies the user.

This is the approach of old standard configurations (for example, trade management 10, accounting 1.6, etc.) - users are edited in this list, and are automatically included in the user directory upon first login.

The second (users of version 1C 8.2, “not real”) is the users directory (and the external users directory, as in UT 11). The directory existed before, but the approach of the new standard configurations is that users are added to it, and are automatically included in the “real” list.

The main problem with this approach is that those who do not like working this way and want to do it the old way cannot, since certain fields are filled in during setup; if you add a user to the list in the configurator, the user will not be picked up automatically in the directory.

How to add a user to the list of 1C users

So, the list of 1C users is in the configurator: open it and choose the Administration/Users menu.

To add a user, you must press the add button (or Ins from the keyboard). If the list is now empty, then the first user must have administrative rights (see below).

  • Name – user name (which he will choose when logging into 1C)
  • Full name - the full name, for reference; it is not shown anywhere
  • Password
  • Show in selection list
    o if the checkbox is checked, the user will be in the selection list when logging into 1C
    o if the checkbox is not checked, then the user will not be in the selection list (that is, you cannot select), but you can enter his name from the keyboard and log in
  • Operating system authentication – can be associated with a Windows/domain user and this user will not need to enter a password (will log in automatically).

On the Other tab, you select rights and basic user settings.

  • The main interface is a menu that will be available to the user (used only in the thick client)
  • Language – Russian
  • [Main] Launch mode - thick or thin client; with this parameter you can open a thin-client configuration in the thick client and vice versa
  • Available roles (user rights).

User rights in configurations are usually divided into blocks ("roles"). In the approach of the old configurations, they were broken down by user position (cashier, manager, etc.). This approach has a disadvantage: in different organizations the cashier and the manager may have different functions.

Therefore, in the approach of the new configurations, they are divided by action (access to closing the month, access to cash transactions). That is, a set of operations is defined for each user.

In both cases there are basic access rights to enter the program. In the old approach it's:

  • User
  • Full Rights (for administrator).

In the new approach it is:

  • Basic Rights
  • BasicRightsUT
  • LaunchThinClient – plus LaunchXxxClient for launching the other clients
  • SubsystemXxx – a check mark for each subsystem (tab in the interface) that the user needs
  • Full Rights (for the administrator, not Administration!).

PS. For external users, basic rights are not required.

How to add a 1C user - 1C 8.2 users

The list of 1C 8.2 users in the new version is located in 1C (in 1C Enterprise mode), in the Users and External Users directories (only if the configuration supports it). The difference is that you must create users not in the configurator, but in this directory, and they will get into the configurator automatically.

If you are using a thin client, then see the Administration desktop tab. Otherwise, open the Users directory, for example, through the Operations menu.

Click the Add button (or Ins from your keyboard). To be able to manage the list of users, you must have Full Rights enabled.


Unlike the first approach, here you do not directly indicate each right (role) to the user, but indicate groups of rights (user groups).

The User Groups directory contains a profile that defines a set of rights (roles). In the User Group Profiles directory, you can change or add such sets of rights (roles).

1C user settings

In some configurations (especially in the old approach configurations) it is not enough to create a user. Additionally required:

  • Log in as a user for the first time
  • After that, find the user in the user directory
  • In the directory form, open one of the following (depending on the configuration):
    o Menu Go/User Settings
    o Menu Additional Information/User Settings and Advanced User Rights
    o In some configurations this is a sign directly on the user form
    o In some configurations, the global menu of the program Tools/User Settings
  • Configure additional settings/user rights that determine auto-filling of fields and some accesses.

How to disconnect a 1C user

[Temporary] user disconnection is not provided in most configurations. Here are variations that can be used to achieve this result.

Configurations of the old approach (via the configurator):

  • Delete user
  • Change password
  • Remove the User role (will not be able to log in).

New Approach Configurations (via Enterprise):

  • Uncheck "Access to infobase allowed"
  • Change password
  • Remove from all access groups.

Active 1C users

1C allows you to find out the list of users who are currently in the database.

To do this, in Enterprise mode, select the Tools/Active Users menu (thick client, administrative interface). In the thin client - the Administration tab, on the left Active users (may be in See also).

In Configurator mode, select the Administration/Active Users menu.

Disabling 1C users

As you know, in order to update the database (configuration) it is necessary that all users log out of 1C (not in all cases, but often required).

Users don’t like to leave (this is a fact). And if you ask them over the phone, they will definitely log in again within 30 seconds. When there are 200 users, it becomes a very fun event.

Therefore, there are three ways to disconnect users from 1C:


The "Users" directory is intended to store the list of users. These are mainly users working with the configuration (infobase users).


Identification of an infobase user with a directory user is performed by matching the infobase user name with the directory user name.


Editing additional information is done through the "Additional information" submenu.


Additional information is only available in the regular application.

  • User Settings - allows you to change user settings
  • Contact information - allows you to change contact information, which is used when the user interacts with clients and when working with built-in email
  • User groups - allows you to change the groups the user belongs to
  • Additional rights - allows you to change additional user rights


Only the User Administrator can create, edit and delete users.

Creating infobase users

Infobase users can be created in configurator mode or in enterprise mode.


Managing the properties of infobase users in enterprise mode is preferable to managing users directly through the configurator.


A user's authority is determined by their roles and additional rights.


Permissions can be assigned using profiles.


Record-level access rights are determined by the user groups that users belong to.

2009

Section "Modernization of management, financial and economic mechanisms at different levels of the education system using 1C technologies"

"25. Methods and means of ensuring information security in the 1C:Enterprise 8.1 system" (P.B. Khorev, Russian State Social University (RGSU), Moscow)


The constant development of information technologies and systems leads, unfortunately, to the exacerbation of old problems and the emergence of new ones. One of these problems is the problem of information protection - reliable provision of its safety and established status of use. Therefore, ensuring the security of information and information processes is a mandatory function of modern information systems.

The main methods of protection against unauthorized access to information system objects are

  • identification and authentication of users of information systems and processes activated by them;
  • authorization of subjects (determining the subject's access rights to an object with confidential information);
  • audit of events related to the security of the information system.

This report will discuss the methods and means of ensuring information security available in the 1C:Enterprise 8.1 system.

The database administrator in the 1C:Enterprise 8.1 system can create and then edit the list of users allowed to work with the system. When adding a new user (initially the list is empty), the following properties of the new user account are specified on the "Basic" tab:

  • the name under which the user will be registered in the system;
  • full name (it is advisable to use this property to specify the last name, first name and patronymic, position and department of the employee of the organization in which the system is used);
  • "1C:Enterprise" authentication flag (when this checkbox is checked, a user attempting to log into 1C:Enterprise is identified and authenticated by the system itself);
  • user password, which must be entered for the user to be identified by 1C:Enterprise;
  • confirmation of the user password (required to rule out a typing error, since the password characters are replaced by * symbols when entered);
  • a flag prohibiting the user from changing his password when authenticated by 1C:Enterprise;
  • a flag indicating that the user name is shown in the list when logging in with 1C:Enterprise authentication;
  • Windows authentication flag (when this flag is enabled, a user attempting to log into 1C:Enterprise is identified by the name under which the Microsoft Windows session is running, and the 1C:Enterprise user list is searched for the entry associated with that "current" Windows user);
  • the Windows user name associated with this 1C:Enterprise user when Windows authentication is used (the name can be specified in the format \\domain name\user account name or selected with the corresponding button from the list of local and global accounts known to this computer).

The database administrator can, using the infobase parameter settings, set the minimum length of system user passwords (if the “Checking the complexity of user passwords” checkbox is selected, then the minimum length of passwords cannot be less than 7 characters) and require that user passwords meet the complexity conditions, meeting the requirements for the complexity of Windows user passwords (in addition, the password must not be a sequence of characters).
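The policy described in the preceding paragraph, modelled in Python as an added example (this is not 1C code and not the platform's own check): a password passes only if it meets the minimum length (at least 7 characters when complexity checking is on), contains characters from at least three of four classes, does not contain the user name, and is not a simple character sequence. The "three of four classes" and "does not contain the user name" rules are the Windows complexity requirements the paragraph refers to, applied here as assumptions; treating "a sequence of characters" as a run of identical or consecutive characters is also an assumption.

```python
"""Added example: a model of the infobase password policy described on the page."""

# From the page: with complexity checking on, the minimum length cannot be below 7.
MIN_LENGTH_WITH_COMPLEXITY = 7


def _is_character_sequence(password: str) -> bool:
    """Assumption: a 'sequence of characters' is a run of identical characters
    ('aaaaaaa') or of consecutive code points in either direction ('abcdefg', '7654321')."""
    if len(password) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def _character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, other) are present."""
    present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # punctuation and other symbols
    ]
    return sum(present)


def check_password(password: str, user_name: str, *,
                   check_complexity: bool = True,
                   min_length: int = MIN_LENGTH_WITH_COMPLEXITY) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    `min_length` is the administrator's infobase setting; when complexity checking
    is enabled it is raised to at least MIN_LENGTH_WITH_COMPLEXITY, as the page states.
    """
    problems = []
    effective_min = max(min_length, MIN_LENGTH_WITH_COMPLEXITY) if check_complexity else min_length
    if len(password) < effective_min:
        problems.append(f"shorter than {effective_min} characters")
    if check_complexity:
        # Windows-style complexity, applied here as an assumption about the rule set
        if _character_classes(password) < 3:
            problems.append("uses fewer than 3 of 4 character classes")
        if user_name and user_name.lower() in password.lower():
            problems.append("contains the user name")
        if _is_character_sequence(password):
            problems.append("is a simple character sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and user name, not taken from any real system
    for candidate in ("abcdefg", "7654321", "Ivanov2024", "Kassa-2009!"):
        verdict = check_password(candidate, "ivanov") or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The check returns every violated rule rather than stopping at the first one, so an administrator explaining a rejection to a user can cite all of them at once.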

The most secure way to authenticate users logging into 1C:Enterprise is to combine 1C:Enterprise and Windows authentication. In this case, it is advisable to uncheck the "Show in selection list" checkbox in the "1C:Enterprise authentication" property group, and in the Windows security settings to enable minimum length and complexity requirements for passwords, limit their maximum validity period, enforce password history and a minimum validity period, and set a threshold for the counter of unsuccessful Windows logon attempts.

To force the 1C:Enterprise user authentication dialog to be displayed (when the Windows authentication checkbox is enabled), start 1C:Enterprise with the command-line parameter /WA+.

It must be borne in mind that the list of users of the 1C:Enterprise system is not part of its configuration, but is created separately for each organization in which this system is installed.

A role in the 1C:Enterprise system is a set of access rights to various database objects. Typically roles are created for individual job responsibilities, and each user of the system can be assigned one or more roles. If a user is assigned several roles, then granting him access to a database object will be done as follows:

  1. If at least one of the roles assigned to the user allows the requested access, then it is granted to the user.
  2. If all roles assigned to a user do not allow appropriate access, the requested access is not granted.

To create and edit roles, use the 1C:Enterprise system configurator. During the configuration creation process, a set of standard roles is created, which can then be edited.

When creating or editing a role, a window with two tabs is used - “Rights” and “Restriction Templates”. The “Rights” tab contains a hierarchical structure of configuration objects for all subsystems and a list of access rights applicable to the selected object (to enable a right, you must select the corresponding “checkbox”).

In the 1C:Enterprise system, there are two types of rights - basic and interactive. Basic rights are checked whenever accessing information system objects. Interactive rights are checked when performing interactive operations (for example, viewing and editing data in a form).

The 1C:Enterprise system allows checking access rights using the built-in language. For example, when adding new commands to a form, the developer must additionally check that the user has the appropriate interactive rights.

When editing a role, it is necessary to take into account the inheritance (hierarchy) of rights: when canceling a “parent” (“senior”) right, its “child” (“junior”) rights are also canceled, and when installing a “child” right, its “parent” right is also established. For example, when you cancel the View right, the Edit right of the corresponding object is also canceled.
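Rules 1 and 2 above (a user's access is the union of the access allowed by his roles) and the View/Edit inheritance just described, modelled in Python as an added example; this is not 1C code, and the role and object names (Cashier, Accountant, CashDocument, NewReport) are constructed for illustration. Only the View -> Edit parent/child pair comes from the page; the PARENT table can be extended with other pairs known for a configuration. The rights_for_new_objects flag is an assumption about how the "Set rights for new objects" checkbox behaves.

```python
"""Added example: union-of-roles access check and right inheritance as described on the page."""
from collections import defaultdict

# Parent ("senior") right for each child ("junior") right. Only View -> Edit is
# stated on the page; extend this table for other known pairs.
PARENT = {"Edit": "View"}


def _descendants(right):
    """All rights that directly or indirectly descend from `right` (excluding itself)."""
    found = set()
    frontier = {right}
    while frontier:
        parent = frontier.pop()
        children = {c for c, p in PARENT.items() if p == parent and c not in found}
        found |= children
        frontier |= children
    return found


class Role:
    """A named set of (object, right) grants, like a role edited in the configurator."""

    def __init__(self, name, rights_for_new_objects=False):
        self.name = name
        self.rights = defaultdict(set)  # object name -> granted rights
        # Assumption: models the "Set rights for new objects" checkbox
        self.rights_for_new_objects = rights_for_new_objects

    def grant(self, obj, right):
        """Setting a child right also sets its parent (Edit implies View)."""
        while right is not None:
            self.rights[obj].add(right)
            right = PARENT.get(right)

    def revoke(self, obj, right):
        """Cancelling a parent right also cancels all of its child rights."""
        self.rights[obj] -= {right} | _descendants(right)

    def allows(self, obj, right):
        return right in self.rights.get(obj, set())


def has_access(user_roles, obj, right):
    """Rule 1: any assigned role allowing the right grants it. Rule 2: otherwise it is denied."""
    return any(role.allows(obj, right) for role in user_roles)


def add_configuration_object(all_roles, obj, rights):
    """A new object is added to the configuration: roles with the
    'Set rights for new objects' flag receive the listed rights automatically."""
    for role in all_roles:
        if role.rights_for_new_objects:
            for right in rights:
                role.grant(obj, right)


def demo():
    """Walk through the page's rules on constructed roles; returns the observed outcomes."""
    cashier = Role("Cashier")
    cashier.grant("CashDocument", "View")
    accountant = Role("Accountant")
    accountant.grant("CashDocument", "Edit")  # also sets View
    full_rights = Role("FullRights", rights_for_new_objects=True)

    results = {
        "cashier_alone_edit": has_access([cashier], "CashDocument", "Edit"),
        "edit_implies_view": accountant.allows("CashDocument", "View"),
        "union_grants_edit": has_access([cashier, accountant], "CashDocument", "Edit"),
    }
    accountant.revoke("CashDocument", "View")  # cancels View and therefore Edit
    results["edit_after_view_revoked"] = accountant.allows("CashDocument", "Edit")

    add_configuration_object([cashier, accountant, full_rights], "NewReport", ["View", "Edit"])
    results["new_object_full_rights"] = full_rights.allows("NewReport", "Edit")
    results["new_object_cashier"] = cashier.allows("NewReport", "View")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The union semantics are what make role design matter: a single over-privileged role assigned alongside restrictive ones silently widens the user's access, so reviewing each role in the "all roles" window described below is the practical check.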

Using the "Set rights for new objects" checkbox, you can have the edited role automatically receive access rights to configuration objects added later.

The following access rights can be set for the root configuration object:

  • administrative functions (includes opening the configuration, opening the list of users, setting up the log, updating the configuration and other administrative actions);
  • updating the database configuration;
  • monopoly (exclusive) mode;
  • active users (opening their list);
  • log (opening the log);
  • external connection (working with the system via a COM interface);
  • automation (working with the system as an automation server);
  • interactive opening of external processing;
  • interactive opening of external reports;
  • output (printing, saving, using the clipboard when working with the system).

For ease of administration, the 1C:Enterprise system provides a window for viewing and editing all roles created in this configuration. If for a certain role you need to revoke or set all access rights to the selected object, you can use the checkbox in the “All rights” row for the column with the name of the role being edited. If a certain access right needs to be revoked or set in all roles, you can use the checkbox in the row with the name of the corresponding right for the All Roles column.

To limit access to database objects at the level of individual fields and records, the 1C:Enterprise system provides a mechanism for restricting access to data (using rights to read, add, change and delete these objects). It is possible to set several access restrictions for the read right, and only one restriction for the remaining specified rights.

For each data access restriction by reading right, you can select a field by the value of which the access restriction condition will be checked, or specify “Other fields”, which will ensure that the condition for each field is checked.

The condition for restricting access to data can be defined using the designer or manually by creating and editing named access restriction templates on the “Restriction Templates” tab of the role editing window.

In order to facilitate the user's work and further limit his rights, the 1C:Enterprise system provides an interface mechanism. Using these objects, sets of main menu commands and toolbar elements are created that the user can work with. Using the main interface menu designer, the administrator creates a list of submenus and a list of commands for each submenu.

After defining the structure of the main menu, one or more toolbars can be added to the created interface. These panels can be located at the top, bottom, left and right in the 1C:Enterprise program window.

Note that after creating roles and interfaces, it is necessary to update the database configuration so that new users of the information system can be assigned the created roles and interfaces.

The events to be recorded in the 1C:Enterprise system log are specified by the administrator in the log settings. There you can also select the period after which the log is continued in a new file, and truncate the log before that period expires by deleting entries, optionally saving them to a file first.
