Creating new roles in 1C 8.3. Accounting info. Restricting access to data at the record and field level

The issue with access rights arises due to the need to limit the rights of a user in 1C (or a group of users), which implies a ban on performing any actions with certain objects, for example, viewing, recording, editing, etc. Or, on the contrary, due to the need to grant (expand) user rights in 1C, which in reality most often follows a system message about an access rights violation (for example, insufficient viewing rights) and the user’s request to administrators about this.

To adjust the access rules and change the rights to view a particular section or perform any other action, go to “User and Rights Settings”, which is available in user mode on the “Administration” tab (provided, of course, that the current user has the rights to do so).




As already mentioned, access groups include specific users, and the groups themselves have access group profiles that combine roles. Essentially, a role is metadata, and the variety and number of roles depend on the configuration. As a rule, there are quite a lot of roles and it is easy to get confused by them. It is worth remembering that one extra assigned role can open access to objects to unwanted users.


A description of user rights is available on the “Description” tab.

Roles are viewed through the “Users” directory element, which can be accessed by clicking on a specific user.


A report on access rights is also generated here, which displays the status of access to specific system objects.


The rightmost column, “Record-level restrictions”, contains additional conditions that restrict actions with database objects. Essentially, this is a query that is executed at the time of the operation and determines whether or not the user may work with the object.

The screenshot shows that the document “Input initial balances” is available to the user, but access is only possible for certain warehouses.


Thus, you can establish access or change rights in 1C by adding a user to a particular group in user mode.


The group itself can also be changed, for example by adding a value to the access restriction.


Administrator rights allow you to manage rights in the configurator mode, where standard roles are already defined. For example, a role with a very explanatory name “Basic rights”, as a rule, provides the ability to only read or only view an object.


To manage rights to change objects, special roles for adding/changing data are provided.


If you know which object the user does not have enough rights to, you can:

  • Work backwards from the object: open the “Rights” tab for the specific object. The upper window lists all the roles available in the configuration, and the lower window lists the rights. The presence of a right to the object is marked with a tick. Rights for new objects are set in the same way.

  • Open the role assigned to the user, and by selecting a specific object in the left window, see the list of rights in the right window, that is, the actions that a user with this role can do with this object - reading, adding, viewing, etc.


Thus, all possible rights in the system are predefined. Read, add, modify, view, edit and other rights can be turned on or off in any role for any object. It is impossible to assign rights separately without using roles. To differentiate user rights, you must assign the appropriate role. The “All roles” table, created in the configurator, becomes a convenient tool for analyzing rights and roles.



The screenshot shows that the “Full Rights” role has the maximum set of rights. If there is no need to restrict users’ rights at all, you can simply assign this role to all users and be rid of users’ access questions for good.

In practice, as a rule, in most cases, “fool protection” is still necessary. All more or less large companies need to insure themselves against unwanted data changes. This is where the roles built into 1C come to the rescue. Understanding the diversity of roles is not easy and takes a lot of time. Therefore, creating your own role to solve practical problems can often be the only way out. Let's consider this point in more detail. You can add a role in the metadata tree.


In the new role, you can differentiate rights by simply checking the boxes next to the corresponding right.


The checkboxes at the bottom of the window determine whether rights will be automatically assigned to new metadata objects and to the attributes and tabular sections of the object for which rights are assigned, and whether rights will be inherited from the parent object.

Access rights restrictions are set in the lower right window of the new role. This is a powerful tool that allows you to restrict rights at the record level, i.e. provide access to exactly the necessary data. If a simple assignment of rights can only “straightforwardly” give or take away rights to act with an object, then the restriction mechanism allows you to flexibly configure access rights regarding data. For example, limit reading and viewing data for only one organization.


The data access restrictions designer allows you to create a condition by which access will be limited.


Restricting access rights is described in the form of language constructs. To facilitate their creation, the use of constraint templates is provided. It should be noted that the use of this mechanism directly affects performance, because the system, when accessing any object, needs to read and comply with these restrictions. This process takes up computer resources and slows down work.

In conclusion, I would like to note that 1C, as a developer, has taken care of the availability of ample opportunities for administrators in terms of editing rights in their software solutions. And if at first glance these tools may seem complex and redundant, then later, especially when trying to build an effective access scheme in the context of a multi-level, branched personnel structure in an enterprise or organization, it becomes clear that the functionality of the program fully corresponds to real needs.

When we talk about restrictions, we mean a list of users working with information and the assignment of specific rights to them. What does this give? First, it ensures the organization's information security. Second, it makes work easier and simpler for information users, leaving them with access only to the documents they need.

1C:Enterprise 8 programs have two types of rights: basic and interactive. Basic rights are always checked, regardless of how infobase objects are opened. The main ones are the rights to “Read”, “Change”, etc.

The interactive rights are “View” and “Edit”. Interactive rights are checked while the user performs interactive actions: when viewing data in a form, when editing data in a form, etc. If the user tries to perform an action for which he does not have rights, the system will issue a warning: “Access rights violation!”

The list of rights has a hierarchy, resulting in a chain of relationships that is monitored by the system. This means that after removing permission for a certain right, the system removes permissions for the rights that depend on it, and vice versa. For example, an object has “View” and “Edit” rights. When removing the rights for “View”, the right for “Editing” is automatically removed.

In “1C: Accounting 8 for Ukraine” several lists of rights have been created, each of which is necessary for a specific role. The set of roles can be seen in the Configurator when opening the database, which is displayed in “Database Configuration”.

On the left side of the window there is a tree of application solution parameters. On the right side of the window is the list of rights that are allowed for the object selected on the left side. All operations with a checkmark next to them are allowed. That is, for the “Accountant” role, when working with the “Advance Report” document, the actions “Read”, “Add”, “Change”, etc. are allowed.

If a user does not have the right to access a specific directory, then he also does not have the right to view and edit the fields of those application solution objects that use an element of this directory. For example, with access to the “Counterparties” directory prohibited, the user can still view and edit documents that indicate a counterparty, but cannot view or change information about the counterparty. In these documents, instead of information about the party to the transaction, the message “Object not found” will be displayed in the corresponding field.

Database configuration

Programs created on the basis of the 1C:Enterprise 8 platform have specified settings for access rights to information stored in the database. This setting is performed by specialists in the query language "1C: Enterprise 8" in the fields "Data Access Restriction" ("Database Configuration").

List of users

To keep unauthorized persons out of the database, you need to create a list of users who have permission to work with the system. This can be done both in the Configurator and in 1C:Enterprise mode. In the Configurator, the list is opened by the command "Administration - Users"; in "1C:Enterprise" mode, it is in the "Users" directory, through the menu "Tools - User and Access Management - User List".

Both lists are linked by the user name (directory code) and hold the same data. Basic settings can be administered in both modes. The “List of Users” figure shows the user list window in the Configurator, with the window for changing the settings of the user Bondarenko (administrator) also open.

On the “Basic” tab, a short user name is entered in the “Name” field. This is the name displayed by the selection dialog at startup, and it is how the user defined in the Configurator is matched with the “Users” directory element. Any user name can be entered in the “Full name” field.

User authentication

The program has two options for user authentication: by the 1C system itself (checkbox next to “1C Authentication: Enterprise”, “List of Users”), or by the operating system (checkbox next to “Windows Authentication”). With the second option the user does not need to enter a “Username” and password, because when the application solution is launched the system takes the MS Windows user name and, based on it, selects the corresponding 1C:Enterprise user.

In addition, the window for changing user settings makes it possible to enter a password for the right to start the program on behalf of this user and activate the prohibition on changing the specified password (the checkbox next to “The user is prohibited from changing the password”). The checkbox next to the “Show in selection list” setting adds a new user to the selection list when starting the configuration.

Role selection

When creating the list of users, one user can be given several roles, all of which are available while working with the application solution. This is done on the “Other” tab by checking the boxes next to the required roles in the list of “Available roles” (“Select an object. Interface”). Also remember: if at least one of the user's roles allows a certain action on an object, then access is allowed.
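The rule above (one granting role is enough), together with the right hierarchy and the record-level restrictions described earlier, modelled as an added Python example; it is not code from 1C or from this article, and the role names `WarehouseClerk` and `ExtraReports`, the object name and the sample records are constructed. It shows how one extra role that grants a right without a restriction overrides another role's warehouse restriction.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# From the text: removing "View" automatically removes "Edit".
DEPENDS_ON = {"Edit": "View"}  # dependant right -> right it requires

# A record-level restriction is modelled as a predicate over one record;
# None means the right is granted with no record-level condition.
Restriction = Optional[Callable[[dict], bool]]

DOC = "Document.InputInitialBalances"  # constructed object name


@dataclass
class Role:
    name: str
    grants: Dict[Tuple[str, str], Restriction] = field(default_factory=dict)

    def revoke(self, obj: str, right: str) -> None:
        """Remove a right together with every right that depends on it."""
        self.grants.pop((obj, right), None)
        for dependant, parent in DEPENDS_ON.items():
            if parent == right:
                self.revoke(obj, dependant)


def granting_roles(roles: List[Role], obj: str, right: str) -> List[Role]:
    return [r for r in roles if (obj, right) in r.grants]


def can_access(roles: List[Role], obj: str, right: str, record: dict) -> bool:
    """One granting role whose restriction (if any) passes is enough."""
    for role in granting_roles(roles, obj, right):
        condition = role.grants[(obj, right)]
        if condition is None or condition(record):
            return True
    return False


def unrestricted_via(roles: List[Role], obj: str, right: str) -> List[str]:
    """Roles that grant the right with no record-level restriction at all."""
    return [r.name for r in granting_roles(roles, obj, right)
            if r.grants[(obj, right)] is None]


def clerk_role() -> Role:
    """Hypothetical role: the document is usable only for the 'Main' warehouse."""
    def only_main(record: dict) -> bool:
        return record["warehouse"] == "Main"
    return Role("WarehouseClerk",
                {(DOC, r): only_main for r in ("Read", "View", "Edit")})


def reports_role() -> Role:
    """Hypothetical 'one extra role': Read on the same document, unrestricted."""
    return Role("ExtraReports", {(DOC, "Read"): None})


if __name__ == "__main__":
    reserve = {"warehouse": "Reserve"}  # constructed record
    for roles in ([clerk_role()], [clerk_role(), reports_role()]):
        names = [r.name for r in roles]
        print(names, "Read Reserve:", can_access(roles, DOC, "Read", reserve),
              "| unrestricted via:", unrestricted_via(roles, DOC, "Read"))
```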

There are three main roles in the configuration: “Accountant”, “Chief Accountant” and “Full Rights”. Other roles (“Administration Right,” “Additional Forms and Processing Right,” and others) are auxiliary and can be used to grant rights to a user who does not have full rights (the “Accountant” and “Chief Accountant” roles).

The roles “Accountant” and “Chief Accountant” differ in their rights to change data that relate to the organization’s accounting policies. For example, “Accountant” cannot enter parameters for accounting, accounting policies, etc.

To start the program normally, a user needs a minimum set of rights. The "Accountant" role has this set. If an ordinary user does not have full rights (and this is usually the case), he should be assigned at least this role.

Selecting an object. Interface

Each directory group can hold a list of users, which is saved in the table of the directory element (“User Groups”). One user can be a member of several user groups, and the created user groups can be used when setting up access rights to different objects, alongside elements of the “Users” directory. That is, when setting access rights in the “Organizations” directory, it is better to enter a group of users rather than assign access to individual users. All users who are members of the group will then have access to the selected enterprise.

In addition, the directory contains a predefined element “AllUsers”, the list of users of which cannot be changed and is empty.

Group of users

Data prohibition date

There is another mechanism that helps protect data against accidental or intentional correction (deletion). This is the “Data modification prohibition date” in the “Service → User and access management” tab. In the pop-up dialog box, you can enter a date before which documents in the database cannot be added, corrected or deleted. The “Date of prohibition of changing data” figure shows a demo example in which the prohibition date is set to “01/31/2011”. This is due to the entry into force of Section III of the Tax Code.

There are a number of ways to enter a ban date for changing data:

  • “General date”
  • “By organizations”
  • “By organizations and users”

Attention! A user with the “Accountant” role cannot adjust the ban date for changing information, and the restriction on the ban date does not apply to users who have access to the “full rights” role.

Then, after entering the prohibition date, when entering a new document with the date of the closed period, the software will display the message: “Editing data for this period is prohibited. Changes cannot be recorded..."




By default, when a database is created on the cloud from a template, you enter the program by selecting the user Administrator, which has an empty password.
It is not recommended to use this account for everyday work.
To differentiate access rights and increase the level of security, it is recommended to create user accounts and specify certain permissions for working with the database.

Creating users for 1C 8.2 databases

To create a list of users, open the database in Configurator.

Go to the "Administration / Users" menu. To manage the list of users, you must have Full rights in the database.


Click the "Add" button.

In the window that opens, fill in the fields:
  • Name - the name that will be displayed in the user selection list.
  • Full name - the name that will appear in the database when performing operations.
  • The “Authentication 1C:Enterprise” flag - allows you to set a password with which the user will log into this database.
  • The “Show in selection list” flag - allows you to hide or show the user in the launch window. If the user is hidden in the selection list, you can still log in as that user by entering the name and password directly.


  • The “Operating system authentication” flag - allows you to link your 42 Clouds account to an account in the 1C database.
When setting this option, you will need to select your 42 Clouds website login from the list (tip: start typing your username to search the list).


On the "Other" tab, you need to specify for users the roles that they can perform in the database.
The list of roles depends on the user's responsibilities.
Note! To launch the database on the cloud, check "Launch thick client" and "Launch thin client".

After specifying the required settings, click OK. Now the created user can work in the database.

Creating users for 1C 8.3 databases

Creation of new users in such configurations as Trade Management 11.1, Enterprise Accounting (edition 3.0) occurs in the mode of working with the database, in the Users directories. Created users will be included in the Configurator automatically after creation.

Go to the menu “Administration / Setting up users and rights / Users”. Click the Add button. To manage the list of users, you must have Full rights in the database.


Enter a name, give permission to access the database (by checking the box) and select an authorization method (either entering a login and password, or logging into 1C under a domain account). The "Individual" and "Division" fields are optional and are used for analytics.


To work with the database, you need to add rights to the user in the “Access Rights” section. The set of groups can be changed and edited in the User Group Profiles directory.

Disabling access to the database

To disable a user's access to the 1C database, just uncheck the "Access to information base allowed" box or change the password.
When setting up a user through the Configurator (for 1C 8.2 databases), it is enough to remove the user from the list.


Creating users for 1C 8.3 databases (Taxi Interface)

To configure access rights, log into the database in 1C Enterprise mode on behalf of the Administrator and go to the User and rights settings / Access group profiles section, click Create group.

Enter the group name and check the boxes for the roles available to users of this group. For example, a group that allows users to use external processing includes the following roles:

  • Interactive opening of external reports and processing
  • Using additional reports and processing

Click Save and close.

Return to menu Users and select an employee from the list, click Access rights. In the list of profiles, select the previously created profile. Click Record.

2016-12-01T13:37:17+00:00

Correctly setting up the list of users and their access rights to the 1C: Accounting 8.3 (revision 3.0) database is necessary for any number of people working with the program. Even if you are the only one working with it!

This setting allows you to later answer questions such as “Who made certain changes to the database”, “How to give view-only access to the database for the inspector”, “Who allowed the assistant to change the accounting policy settings” and the like.

In the third edition, this setup, in my opinion, has become simpler and more intuitive. Today I will tell you how to better configure users and their rights. I will try to consider the most general case.

So, we will configure the following users:

  • Administrator: a user who has full rights to the database and has no restrictions. There is no need to use this user for daily work. The administrator password should be given to programmers and administrators who configure or update the database. Since only they will work under this user, in the future we will always be able to separate their changes in the database from the work of other users in the log. This can be useful in the case of “debriefing”.
  • Chief Accountant: a user who has no less rights than an administrator, but is a separate role with its own password. You will work under this user yourself.
  • Accountant: If you have assistants or other accountants under you, then this user is suitable for them. What restrictions does this role impose:
    • Prohibition on changing accounting parameters.
    • Prohibition on changing accounting policies.
    • Prohibition on changing the chart of accounts.
    • Prohibition on editing the list of users.
    • Prohibition on setting up item accounting accounts.
    • Prohibition on deleting items marked for deletion.
    • Prohibition on changing the date of prohibition of changing data.
  • Inspector: This user will only have rights to view the database. He won't be able to change anything in it.

1. Go to the "Administration" section and select "User and rights settings":

2. In the panel that opens, select "Users":

3. By default, the "Administrator" user should already be in this list. Double click on it to open its settings.

4. Configure the settings as shown in the picture below. Create a password yourself - you need to enter it twice. Please note that each user must have their own password. All that remains is to click “Save and close”. Ready!

Chief Accountant

4. In the rights settings window, select the checkboxes next to the “Administrator” and “Chief Accountant” items. All you have to do is click the “Record” button. Ready!

Accountant

1. Return to the list of users and click the "Create" button on the toolbar.

2. A window with a new user will open. Specify the settings as shown below, just create your own password.

4. In the rights settings window, select the checkboxes next to the “Accountant” item. All you have to do is click the “Record” button. Ready!

Inspector

1. Return to the list of users and click the "Create" button on the toolbar.

2. A window with a new user will open. Specify the settings as shown below, just create your own password.

If you have a new employee or if you have installed a new clean 1C 8.2 configuration database, you will need to create a new user.

If the database is clean, then a prerequisite for the correct operation of the program is the creation of at least one user with full rights.

If there is not a single user in the database and employees work without authorization, errors in the program often occur. Let's add a new user to the demo configuration database for 1C Enterprise Accounting 2.0.

Launch 1C and select the configurator launch mode:

If your database is not empty, then to add new users you need to log into the configurator as a user with full rights. Select and click “OK”. If the database is empty, then you will immediately be taken to the configurator.

Select “Users” from the Administration menu.

A list of users appears. Click add.

In the window that appears, you need to set a name for the user. If necessary, you can set a password for it. A password can also be set for a user by logging into the database in Enterprise mode under this user and clicking “User Options” from the Tools menu.

You can prevent the user from changing the password and remove it from the selection list when starting the program. Removing from the selection list may be necessary when the user is used, for example, to exchange data.

You can uncheck the 1C: Enterprise Authentication checkbox and check Operating System Authentication instead, selecting the Windows user under which the employee works on the computer. In this case, the user will be determined automatically, based on the computer and the Windows user under which the employee logs into the program.

When everything is filled out, go to the “Other” tab.

Here you need to select the available user roles. For an empty database, the “Full Rights” role is required. This role includes all the others from the list, except for the “User” role. If that role is present in the list, you need to tick it as well.

For an active database, you need to decide which roles to assign to the user. The lack of roles for a user is essentially the lack of certain rights in the program, i.e. restricting access to perform certain operations.

Here you can assign the main interface for the employee. The interface is selected based on the user’s roles and the tasks he performs in the enterprise. For a user with full rights in a clean database, you need to select the full interface.

The default language is set by the operating system and you do not need to select it. When everything is filled in, click “OK”.

We see that a new user has appeared in the list of users. We can now close the configurator and log in to the database in Enterprise mode.