Edit Role

How to setup access rights?
Restriction templates
Sample templates

Roles define the privileges of various user categories for access to information processed by the system.

The left pane of the dialog box displays a tree of configuration objects for the selected subsystems. The right pane of the dialog box will display a list of rights for the object selected in the configuration tree, as well as a list of data field access restrictions.

Access rights may have two statuses: Allowed (checked) and Not allowed (unchecked).

Select a configuration object and grant or remove rights for each action type in the access right list.

Using the Actions menu you can grant or clear all the rights, allow or disallow selection by subsystems.

You can output the settings of rights for a selected role into a text or spreadsheet document using the Actions - Output List command.

If Set rights for new objects is checked, the user automatically has the rights granted for every newly created object.

When the Set rights for attributes and tabular sections by default checkbox is toggled, a prompt will be displayed to grant or remove rights to all attributes and tabular sections. Answering "Yes" will result in granting /removal of rights to all the attributes and tabular sections. Answering "No" will not change the rights. 

If Independent rights of subordinate objects is not checked, rights to a parent object are taken into account when determining the right to a specific object. If the parent object does not have the right, there is no right to the subordinate object either irrespective of the setting.
If Independent rights of subordinate objects is checked, only the right setting for this subordinate object is taken into account when determining the right to the object.

Parent object rights are checked before adding to rights of other roles. After rights are added, parent object rights are not checked additionally.
These rules are valid for the following objects:

• Attributes, Standard attributes;
• Tabular sections, Standard tabular sections;
• Attributes of tabular sections, Standard attributes of standard tabular sections;
• Commands.

The Restriction Templates tab is intended to create and modify the templates used in restriction access text.

Every access restriction template has a name and a text. The template name is compliant with the usual naming conventions of 1C:Enterprise 8 system.

In the template name it is possible to add parameter names that can be accepted by the template in brackets. In a template text you can use parameters with "#" for prefix.

Example:

Template(Field, User)
Template text:
WHERE #Field = "#User"

Part of the template text uses query language. Template text can also contain parameters marked by "#" character. The "#" character may be followed by:

• Parameter keyword followed by the parameter’s number in template in brackets;
• CurrentTable keyword indicates that the alias of the current table the restriction is generated for will be inserted into the text;
• # character - indicates that a single # character will be inserted in the text.

You can use the following predefined templates in the access restrictions statements:

• #CurrentTableName. The full name of the table the statement is applied to using the current 1C:Enterprise script version, enclosed in double quotation marks;
• #CurrentAccessRightName. The name of the right the statement is generated for. One of the following: "READ", "INSERT", "UPDATE", or "DELETE", enclosed in double quotation marks.

If a template parameter name matches a name of a predefined parameter, the value of the template parameter is used.

It is possible to use a preprocessor in access restrictions.

The following preprocessor statements are available:

#IF <Expression> #THEN

#ELSEIF <Expression> #THEN

#ELSE

#ENDIF

An expression may use comparison operations <,>,<=,>=, =, <>, logical operations AND, OR, NOT, session parameters. The following syntax is used to open a session parameter &Parameter, where Parameter is a session parameter name.

If in #IF statement the result of an expression will be TRUE, the resulting statement text will have a text after #THEN keyword.

When an expression results in FALSE, the text following #THEN keyword will not be included in the resulting text.

It is the same for the #ELSEIF statement.

The text following #ELSE will be added to the resulting text if none of the earlier criteria is met.

If an access restriction includes preprocessor statements, such restriction is not subject to syntax check during editing. Furthermore, when an access restriction includes preprocessor statements, this restriction cannot be edited with the wizard.

A preprocessor expression of an access restriction may include a function reading StringIncludes(String1,String2), where String1 is the parameter defining the string to search in and String2 is the string to search for.

You can also use "+" operation in a preprocessor expression to add strings.

Restriction templates are used in the access restriction texts as follows: the restriction text specifies the template name preceded by #. Template name is followed by comma separated template parameters in brackets. Each parameter value is encased in double quotation marks. If parameter text contains a quotation mark character, two double quotation marks are used.
1C: Enterprise 8 performs syntax check for the template texts, templates use and macrosubstitution of role access restriction template text into query text. Template macrosubstitution consists of:

• replacing parameters’ occurrences in template text with parameter values from template use expression in restriction text;
• replacing template use expression in query text with resulting template text.

Below you will find sample restriction templates: