• Differentiation of access rights in the network, shared disk space in the local network. Differentiation of access rights and user authentication

    In my web development practice, I very often came across situations in which customers set a specific goal, namely the division of parts of the admin panel regarding accessibility to certain users. Moreover, the development of this module was carried out in the context of an expandable system, that is, with an unfixed number of modules to which access is organized, and, accordingly, an unlimited number of system users.

    Well, on my own this topic It’s quite heavy and requires some time to analyze and formulate the problem.

    In the context of this article, we will develop in the context of some abstract information system, with its own infrastructure and architecture, while this system provides the user with the opportunity to expand the functionality, that is, install new modules, and accordingly set access rights to them for one or another user registered as the system administrator.

    Let's discuss the architecture of a modular system on our chosen pseudo-system from the very beginning.

    All modules are presented in the form of inserts connected to the main document (index file). The plugin request comes from the QUERY_STRING query string, and the name of the plugin is passed as the act argument. At some point in the file index, this parameter is retrieved and processed. Afterwards, if the user has sufficient rights to access the module in the reading context, the existence of the module specified in the query line is checked, and if it exists, it is connected to the index file.

    I mentioned the “reading context” for a reason, since our system assumes the existence of two contexts for working with the system, namely reading and writing. In this case, reading implies direct access to the module and to those parts of it that do not involve making changes to the data structure in the database. By recording, we mean directly making changes to the information stored in the database.

    To implement this mechanism, we will check the value string variable request `do`, which is processed in the module itself and carries information about which section of the module the user should be given access to.

    The value of do will be fixed, this variable will take the following values:

    • main - the main part of the module (available in reading context)
    • config - module configuration section (available in the recording context)
    • create - perform some actions to add information to the database (available in the context of a record)
    • delete - access to a section that provides the ability to delete some information in the context of a given module (available in the context of a record)
    • edit - access to edit information in the context of a module (available in the context of a post)

    In general, this list can be increased, but everything depends only on the scale of the project and its functional needs.

    Now directly about the modules. In addition to the physical existence of a certain module in the context of the project file system, the module must also be added to a special database table, which will contain information about all existing modules in the system. Adding and changing data in this table is usually done directly in the context of modules, that is, during their installation in the system. However, this is already a deepening into the principles of viewing expandable systems, which we will talk about some other time, and therefore, we will limit ourselves to manual update and adding module data.

    Thus, a record about a system module will contain the following information: the English identifier of the module name, which will be identical to the value of the environment variable GET - act (the module will be directly requested in relation to it), the Russian identifier of the module, which will be used in the list of modules.

    In addition to the modules, we will have two more tables, namely a table in which data regarding access rights profiles will be stored and a table with information about users directly.

    The security profile table will consist of only three fields - a profile identifier (the numeric value of the record identifier), a text module identifier (intended for users), as well as a specially generated text label containing information about user rights in the context of each module.

    Well, let's take a look at this particular structure. It will be as follows: [module_indefier: + \: + \;] *

    That is, there is a list of pairs: module name ":" read rights "," write rights ";". In this case, this label is updated when changes are made to the user’s access rights to the system. If information appears in the system about a module that is not included in this label, then you just need to carry out the editing procedure, and the data will be saved automatically.

    Now we just have to look at the structure of just one database table, and we can get down to implementing the algorithmic part, namely the table with information about system users, because assigning access rights to them is our main task.

    I will not add anything extra to it, but only what will be used in the context of the topic of this article. The user table will contain the following fields: user ID (numeric counter), login, password (hash of the original password), user security profile (user group ID, relative to rights in the system), and that’s it. It seems to me that this information is quite enough for you and me to implement the task, and I give the opportunity to do all the other add-ons ourselves.

    So, we discussed the structure, and, I hope, everyone already has some idea of ​​how we will implement the task set in the topic of the article. Now I will provide auxiliary SQL code for the tables described above, after which I will immediately move on to implementing the algorithm for checking user access rights, as well as creating and changing access profiles. After each individual module, we will discuss in detail any questions that readers may have.

    `modules` table:

    CREATE TABLE `modules` (`id` bigint(20) NOT NULL auto_increment, `indefier` text collate utf8_unicode_ci NOT NULL, `title` text collate utf8_unicode_ci NOT NULL, PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

    `secure_groups` table:

    CREATE TABLE `secure_groups` (`id` bigint(20) NOT NULL auto_increment, `title` text collate utf8_unicode_ci NOT NULL, `perms` text collate utf8_unicode_ci NOT NULL, PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci ;

    Table `users`

    CREATE TABLE `users` (`id` bigint(20) NOT NULL auto_increment, `login` text collate utf8_unicode_ci NOT NULL, `passwd` text collate utf8_unicode_ci NOT NULL, `groupId` int(1) NOT NULL default "0", PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci ;

    temp=array(); $this->temp["_result"]=0; $this->temp["_uid"]=explode("::",$_COOKIE["site_hash"]); $this->temp["_uid"]=$this->temp["_uid"]; $this->temp["_gid"]=$this->getUserSecurityAccess($this->temp["_uid"]); $this->temp["_conn_id"]=mysql_connect("host","user","passwd"); mysql_select_db("database"); $this->temp["_q1"]=mysql_query("SELECT perms" ."FROM `secure_groups`" ."WHERE id=".$this->temp["_gid"]); $this->temp["_access_stamp"]=mysql_fetch_assoc($this->temp["_q1"]); $this->temp["_access_stamp"]=$this->temp["_access_stamp"]["perms"]; $this->temp["_access_stamp"]=explode(";",$this->temp["_access_stamp"]); $this->temp["_access_stamp"]=array_slice($this->temp["_access_stamp"],0,-1); foreach($this->temp["_access_stamp"] as $this->temp["v"])( $this->temp["_mod_access"]=explode(":",$this->temp["v "]); $this->temp["_mod_indefier"]=$this->temp["_mod_access"]; if($this->temp["_mod_indefier"]==$module)( $this->temp[ "_perms"]=explode(",",$this->temp["_mod_access"]); switch($act)( case "r": $this->temp["_result"]=($this-> temp["_perms"]==1)? break; case "w": $this->temp["_result"]=($this->temp["_perms"]==1) :0; break; ) ) mysql_close($conn_id); return $this->temp["_result"]; ) ) ?>

    This class implements functions designed to implement the algorithmic task described above. We will now discuss each function separately.

    secure::getUserId() function

    By using this function, we mean that during user authorization in the system variable environment$_COOKIE the `site_hash` variable was set, consisting of the user identifier in the system and a hash to verify its authenticity in the system. The function simply removes the value of the identifier, returning its value as output.

    Function secure::getUserSecurityAccess($id)

    Output this function returns the security profile ID of the current user on the system.

    Function secure::checkUserPermission($module,$act))

    A request is made to the database regarding the user's rights to perform read/write actions in the context of the module passed as a parameter.

    All that remains is to describe the procedure for creating a variable in the $_COOKIE environment, and the topic of the article can be considered solved.

    The authorization procedure will look like entering the user’s personal data (login and password) into special form, after sending which the data transmitted by the user will be processed using the checkAuthData() function method, and, if the data is correct, the user data will be saved in the form of a recording cookie for a period user installed, or in the absence of a specified value for the default period.

    To check the authenticity of the data stored in the $_COOKIE environment variable, we will use the EatCookie() function, which will validate the data by returning a Boolean verification result (true - false).

    I do not provide the form to submit, since this is not part of the programming theory, indicating only the field identifiers.

    • `ulogin` - user login
    • `upasswd` - user password
    • `stime` - session time set by the user (from 1 to 5 hours)
    • `auth` - submit button name

    That's all. All that remains is to try, experiment, make mistakes and find a solution, which I leave entirely to you.

    I hope that we will meet soon, and for those who have a question for me regarding the article, and not only - write to [email protected], or on [email protected].

    Sincerely, Kirill Karpenko, head of the IT department of INPP.


    In the vastness of Russia, many firms and small enterprises do not have their own staff system administrator on an ongoing basis or coming from time to time. The company is growing and sooner or later one shared folder on the network, where everyone can do whatever they want, becomes not enough. Access control is required for different users or user groups on the MS Windows platform. Linux users and experienced admins, please do not read the article.

    Most best option- hire an experienced administrator and think about buying a server. An experienced administrator will decide on the spot whether to raise MS Windows Server With Active Directory or use something from the Linux world.

    But this article was written for those who have decided to suffer on their own for now, without using modern software solutions. I will try to explain at least how to correctly implement the differentiation of rights.

    Before we begin, I would like to cover a couple of points:

    • Any operating system "recognizes" and "distinguishes" real people through their accounts. It should be like this: one person = one account.
    • The article describes the situation that the company does not have its own admin and has not purchased, for example, MS Windows Server. Any regular MS Windows simultaneously serves no more than 10 people for WinXP and 20 people for Win7 over the network. This was done by Microsoft specifically to prevent Windows clients from crossing the road. Windows servers and you didn't ruin Microsoft's business. Remember the number 10-20 and when your company has more than 10-20 people, you will have to think about buying MS Windows Server or ask someone to install a free Linux Samba server for you, which does not have such restrictions.
    • Since you do not have a competent administrator, then your ordinary computer with client MS Windows will pretend to be file server. You will be forced to duplicate user accounts on it from other computers in order to access the shared files. In other words, if there is an accountant Olya in the company PC1 with an olya account, then on this “server” (hereinafter I will refer to it as WinServer) you need to create account olya with the same password as on PC1.
    • People come and go. Staff turnover is everywhere, and if you are the poor person who is not an administrator and is assigned (forced) to support the company’s IT issues, then here is some advice for you. Create accounts that are not tied to a person. Create for managers - manager1, manager2. For accountants - buh1, buh2. Or something like that. Has the person left? Someone else won't be offended if they use manager1. Agree, this is better than Semyon using the olya account, since it’s broken or there’s no one to redo it and everything has been working for 100 years.
    • Forget words like: “make a password for the folder.” The days when passwords were imposed on resources are long gone. The philosophy of working with various resources has changed. Now the user logs into his system using an account (identification), confirming himself with his password (authentication) and is given access to all authorized resources. Login once and have access to everything - that's what you need to remember.
    • It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is included in the Administrators group.

    Preparation.

    In Explorer, remove simplified access to the things we need.

    • MS Windows XP. Menu Tools - Folder Options - View. Uncheck Use the Sharing Wizard
    • MS Windows 7. Press Alt. Menu Tools - Folder Options - View. Uncheck Use simple general access to files.

    Create a folder on your WinServer computer that will store your wealth in the form of files of orders, contracts, and so on. For me, as an example, it will be C:\dostup\. The folder must be created on a partition with NTFS.

    Network access.

    On at this stage need to make available over the network(share) a folder for other users to work with on their computers local network.

    And most importantly! Share the folder with full permission for everyone! Yes yes! You heard right. But what about access control?

    We allow everyone to connect to the folder via the local network, BUT we will limit access using security measures stored in the file NTFS system, where our catalog is located.

    • MS Windows XP. On the desired folder(C:\dostup\) with the right mouse button and there Properties. Access tab - Full access.
    • MS Windows 7. On the desired folder (C:\dostup\) right-click and select Properties. Access tab - Advanced settings. Put a tick Share this folder. Fill out the Note. Click Permission. The Everyone group must have network rights Full access.

    Users and security groups.

    You need to create the necessary user accounts. I remind you that if on numerous of your personal computers different user accounts are used, then they all must be created on your “server” and with the same passwords. This can only be avoided if you have a competent administrator and computers in Active Directory. No? Then carefully create your accounts.

    • MS Windows XP.
      Local users and groups - Users. Action menu - New user.
    • MS Windows 7. Control Panel - Administration - Computer Management.
      Local users and groups - Users. Menu Action - Create user.

    Now it's time for the most important thing - the groups! Groups allow you to include user accounts and simplify manipulations with the issuance of rights and access control.

    The “imposition of rights” on directories and files will be explained below, but for now the main thing is to understand one idea. Rights to folders or files will be granted to groups, which can be figuratively compared to containers. And groups will already “transfer” rights to the accounts included in them. That is, you need to think at the level of groups, and not at the level of individual accounts.

    • MS Windows XP. Control Panel - Administration - Computer Management.
    • MS Windows 7. Control Panel - Administration - Computer Management.
      Local users and groups - Groups. Menu Action - Create group.

    Needs to be included in necessary groups the required accounts. For example, on the Accountants group, right-click and there Add to group or Properties and there the Add button. In the field Enter the names of the selected objects enter the name of the required account and click Check names. If everything is correct, the account will change to the form SERVER NAME\account_entry. In the picture above, the buh3 account has been mapped to WINSERVER\buh3.

    So, the necessary groups have been created and user accounts are included in the necessary groups. But before the stage of assigning rights to folders and files using groups, I would like to discuss a couple of points.

    Is it worth bothering with a group if there is only one account in it? I think it's worth it! The group gives flexibility and maneuverability. Tomorrow you will need to give another person B the same rights as to a certain person with his account A. You simply add account B to the group where A already exists and that’s it!

    It is much easier when access rights are granted to groups rather than to individuals. All you have to do is manipulate the groups and include the necessary accounts in them.

    Access rights.

    It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is included in the Administrators group.

    So we’ve reached the stage where the magic of delineating access rights for different groups, and through them, users (more precisely, their accounts) actually happens.

    So, we have a directory at C:\dostup\, which we have already made available to all employees over the network. Inside the C:\dostup\ directory, for the sake of example, we will create the folders Contracts, Orders, MC Accounting. Let's assume that there is a task to do:

    • the Agreement folder must be read-only for Accountants. Read and write for a group of Managers.
    • the AccountingMC folder must be accessible to Accountants for reading and writing. The Managers group does not have access.
    • the Orders folder should be read-only for Accountants and Managers.

    On the Agreement folder, right-click and there Properties - Security tab. We see that some groups and users already have access to it. These rights were inherited from the parent dostup\, and that in turn from its parent C:

    We will interrupt this inheritance of rights and assign our own desired rights.

    Click the Advanced button - Permissions tab - button Change permissions.

    First, we interrupt the inheritance of rights from the parent. Uncheck the box Add permissions that are inherited from parent objects. We will be warned that permissions from the parent will not apply to this object(V in this case this is the Agreement folder). Select: Cancel or Delete or Add. Click Add and the rights from the parent will remain our inheritance, but the rights of the parent will no longer apply to us. In other words, if in the future the access rights of the parent (the dostup folder) are changed, this will not affect the child folder of the Agreement. Note in the box Inherited from costs not inherited. That is the connection parent - child torn.

    Now we carefully remove unnecessary rights, leaving Full access for Administrators and System. We select in turn all sorts of Verified and just Users and delete it with the Delete button.

    Add button in this window Additional options security is intended for experienced administrators who will be able to set special, special permissions. The article is aimed at the knowledge of an experienced user.

    We tick Replace all permissions of a child object with permissions inherited from this object and click OK. Let's go back and again Ok to go back to simple view Properties.

    This window will make it easier to achieve what you want. The Edit button will display the Group Permissions window.

    Click Add. In the new window, write Accountants and click “Check names” - OK. By default, “read” access is given in a simplified form. The checkboxes in the Allow column are automatically set to “Read and Execute”, “List folder contents”, “Read”. We are happy with this and click OK.

    Now, according to our technical specifications, we need to give read and write rights to the Managers group. If we are in the Properties window, then again Change - Add - enter Managers - Check names. Add the Change and Write checkboxes in the Allow column.

    Now we need to check everything!

    Follow the thought. We have ordered that the Treaty folder does not inherit rights from its parent dostup. Ordered child folders and files inside the Agreement folder to inherit rights from it.

    We have imposed the following access rights on the Agreement folder: the Accountants group should only read files and open folders inside, and the Managers group should create, modify files and create folders.

    Therefore, if a document file is created inside the Agreement directory, it will have permissions from its parent. Users with their own accounts will have access to such files and directories through their groups.

    Go to the Agreements folder and create a test file agreement1.txt

    On it, right-click and there Properties - Security tab - Advanced - Effective permissions tab.

    Click Select and write the account of any accountant, for example buh1. We can clearly see that buh1 has received rights from his Accountants group, which has read rights to the parent Agreement folder, which “extends” its permissions to its child objects.

    Let's try manager2 and see clearly that the manager gets read and write access, since he is a member of the Managers group, which gives such rights for this folder.

    In exactly the same way, by analogy with the Agreement folder, access rights are imposed for other folders, following your technical specifications.

    Bottom line.

    • Use NTFS partitions.
    • When you restrict access to folders (and files), manipulate groups.
    • Create accounts for each user. 1 person = 1 account.
    • Include accounts in groups. An account can be a member of different groups at the same time. If an account is in several groups and one group allows something, then it will be allowed for the account.
    • The Deny column (denying rights) takes precedence over Allow. If an account is in several groups and one group prohibits something, and another group allows it, then it will be prohibited for the account.
    • Remove an account from a group if you want to deny access that this group provides.
    • Think about hiring an admin and don’t offend him with money.

    Ask questions in the comments and ask, correct.

    The video shows special case, when you just need to deny access to a folder, taking advantage of the fact that denying rules take precedence over allowing rules.

    Access control.

    An automated system, depending on its complexity and the tasks performed, can be located in one, two, three, etc. rooms, floors, buildings. Due to the difference in functional responsibilities and work with different documents it is necessary to ensure differentiation of user access to their workplaces, equipment and information. This is ensured by placing user workstations in separate rooms, closed with various types of locks on entrance doors with security alarm sensors installed on them or the use of special automatic system access control to premises using tokens or cards with the individual code of its owner recorded in its memory.

    Access control in automated system consists in dividing the information circulating in it into parts and organizing access to it for officials in accordance with their functional responsibilities and powers. The goal of such differentiation of access to information is to reduce the number of officials who have no relation to it when performing their functions, i.e. protection of information from intruders among legitimate users.

    The main task of access control and differentiation (ACRD) is to block unauthorized, control and limit authorized access to information subject to protection. At the same time, differentiation of access to information and software for processing it must be carried out in accordance with the functional responsibilities and powers of official users, service personnel and work managers.

    The basic principle of constructing the PCRD is that only such access to information is allowed and carried out, which contains the corresponding signs of authorized powers. For these purposes, identification and authentication of users, devices, etc., division of information and functions of its processing are carried out in accordance with established access control requirements, installation and entry of user rights

    The division of information and its processing functions is usually carried out according to the following criteria:

    By degree of importance;

    According to the degree of secrecy;

    According to the functions performed by users and devices;

    By document name;

    By types of documents;

    By type of data;

    By name of volumes, files, arrays, records;

    By username;

    By information processing functions: reading, writing, execution;

    By time of day.

    Taking into account that access is carried out from various technical means, differentiation can begin by limiting access to technical means by placing them in separate rooms. All preparatory functions of equipment maintenance, repair, prevention, reboot software and others must be technically and organizationally separated from the main tasks of the system. The automation equipment complex and the organization of its maintenance should be structured as follows:

    Maintenance of the IS during operation must be performed by special technical personnel without access to the information to be protected;

    Information security functions must be performed by a special unit in the organization that owns the IP, computer network or ACS;

    The organization of user access to IS memory should provide the ability to differentiate access to information stored in it with a sufficient degree of detail and in accordance with specified levels of user authority;

    Registration and documentation of technological and operational information must be separated.

    As personal identifiers to implement differentiation, the use of password codes, which are stored in the user’s memory and the IS, is widespread. To help the user in systems with increased requirements, large values ​​of password codes are recorded on special media - electronic keys, tokens, smart cards, etc.

    The fundamental possibility of distinguishing by specified parameters must be provided by the IP project. And the specific distinction in the operation of the information system is established by the consumer and entered into the system by his department responsible for information security.

    For these purposes, when designing computing tools for building an IS, the following is carried out:

    Development operating system with the ability to implement access control to information stored in the memory of a computer, PC, server;

    Isolation of access areas;

    Dividing the database into groups;

    Procedures for monitoring the listed functions.

    Development and implementation of functional tasks for delimiting and controlling access to equipment and information both within this IS and the automated control system (network) as a whole;

    Development of hardware for user identification and authentication;

    Development software control and management of access control;

    Development of separate operational documentation for identification, authentication, demarcation and access control means.

    The choice of specific access control features and their combinations is made in accordance with terms of reference when designing software for an automated system.

    Information to be protected must be located in non-overlapping memory areas. Any of these areas stores a collection of information objects, each of which is subject to protection. Protection in this case comes down to the fact that access to information object is carried out through a single guarded entrance. The “security” function includes user identification by name (or conditional number) and provided password code. If the result of the check is positive, his access to information is permitted in accordance with the powers allocated to him. These procedures are performed every time the user makes a request, issues commands, etc. In order not to type the password every time, it is convenient to store the presented password on a special physical media(key, map), which is in front of the entrance to computer system must be inserted by the user into a special socket of the workstation. In addition, after removing the media with the password from the slot, login to the system is immediately blocked.

    If the requirements for information protection for a particular system allow the use of manually entering a password, it is necessary to make sure that the presented password for repeated calls in the process of working with information is in the memory of this workstation. Storage in a central computer is allowed only if it is linked to the conditional number of a given workstation, i.e. all subsequent requests to the central computer must be accepted for processing only with the conditional workstation number from which the stored password code was presented. Upon completion of work, to exclude the possibility of unauthorized access from outside outside users It is necessary to enter the appropriate command from the workstation, by which the previously presented and stored password is erased. A message about the fact of erasure should be displayed on the user's workstation. To check the last operation, it is useful to repeat one of the previous calls without a password and verify this by the negative reaction of the computer system.


    Introduction.

    Statement of the problem.
    Implementation of the task.




    End of Procedure


    endIf;



    Function ProvDostRight(Right)

    Request = New Request;

    Query.Text = "SELECT

    | ValuesAdditionalRightValue

    Selection.Next();

    Return Sample.Value;

    Return False;

    endIf;

    EndFunction


    Procedure OnOpen()

    End of Procedure




    Conclusion.
    References.
    Application.




    Introduction.

    To date, on Russian market Accounting automation is leading applied solutions developed on the basis of a platform developed by the Russian company 1C. According to sociological studies published on the Internet, in Russia and the CIS countries, 90% of organizations use these systems to automate accounting. Also, these systems have no analogues for full automation of accounting according to RAS. Since accounting and tax reporting, processed and stored in such systems constitutes confidential information any organization, then this information must be protected at the proper level. In addition to accounting, many areas of accounting were automated using these systems (for example, personnel records and payroll, operational and management accounting, customer relationships, etc.).


    Statement of the problem.

    In this work, I want to describe methods and methods for protecting information in databases built on the basis of 1C Enterprise systems.

    IN present moment 3 versions of 1C are actively used, namely versions 7.7, 8.1 and 8.2. Version 7.7 has already become obsolete and outdated, and I see no practical point in considering this system as an example. Since version 8.2 went on official sale quite recently, I settled on version “1C Enterprise 8.1”. As an example, we took the previously developed educational system to automate operational and accounting tasks and payroll calculations.

    Because the system operates on the organization’s local network, or on local computer, then protecting this system from possible external attacks falls on the network administrator. In this example, I will mainly describe the mechanism for limiting access to information for specific employees of the organization.

    This system allows you to purchase goods from a warehouse and sell them, while it is possible to provide some services to the buyer. When carrying out purchase and sale transactions, the system automatically accumulates accounting and operational accounting data. Also, to implement accounting tasks, it is possible to enter manual transactions, i.e. entering correspondence accounts, indicating the necessary analytics, quantities and amounts on the relevant accounts. For the task of calculating wages, the system has implemented the ability to enter salary accruals, bonuses, travel accruals and enter absenteeism.

    The following rights to access objects must be set:

    Create administrator rights for full access to all data.

    For the head of the organization, grant rights to reports and rights to view all documents.

    For accounting employees, provide the right to access accounting documents and reports.

    For employees of the operational department, provide the rights to create incoming and outgoing documents, while each employee can create and view documents only for the counterparty to whom he is assigned as a responsible person.

    For HR department employees, provide access only to objects necessary for payroll processing.

    For all employees except management, prohibit the printing of unpublished documents.

    Set the appropriate rights for all users and provide identification using a password or using the operating system.


    Implementation of the task.

    Access control using roles.


    The role mechanism allows you to set rights to read, view, change, delete, conduct, etc. for each configuration object. Configuration objects mean directories (storage reference information, for example, nomenclature, counterparties, etc.), documents (intended to reflect business transactions, such as invoice, payroll, etc.) and registers that accumulate any information. Figure 1 shows some of the main objects considered in this example.

    Figure 1. Main configuration objects.

    You can create an unlimited number of roles in the system, in each role you can set rights for one object, and each user can set several roles. When assigning several roles to one user, his rights are set based on the following rule: An action is available if it is allowed in at least one role, and an action is not available if it is prohibited in all roles. You can provide a particular role only visually, and only at the stage of configuring the configuration. At the execution stage, roles cannot be changed in any way.

    Figure 2 provides an example of establishing full rights for the system administrator.


    Figure 2. Setting all rights for a role.


    For other users you need to install necessary rights, this is illustrated in Figure 3.


    Figure 3. An example of establishing rights for a specific user.


    Segregation of rights at the record level.


    A mechanism for separating rights at the record level is necessary to restrict access to records in tables information base, according to certain criteria. For example, access only to those entries in the directory of counterparties in which the current user is responsible. As an example, Figure 4 shows program text that restricts user access to entries in the list of invoice documents.


    Figure 4. Example of record-level access restriction.


    The user is identified using the “Current Contractor” session parameter; information about users is stored in the “Employees” directory. The "Current Executor" session parameter is set when the program starts using the following program text:

    Procedure When System Starts()

    Session Parameters.CurrentExecutor= Directories.Employees.FindByCode(UserName());

    End of Procedure


    Access control using software methods.


    In addition to the role mechanism, the program can configure access to data by writing procedures and functions in the language built into 1C Enterprise. An example is the ability of the system to open a form ( visual element which the user is working with) is only viewable if certain conditions are met, for example:

    IfSessionParameters.CurrentUser =

    Directories.Employees.FindByName("Ivanov") Then

    ThisForm.ViewOnly = True;

    endIf;


    More complex example serves as a mechanism that allows, in program execution mode, to issue the necessary rights to the user, for example, permission or prohibition of printing unpublished documents. To implement this task, an enumeration was created that stores a list of additional rights, and a table (Information Register) that stores the values ​​of additional rights. The following procedure has been created in the general module to obtain the right value for the current user:


    Function ProvDostRight(Right)

    Request = New Request;

    Query.Text = "SELECT

    | ValuesAdditionalRightValue

    | Information Register.Additional Rights Values ​​AS Additional Rights Values

    | ValuesAdd.Employee = &Employee

    | And ValuesAdditionalRight.Right = &Right";

    Request.SetParameter("Employee",

    SessionParameters.CurrentExecutor);

    Request.SetParameter("Right", Right);

    Result = Query.Run();

    If Not Result.Empty() Then

    Selection = Result.Select();

    Selection.Next();

    Return Sample.Value;

    Return False;

    endIf;

    EndFunction


    On the Invoice document form there is a “Print” button, which is responsible for generating a printed form of this document. When opening this document, we will set the availability of this button for the user using the following program text:

    Procedure OnOpen()

    Form Elements.MainFormActions.Buttons.Print.

    Availability = ProvDostRight(Enumerations.

    Additional Rights.Print of Unposted Documents);

    End of Procedure


    Assigning roles and means of user identification.


    Users who are allowed to work with the program are created in task configuration mode, or the user can be created programmatically. Figure 5 shows an example of creating a user and assigning the appropriate rights to him.


    Figure 5. List of users, roles and identification tools.


    Conclusion.

    In this work, we looked at a fairly simple example of an accounting task, and a simple example of setting up user rights in this task. But this example allows you to clearly illustrate the capabilities of the system in terms of separation of rights, which is very important in many organizations, and provides each employee with access only to the information that he needs.

    The appendix contains screenshots while the program is running, illustrating the settings made.


    References.

    Gabets A.P., Goncharov D.I. 1C:Enterprise 8.1. Simple examples development. – M.: LLC “1C-Publishing”; St. Petersburg: Peter, 2008. – 383 pp.: ill. + CD-ROM.

    1C:Enterprise 8.2. Developer's Guide. Part 1. – M.: ZAO “1C”, 2009 – 638 pp.: ill.

    Radchenko M.G. 1C:Enterprise 8.1. Practical guide developer. Examples and typical techniques. M.: 1C-Publishing LLC, 2008. 874 p.: ill.

    Belousov P.S. Methodological materials for the training course “Configuring the 1C:Enterprise 8.1 platform.” – M.: ZAO “1C”, 2007 – 272 p.: ill.


    Application.

    An example of an unauthorized login attempt.



    An example of access control by restricting access through roles, the illustration shows an attempt to open a directory that the user does not have rights to read.

    An example of delimiting rights at the record level.



    Example software implementation the “Print” button is unavailable in the “Invoice” document.



    After identification and authentication have been completed, it is necessary to establish the powers (set of rights) of the subject for subsequent control of the authorized use of computing resources available in the AS. This process is called access control (logical control).

    Typically, the subject's powers are represented by: a list of resources available to the user, and access rights to each resource from the list. Computing resources can be programs, information, logical devices, memory, CPU time, priority, etc.

    Typically, the following access control methods are distinguished:

    Access control based on lists;

    Using the Authority Establishment Matrix;

    Password access control.

    When restricting access based on lists, the following correspondences are specified:

    For each user - a list of resources and access rights to them or

    For each resource – a list of users and their access rights to this resource.

    Lists allow you to set rights down to the user. It is not difficult to add rights or explicitly deny access here. Lists are used in most operating systems and DBMSs.

    The use of an authorization matrix implies the use of an access matrix (authority table). In the specified matrix (see Table 2.7), the rows are the identifiers of subjects who have access to the AS, and the columns are the objects (information resources) of the AS. Each matrix element can contain the name and size of the resource provided, access rights (read, write, etc.), a link to another information structure, specifying access rights, a link to the program that manages access rights, etc.

    Table 2.7

    Fragment of the authority establishment matrix

    Program

    User 1

    User 2

    w from 9:00 to 17:00

    c – create, d – delete, r – read, w – write, e – execute.

    This method provides a more unified and convenient approach, since all information about permissions is stored in the form of a single table, and not in the form of different types of lists. The disadvantages of the matrix are its possible cumbersomeness and not entirely optimal use of resources (most cells are empty).

    Access restrictions by privacy levels and categories consist in the fact that AS resources are divided in accordance with privacy levels or categories.

    When distinguishing by level of secrecy, several levels are distinguished, for example: general access, confidential, secret, top secret. The permissions of each user are set in accordance with the maximum privacy level to which he is admitted. The user has access to all data that has a level of secrecy no higher than he has.

    When distinguishing by categories, the rank of the category corresponding to the user is set and controlled. Accordingly, all AS resources are decomposed by level of importance, and a certain level corresponds to a certain rank of personnel (such as manager, administrator, user).

    Password separation obviously represents the use of methods for subjects to access objects using a password. All methods are used password protection. Obviously, the constant use of passwords creates inconvenience for users and time delays. Therefore, these methods are used in exceptional situations.

    In practice they usually combine various methods access restrictions. For example, the first three methods are strengthened with password protection.

    At the end of the subsection, we note that governing documents can regulate two types (principles) of access control:

    Discrete access control;

    Mandatory access control.

    Discrete access control is the delimitation of access between named subjects and named objects. An entity with a certain access right can transfer this right to any other entity. This type is organized based on the methods of delimitation by lists or using a matrix.

    Mandatory access control regulates the delimitation of access of subjects to objects, based on the information contained in the objects, characterized by a confidentiality label, and the official permission (admission) of subjects to access information of this level of confidentiality. Otherwise, to implement mandatory access control, each subject and each object is assigned classification labels that reflect their place in the corresponding hierarchy. Using these labels, subjects and objects must be assigned classification levels, which are combinations of hierarchical classification level and hierarchical categories. These labels should serve as the basis for the mandatory principle of access control. It is clear that methods of restricting access by security levels and categories are examples of mandatory access control.

    Read more: