1C: displaying user roles from the configurator. Configuring roles, access rights and user interfaces

In order to differentiate access rights, in 1C 8.3 there are special configuration objects - roles. They can later be assigned to specific users, positions, etc. They indicate which configuration objects will be available. It is also possible to specify the conditions for providing access.

Roles are configured in the configurator. They can also be assigned to specific users, but for convenience, 1C has implemented a mechanism for access groups. In the user directory (“Administration - Setting up users and rights - Users”), open the card of any employee and click the “Access Rights” button. The interface may differ in different configurations, but the essence is the same.

You will see a list of entries in the “Access Group Profiles” directory. The checkboxes indicate those whose rights will be available to the user.

The directory of access group profiles (“Administration - Setting up users and rights - Access group profiles”) contains a list of roles that will be available to the user when assigned. Available profile roles are marked with flags.

Users often have the same sets of roles. Using this mechanism allows you to significantly simplify setting up rights by selecting access group profiles rather than the roles themselves.

Roles in the configurator (for programmers)

Roles indicate which objects will be available, and under what conditions, to the user to whom they are assigned. Open any role and you will see two tabs: Rights and Restriction Templates.

The first tab displays a list of configuration objects and the rights assigned to them for this role.

When allowing any actions to be performed with an object, it is possible to specify a restriction of access to data. This mechanism is called RLS and allows you to configure rights at the record level. It is quite interesting, but if used actively, performance may decrease.

At the bottom of the role form, you can configure the automatic setting of rights:

  • for new objects (permissive rights);
  • to details and tabular parts (rights are inherited from the owner object);
  • on subordinate objects (rights are assigned taking into account the rights on parent objects).

Rights can be assigned both to individual objects and to the entire configuration as a whole. In any role, on the “Rights” tab, select the item with the name of the configuration. All possible rights for it will be displayed on the right. These include program launch modes, “All functions”, administrative and other rights. When you click on any right, its description will be displayed below. There is nothing complicated here.

The rights settings for other configuration objects are similar: reading, adding, deleting, posting (for documents), managing totals (for accumulation and accounting registers) and others. It is important to note the “Interactive deletion” right here. If it is available, users will be able to physically delete data from the program (Shift + Delete). For important objects, granting this right is highly undesirable.

Programmatic access rights check

To check whether a user has a role, use the following function (`IsInRole` in the English syntax of the built-in language, `РольДоступна` in the Russian syntax):

  • IsInRole("System Administrator")

In the case when the role being checked is assigned to the user, the function will return the value “True”. Otherwise – “False”.

In order to perform any actions with an object that is not accessible, you can use the following method:

  • SetPrivilegedMode(True)

After enabling privileged mode, no rights checks are performed. After completing actions on inaccessible objects, you must call this method again with the “False” parameter to disable this mode. Remember that in the client-server version, when executed on the client, this method does not perform any actions.

To check whether the privileged mode is set, use the function (returns “True” or “False”):

  • PrivilegedMode()
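
A guarded use of the three functions above, as an added example that is not code from the original page. The role, catalog and attribute names are assumptions and the function name is hypothetical; `AccessRight` and `WriteLogEvent` are platform methods that the text does not mention.

```bsl
// Added example: server common module (hypothetical name AccessChecksServer).
// Assumed metadata: role "WarehouseOperator", catalog "Warehouses" with attribute "Keeper".

// Returns the keeper's name for a warehouse. Callers without the Read right on
// Catalog.Warehouses get the value through a narrowly scoped privileged read,
// but only if they hold the expected role.
Function WarehouseKeeperName(WarehouseRef) Export

    // 1. Decide explicitly who may trigger the elevated read and log refusals.
    If Not IsInRole("WarehouseOperator") Then
        WriteLogEvent("AccessChecks.ElevatedReadDenied", EventLogLevel.Warning,
            Metadata.Catalogs.Warehouses, WarehouseRef,
            "Caller does not hold the role WarehouseOperator");
        Raise "Insufficient rights to read warehouse data.";
    EndIf;

    // 2. Elevate only when needed: skip it if the code already runs in
    //    privileged mode or the caller can read the catalog anyway.
    NeedElevation = Not PrivilegedMode()
        And Not AccessRight("Read", Metadata.Catalogs.Warehouses);

    Query = New Query;
    Query.Text =
    "SELECT
    |    Warehouses.Keeper.Description AS KeeperName
    |FROM
    |    Catalog.Warehouses AS Warehouses
    |WHERE
    |    Warehouses.Ref = &Ref";
    Query.SetParameter("Ref", WarehouseRef);

    KeeperName = "";
    If NeedElevation Then
        SetPrivilegedMode(True);
    EndIf;

    // 3. Keep the privileged section to the single read and switch the mode
    //    off on the error path as well as on the normal path.
    Try
        Selection = Query.Execute().Select();
        If Selection.Next() Then
            KeeperName = Selection.KeeperName;
        EndIf;
    Except
        If NeedElevation Then
            SetPrivilegedMode(False);
        EndIf;
        Raise;
    EndTry;

    If NeedElevation Then
        SetPrivilegedMode(False);
    EndIf;

    Return KeeperName;

EndFunction
```

The function returns a single string rather than a reference or a selection, so nothing read in privileged mode leaves the function except the one value the caller is meant to see.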

User interface without access rights

If a user tries to perform an action in the program for which he does not have rights, a corresponding warning will be issued.

There are cases when a field displays “<Объект не найден>” with a GUID; the user may simply not have enough rights to read the value it contains. To test this theory, just look at the value of this field with full rights. If the inscription does not disappear, there is a possibility of a broken link.

The 1C program allows functional access to database documents and directories to be assigned to different users. For example:

  • If the user works as an accountant, then in 1C he is assigned the appropriate role, which allows him to add, change, delete documents and directories on business activities.
  • If a 1C user works only with reports and views database data, say a manager, then he is given rights to read data.
  • A user who can work with all objects of the 1C program - Administrator, has full rights and receives unlimited access to work with the database in 1C.

Access rights can only be configured by the Administrator, a 1C user who is assigned Full rights.

Setting access rights in 1C 8.3 Accounting 3.0

In 1C:Accounting 8, edition 3.0, there are 4 main profiles for working with the program:

  • Administrator;
  • Accountant;
  • Chief accountant;
  • Synchronization with other programs;
  • Read only.

To understand the principle of setting rights in 1C, let’s turn to the configurator. When analyzing configuration objects we will see a special branch Roles, where all possible accesses to database data specified by 1C developers are listed:

Each role corresponds to a set of capabilities for working with configuration objects, these are:

  • Reading;
  • Addition;
  • Carrying out;
  • Cancellation;
  • Editing;
  • Delete.

If you open a given role, you can view what can be done with each configuration object:

It is important to know that a 1C user can be assigned any set of roles from the list specified by the developers. At the same time, if in some role it is impossible to change an object, but in another role added to this user it is possible, then the resulting user rights will be “changeable”. The roles complement each other. To ensure that an object cannot be changed by the user, none of the roles assigned to him should have “Change”.
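
Because roles complement each other, a dangerous right such as “Interactive deletion” (discussed earlier) has to be checked against the combined roles of each user, not role by role. The following audit is an added example, not part of the original page; it relies on the platform's `InfoBaseUsers.GetUsers()` and on `AccessRight` called with a user or a role as its third argument, and the function name is hypothetical.

```bsl
// Added example: run on the server as a user with the Administration right.
// Returns a ValueTable with one row per (infobase user, document) pair for
// which the user's combined roles grant interactive deletion.
Function UsersWithInteractiveDelete() Export

    Result = New ValueTable;
    Result.Columns.Add("UserName");
    Result.Columns.Add("PasswordOrOSLogin");
    Result.Columns.Add("ObjectName");
    Result.Columns.Add("GrantingRoles");

    For Each IBUser In InfoBaseUsers.GetUsers() Do

        // Accounts with 1C:Enterprise and OS authentication switched off keep
        // their roles; record the flag so findings can be prioritised.
        PasswordOrOSLogin = IBUser.StandardAuthentication Or IBUser.OSAuthentication;

        For Each Doc In Metadata.Documents Do

            // With a user as the third argument the platform evaluates the
            // right across all roles of that user (the union of the roles).
            If Not AccessRight("InteractiveDelete", Doc, IBUser) Then
                Continue;
            EndIf;

            // Name the roles responsible, so that they can be corrected.
            Granting = New Array;
            For Each Role In IBUser.Roles Do
                If AccessRight("InteractiveDelete", Doc, Role) Then
                    Granting.Add(Role.Name);
                EndIf;
            EndDo;

            Row = Result.Add();
            Row.UserName = IBUser.Name;
            Row.PasswordOrOSLogin = PasswordOrOSLogin;
            Row.ObjectName = Doc.FullName();
            Row.GrantingRoles = StrConcat(Granting, ", ");

        EndDo;

    EndDo;

    Return Result;

EndFunction
```

Removing the right from one role closes the finding only if no other role in the `GrantingRoles` column still grants it.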

Setting up access rights in 1C 8.3 Accounting

Setting up access rights in 1C 8.3 is carried out in the Administration section – User and rights settings:

The User and Rights Settings window opens:

Let's consider the possibilities of setting up access in 1C.

How to create a new user in 1C 8.3

By default, the 1C program enables “Login to the program is allowed”, “Show in selection list” and login to the program using the login and password set in 1C. You can set the password yourself, or you can let the program suggest one. As a rule, the password suggested by the 1C program passes a stricter level of verification, and such a password is harder to guess when someone tries to break into the system.

You must remember the password! If the password is lost, only the Administrator can reset it again. If the passwords are lost and you cannot enter the database, you will have to “hack” the entrance to the database.

Specialists use a HEX editor for this and change the information responsible for working with users in the right places. This is possible, but not advisable.

How to set up access rights based on standard profiles in 1C 8.3

Each user (Administration – User and rights settings – Users) is assigned Access Rights from the list of profiles that is in the configuration. For example, assign the Accountant profile to accountant S.B. Petrova:

Here we can transfer settings to a new user from a user already working in 1C: Functionality settings, internal report settings, etc., so as not to waste time and type everything manually:

We mark the settings for transfer to the new user Accountant Petrova from the Administrator user:

Transferring personal settings, printing settings and Favorites:

Press the button. Select “Copy and close” in the settings selection form. All settings for a new user from the Administrator user have been transferred.

Setting up access rights with adding new profiles in 1C 8.3

We create a new profile with limited access to directories and documents. Access Group Profiles – Create:

It is convenient to create a new profile for 1C subsystems. For example, for the rights of the Accountant we can note the following functionality:

  • Reflection of salaries in accounting;
  • Reading taxes and contributions;
  • Mutual settlements with employees;
  • Personalized accounting;
  • Payroll accounting:

The “Only selected roles” button displays the list of selected user roles. Personnel accounting can be set separately for the HR profile.

How to configure additional access rights to existing standard profiles in 1C 8.3

You can add functionality to a specific 1C user with a selected profile. For example, for the user Petrova, the “All functions” command is not available in the Accountant profile, but we can add it for this user. Go to Administration – User and rights settings – Access group profiles. Create button – All functions mode – add the “All functions” mode right:

We add a new profile to accountant S.B. Petrova:

Setting up additional access rights to individual documents and directories in 1C 8.3

This setting is made using a configuration extension. Let's say you need to set up access for a 1C user to an arbitrary set of documents and reference books. The set of these documents and reference books may be different: 1C developers are not able to provide all the options for suitable roles that users may need in practice. Moreover, requests for access to data can be completely extraordinary.

In 1C 8.2 we had to remove the editing ban from the configuration and add a new role to the Roles objects, assigning access to the necessary directories and documents, and accordingly difficulties arose with the subsequent update of 1C. Such configurations were no longer automatically updated, so only users of organizations with 1C programmers on staff could afford such a pleasure.

In 1C 8.3, thanks to the new ability to work with configuration extensions, we can delimit user rights without removing the editing ban from the main configuration, leaving it completely standard. Let’s look at how to do this now:

  1. For the Users directory, let’s add an additional attribute “Access_Sale_Products”, which will take the values “Yes” or “No”.

Go to Administration – General settings – Additional details and information. We enable the ability to work with “Details and information with a general list of values”:

  2. Open the Additional details hyperlink.

In the left column of the list of configuration objects, find Users and click the Add button. Fill out the form that opens as shown below. The new attribute will have two values: “Yes” and “No”. Let's combine the values into the “Access” group. Fill out the Main tab:

Fill in the Values tab:

  3. Now let's fill in this attribute for our users.

“Accountant Petrova” – No:

"Administrator" – Yes:

All the necessary actions in the 1C 8.3 database are done; now we will work with the configuration extension.

  4. Enter the database configurator: Configuration – Configuration extensions:

We add a new configuration extension with the + button:

We agree with the default extension data or set our own:

Open the extension configuration using the button:

Now we will transfer the data necessary for work from the main configuration. The created configuration extension “Extension 1” is still empty:

In the main configuration, under Documents, we find the document Sales of goods and services and transfer the form we will work with. For example, let’s add “Product Document Form” to the configuration extension: right-click the name of the form and select the “Add to extension” command from the drop-down menu:

Open the form in the configuration extension and create a handler for the BeforeWrite (ПередЗаписью) event. When creating an event handler, the 1C 8.3 program will ask you to indicate where to create the program code. Select: Create on the client and a procedure on the server without context:

When the handler is created, the previously empty cell of the “BeforeWrite” event shows the event processing procedure assigned by the 1C 8.3 program: “Ext1_BeforeWrite”:

Go to the form module and insert the following program code:

We update the changes and run the database in user mode to check the changes made. Log in as the user Accountant Petrova, edit the document Sales of Goods and Services and click the Write button:

For the administrator, editing the document will be no problem.

The given program code can be placed in the 1C 8.3 configuration extension for any document and reference book, and this will allow you not to change the standard configuration, but at the same time solve the problem of access to database objects for different users.

It's time to talk about the differentiation of rights in 1C. Since our configuration has grown a little, it is advisable to differentiate the rights. To begin with, at least add an Administrator.

As an example, I will use the database that we created over the course of previous articles. You need to add the Administrator role to it, since at the moment any user can log in to it. We need to create a new user and a new role.

Adding a role in 1C

As I already said, you first need to create a new role. To do this, go to the configuration, find the Roles branch, right-click it and select Add. In the properties, we enter the role name: Administrator. Next you need to specify the rights. In the Role Administrator window, in the Role field, check all the boxes.

Now you need to set rights to configuration objects (View, edit). Since we are creating the Administrator role, we need to mark all configuration objects. To do this, click on the Actions item and select Set all rights.

In the future we will add various objects. So as not to edit the role every time we create new reference books, reports, documents, etc., check the “Set rights for new objects” checkbox at the bottom.

So we created the Administrator role. User roles are created in the same way, only in this case you will need to specify rights for each element.

Adding a user to 1C

After the role is created, you need to add the user. To do this, go to the Administration tab and select Users.

In the list of users window, click Add.

In the User window, write the name Administrator and check the box next to 1C Enterprise Authentication. Also, don’t forget about the Show in selection list item. This is necessary so that we don’t have to enter the username and enter the password every time.

Go to the Other tab and mark the Administrator role at the bottom, indicate the language and click OK.

Restart 1C and see what happens. If you did everything correctly, then 1C should ask for a login and password.

Well, that's it, we created a new role and created a new user.

Software products based on the 1C platform have many functions, both specialized and applied, that is, administrative. The core functionality (of course, depending on the purpose of the solution) concerns areas such as the purchase of goods, their sale, warehouse, operational and management accounting, accounting, CRM, and in the case of complex solutions - all together.

Naturally, one employee is not able to control all the business processes of an organization, even if they are automated. Therefore, 1C system administrators have to deal with tens and hundreds of users working with certain system functionality. Each of them has to set up special rights so that they have at their disposal all and only the documents, functions and reports they need at the same time. And here we begin to consider the applied or administrative functionality of 1C solutions, which specifically includes setting up user access rights.

User settings 1C 8.3

In 1C 8.3, special objects of the configuration structure - “Roles” - are responsible for user rights. Most typical configurations already have a certain list of standard roles created. You can use them when creating accounts and setting access rights for them. If the standard set does not suit you, then you can change it or add your own roles.

Each user can be assigned several roles that are responsible for specific rights. In order to configure 1C user rights, you need to find out what roles they currently have. This information can be obtained in two ways:

  • Through the configurator. This option is suitable for any configuration;
  • In some configurations through the "Enterprise" mode.

Launch your 1C database configurator under a user name with full rights and open the “Administration” -> “Users” menu. To find out the rights of a specific user, you need to double-click on the line with his last name and go to the “Other” tab. The roles that are available to the user will be checked. To add or remove a specific role, change the checkboxes and click OK.



If, after analysis, you realize that standard roles cannot fully satisfy the requirements for the delimitation of rights, then you need to change them. To do this, find the desired role in the configuration tree and double-click on it. On the left side of the window that opens, you will see a list of all configuration objects. On the right side, checkboxes indicate those actions, the rights to which are assigned to this role, in relation to the selected object on the left.



You can not only give and remove permissions for certain actions with configuration objects by checking and unchecking the boxes. In addition, the 1C platform has a very convenient built-in mechanism for limiting user rights at the record level: RLS. It allows you to set a condition; the user sees infobase data only when that condition is fulfilled. Using RLS, user rights in 1C 8.3 can be configured so that, for example, each specific warehouseman will see information only for his warehouse.

Another way to add rights to an object to a user without changing standard roles is to create a new role. To do this, click on the “Add” button while in the “Roles” configuration branch and name the new object. In the window that opens, find the required configuration objects on the left, and set the necessary rights and restrictions on the right. After saving the new role, you need to update the configuration, go to the list of users and add a new role to certain users.

The responsibility of the 1C information base administrator is not limited to creating users and assigning rights. Employees may change, responsibilities may be redistributed, and administrators must respond quickly to all these changes. If an employee who performed certain functions in 1C has quit, you need to disable the 1C user so that former colleagues cannot use the account. The list of users, which can be opened in the configurator in the “Administration” menu, will help us with this.


Having opened the 1C user settings, you need to uncheck the boxes responsible for finding the employee’s name in the selection list and authentication. This way, you will prohibit logging in under the last name of the departed employee and save the access rights settings in case the employee returns. These settings will also be useful if all powers are transferred to a new employee - you will not have to configure the roles again.

It is also not recommended to completely delete a user because the system contains links to the responsible user in various documents. If you delete an entry, there will be broken links and confusion about who created specific documents. It is much more effective to disable the 1C user from logging into the system, and in some cases completely remove rights (roles). Also, some companies have a practice of marking inactive users with a specific symbol in the “Name” field, for example: “*IvanovaTP”.

In some cases, the 1C administrator may urgently need to “throw out” users from the 1C database. This can be done in two ways:

  1. Through "Enterprise" mode from a user with administrative rights. Not supported by all configurations;
  2. Through the application server using the console of a 1C server cluster.

To use the first option, you need to go to “NSI and Administration”, open “Maintenance” and launch the “Active Users” form. We will see a list of active users and an “End” button at the top; clicking it forcefully terminates the selected user sessions. In addition, in this list you can see the computer name and start time, which will help track down frozen sessions.


The second option for disabling active users requires more attention and responsibility, since most often the cluster console is hosted on the application server. If you have access to this server control panel, you can end the user session as follows:

  1. Open the cluster console;
  2. Go to the list of information bases and open the sessions for the one you need;
  3. Find the required user in the list;
  4. Right-click to open the context menu and choose the “Delete” command.


In the 1C platform, developers have included a convenient mechanism for setting up rights and managing users. Therefore, the described capabilities are available to owners of all configurations, even those written independently. Another advantage is that it does not require deep knowledge of the 1C system. Any responsible and attentive administrator is able to cope with these operations.

Hello dear blog readers. I had to delay the next article a little due to intensive reporting and a large number of incoming questions regarding this matter. By the way, you can ask your questions in the chat or send messages directly to me by email. But enough advertising) Today we will talk about the new useful and interesting opportunities that the new 1C Enterprise 8.3 platform and the configurations built on it give us: Salary and HR Management 3.0 and Enterprise Accounting 3.0.

The article will talk about how to configure user access yourself, so that the user has access only to those documents, reference books and reports that he needs for work, and access to the rest is limited. The command interface with flexible settings, which appeared in 1C programs version 3.0, will help us with this. We will discuss the features of differentiating access rights to program objects based on the 1C ZUP 3.0 configuration, but the same mechanism can be successfully used for the 1C Enterprise Accounting 3.0 software product. Actually, I studied this issue when I assisted in setting up users in Bukh 3.0.

How to create a user in normal user mode of 1C edition 3.0




I would like to immediately note that we will have to work with both the normal user mode of operating the program and the configurator mode. There’s nothing scary or complicated about this, you don’t have to program) I’ll also immediately note that the screenshots in this article are taken from the Taxi interface, which recently appeared in 1C edition 3.0 programs. To switch to it, just open the service menu and find the parameter settings there. In the settings window, in the “Appearance” radio button group, select the “Taxi” interface and restart the program. For those who are comfortable staying in the normal interface, all documents, reference books and settings that I will discuss in the article are identical in these interfaces.

Let's look at a situation where you don't yet have the required user. You must create a user in normal user mode. Go to the “Administration” section of the main menu and there we find the “User and Rights Settings” item.

If required, you can immediately set a password.

Now, regarding the access rights for this new user. There is no need to set them. You can open the access rights settings directly from the form in which the user is configured: just click the “Access Rights” link at the top of the page. It is necessary that in the access rights (both on the “Access groups” tab and on the “Allowed actions (roles)” tab) everything is empty. We will configure rights not in user mode, but in the 1C configurator, a little later.

But there is an important point here. There must be at least one user in the database who has administrative rights. My user is Administrator. He is a member of the access group “Administrator” and has the roles “System Administrator” and “Full rights”.

Now we should go to the configurator mode and continue configuration there. To do this, when starting 1C, select the desired database and click the “Configurator” button. Just don't log in as a new user. He does not yet have any rights, and work will be impossible. You must log in as a user with full rights, in my case it is “Administrator”.


After opening the configurator window, let's make sure that the new user we created is also displayed here. The list of users in the configurator is stored in the main menu section “Administration” -> “Users”.

Please note that the user has a question mark. This means that no role is defined for it, i.e. in other words, no access rights are specified. "Roles" is a configuration object. Each role establishes a set of documents, directories, and reports that a user with this role has access to. We can see all available roles if we open the user and go to the “Other” tab.

Let me remind you that we need to configure an employee’s access to an arbitrary set of documents, reference books and reports. At the same time, I didn’t even specify which set we are talking about; it's not that important. But the important thing is that for such cases there is not and cannot be a suitable role in the configuration. 1C developers are not able to provide for all the possible options for restricting access to objects that are encountered in practice. And the end user’s requests can be very extravagant.

Editing mode for a standard configuration in 1c

As you probably already understood, I am leading to the fact that we will have to create our own role. In this case, one important detail should be discussed. Creating a new role means making a change to the standard configuration. For those whose configuration has already been finalized and is not standard, nothing will change. To begin with, I’ll tell you how to determine whether the configuration is standard or not.

First, you need to open the configuration. To do this, in the “Configuration” section of the main menu, click "Open configuration". After this, a window with a tree structure of all information base objects will appear on the left side of the configurator. Secondly, also in the “Configuration” section of the main menu, go to “Support” -> “Support Settings”. A window of the same name will open. If the window looks like in the screenshot, then your configuration is standard. By this I mean the presence of the inscription "Configuration is being supported" and the presence of a button.

So, if you have a standard configuration, then we will have to enable the ability to change it, otherwise we will not be able to create a new role. Separately, I would like to note that from the point of view of updating there will not be any special difficulties, since we will be creating a new role and not changing existing ones, therefore all standard configuration objects will remain standard. To enable the ability to edit the configuration, press the "Enable editability" button in the "Support Setup" window.

Perhaps in future publications I will write in more detail about this kind of update. So, in this window we need to answer “Yes”.

Next, the “Support Rules Settings” window will open, where you need to select the “Supplier object is edited while maintaining support” radio button. For our task this will be quite sufficient. Just keep in mind that after clicking “OK” you will have to wait a bit before continuing.

After this, the locks should disappear in the tree of configuration objects (remember, when we opened the configuration, it opened on the left side of the configurator), and the “Support Settings” window will show the message “The configuration is being maintained with the possibility of change.”

How to create a new role in the 1C configurator

Now we can start creating a new role. Let me explain once again what a “Role” is - this is a set of rights that determine the ability to view or edit directories, documents and other configuration objects. View and edit are the most understandable permission options, but there are many others. To make it clearer, let’s select the “Full rights” Role in the object tree (General -> Roles -> Full rights). The settings window will open. In this window, all program objects (directories, documents, reports, etc.) are listed on the left, and on the right are the rights that are defined in this role for each of the objects. You can see this in the screenshot.

Now let me remind you of the problem. We need to ensure that the user can work only with a limited range of documents, reports and reference books. The most obvious option is to create a new role and define access only to the necessary objects. However, the configuration has a large number of service objects, such as constants, general forms, common modules and registers for various purposes, and for normal user operation it is necessary to have access to these common objects. There are quite a lot of them and it is very easy to miss some object. Therefore, I will propose a slightly different approach.

Let's create a new role by copying the default Full Rights role. Let's call this new role “Role_Frolov”. To edit the role name, you need to go to the properties and specify a new name without spaces.

Now let's set this role for the user “Frolov”. Before this, we need to save the information base so that the newly created role appears in the list of available user roles. Press the F7 key or click the corresponding button in the toolbar. After this, we can set this role for our user. Go to the list of users (Administration -> Users) and on the “Other” tab, check the box next to the “Role_Frolov” role. Click "Ok".

For now, this role is completely identical to the original one (“Full rights”). We will leave it this way for the time being. And we will set up access to documents and reference books using the flexible configuration capabilities of the 1C program command interface.

How to configure command interface elements in 1C

Now we have to return to normal user mode, i.e. as during normal work in 1C. We need to launch under our new user - Frolov S.M. This can be done from the configurator. However, you must first set the setting so that when you start the Enterprise from the configurator, you are prompted by the user under which it should be launched. To do this, in the main menu, select “Tools” -> “Options” and on the “Launch 1C:Enterprise” tab in the “user” section, set the “Name” switch, click OK and we can launch the user mode directly from the configurator. To do this, use the command from the main menu “Service” -> “1C:Enterprise”. And don’t forget that we must select the user Frolov.

When the program starts under the user Frolov, all objects will be available to him, since his role was created by copying full rights and we have not changed anything. Let's assume that this user only needs the personnel records capabilities, and not all of them: only admission, transfer and dismissal. First, you need to remove all unnecessary sections and leave only one, “Personnel”.

To do this, go to the service menu View -> Setting up the section panel. In the window that opens, move all unnecessary sections from the right column to the left.

Note that we now have only 2 sections, “Main” and “Personnel”. We cannot remove the “Main” section, so we must leave only the necessary links in it. To do this, go to this section and click "Navigation settings" in the upper right corner. This window is similar to the one in which we removed unnecessary sections, and it works on the same principle. In the right column we leave only the necessary documents and reference books.

And as a result, in the “Main” section we will have only the set of documents, reports and reference books necessary for the personnel officer.

As for the “Personnel” section, it can be left in its original form or configured more finely if, for example, the personnel officer does not have to deal with sick leave, vacations and maternity leave. In the same way, these documents can be removed from the navigation panel. I will not dwell on this in detail, since it already depends on the specific task.

I’ll just point out one more element that also needs to be configured to prevent the user from accessing data that is closed to him. This element is the “Home page”, also called the “Desktop”. It opens automatically when you start user mode. To set up the home page, open the service menu View -> Set up home page. A window will open in which you can configure the composition of the left and right columns from the list of available forms. The choice of available forms is not very large. For example, in our situation, where an employee is engaged in personnel, we should not give him access to such a form as “Salary calculation: Form”. I decided to remove all forms altogether, so as not to tempt the user. The start page will be blank.

Final setup of the user role in the 1C configurator

So, let's assume that we have configured access to all necessary documents and reference books for our personnel officer, using the capabilities of the command interface. Now the main question is how to make it so that the user himself cannot open the interface settings and give himself access to prohibited documents. To do this, return to the configurator and select General -> Roles -> Frolov_Role in the configuration object tree. Open this role. In the window that opens, position the cursor on the inscription “Salary and Personnel Management”, and in the “Rights” column look for the setting "Saving user data". Uncheck the box next to this setting. This means that the user himself will not be able to customize the contents of the section panels, navigation bar and desktop, and therefore will not have access to prohibited sections from the command interface.

To verify this, you can go to the database under the user Frolov and try to open the settings for sections or navigation. However, you will not find the “View” item in the service menu. It became unavailable because we removed the right to “Save user data” from the user role Frolov.

Thus, we limited the user's visibility of objects to only those directories, documents and reports that he really needs for work. At the same time, in the configurator mode, only one checkbox was edited in the rights of this employee.

However, that's not all. We have limited explicit access to prohibited objects, but the user may still reach an unwanted directory or document from a document that is accessible to him. For example, our personnel officer Frolov can open the “Organizations” directory from the “Hiring” document and accidentally or purposefully change some data there. To prevent such a situation, you should review and analyze all objects that are associated with the documents and reference books available to the user. Then, in the configurator, open the role of our user and prohibit editing or even viewing unwanted objects. The specific option is up to you to choose, depending on the task at hand.
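The review described above can be supported by asking the platform what the role still grants, since hiding objects in the command interface does not change the rights copied from “Full rights”. The following is an added example, not code from the original article: it uses the built-in AccessRight function in a server-side module, and the object names in the allow-list are hypothetical and must be replaced with the metadata names of your configuration.

```bsl
// Added example: lists catalogs and documents outside the allow-list on which
// the role still grants Read/Insert/Update/Delete. Run on the server.
Function RightsOutsideAllowList(Role, AllowedNames) Export

    Report = New ValueTable;
    Report.Columns.Add("ObjectName");
    Report.Columns.Add("GrantedRights");

    RightsToCheck = StrSplit("Read,Insert,Update,Delete", ",");

    Collections = New Array;
    Collections.Add(Metadata.Catalogs);
    Collections.Add(Metadata.Documents);

    For Each Collection In Collections Do
        For Each MetaObject In Collection Do
            FullName = MetaObject.FullName();
            If AllowedNames.Find(FullName) <> Undefined Then
                Continue; // the user is meant to work with this object
            EndIf;
            Granted = New Array;
            For Each RightName In RightsToCheck Do
                If AccessRight(RightName, MetaObject, Role) Then
                    Granted.Add(RightName);
                EndIf;
            EndDo;
            If Granted.Count() > 0 Then
                Row = Report.Add();
                Row.ObjectName = FullName;
                Row.GrantedRights = StrConcat(Granted, ", ");
            EndIf;
        EndDo;
    EndDo;
    Return Report;
EndFunction

Procedure AuditRoleFrolov() Export
    Allowed = New Array;
    Allowed.Add("Document.Hiring");   // hypothetical metadata name
    Allowed.Add("Catalog.Employees"); // hypothetical metadata name
    Role = Metadata.Roles.Role_Frolov;
    // The right that was unchecked on the configuration root in the role editor.
    If AccessRight("SaveUserData", Metadata, Role) Then
        Message("Role can still change section, navigation and home page settings");
    EndIf;
    For Each Row In RightsOutsideAllowList(Role, Allowed) Do
        Message(Row.ObjectName + ": " + Row.GrantedRights);
    EndDo;
EndProcedure
```

FullName() returns names in the script language of the configuration, so the allow-list must use the same language. Every line of output is an object the user can still reach through links from permitted documents, even though it is no longer visible in the section panel.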

That's it! We solved a rather complex problem in a not very complicated way. Anyone who has read to the end can rightfully be proud of themselves) If I missed something and you have any comments, I will be glad to see it in the comments to the article.
