User identification error in 1C 8.3. Section "Modernization of management and financial and economic mechanisms at different levels of the education system using 1C technologies"

05.12.2014

Setting a password for logging in to 1C Salary and Human Resources.

The main administration mechanisms also include an authentication mechanism, which serves to identify the user who is currently connected to the software product.

There are 3 types of authentication mechanisms, the choice of which directly depends on the goal pursued by the database administrator:

  • 1C: Enterprise authentication;
  • OS authentication;
  • OpenID authentication.

1C: Enterprise authentication is one of the authentication mechanisms, for which you need to create a password in the 1C: Enterprise program configurator:

When using this mechanism, to enter the system, you must select a username and enter a password for this account:

If an incorrect password is entered (does not match the one stored in the database), the user will be denied access to this software product.

An authentication mechanism can also be created in 1C: Enterprise. To open the mode of creating and editing a password, select "Service" in the program menu and then go to "User parameters" - a dialog box will appear on the monitor.

In the window that appears, you must enter the full and short username; to exclude the possibility of guessing the password, the password is entered again for confirmation.

The next authentication mechanism for 1C: Enterprise is operating system authentication.

This authentication mechanism implies the selection of one of the existing users in the configurator:

When logging into the system using this authentication mechanism, entering a username and password is optional. The system analyzes the user name and determines the 1C: Enterprise 8 user who is starting to work with the software product. Thus, no dialog box needs to appear unless a special command line parameter is specified.

What is OpenID Authentication? This mechanism is not based on the data of a certain information base, but on the data of an external OpenID provider, which contains information about users.

The undoubted advantage of this authentication mechanism is the convenience of working with a large number of infobases.

If you use 1C: Enterprise authentication, it becomes necessary to enter your username and password every time you connect to the database.

With OpenID authentication, this need no longer arises: having passed the authentication procedure once when connecting to the databases, you can then get access without entering a username and password. User authentication is done automatically thanks to the information stored by the provider.

The following diagram reflects the algorithm of actions when passing the authentication procedure:

In this diagram, we see that the 1C: Enterprise database acts as an OpenID provider (its special parameters can be found on the web server).

1 - user starts using database 1,

2 - database 1 sends a request to the OpenID provider to authenticate the user,

3 - the provider performs user identification: if the login and password are confirmed, the confirmation of the connection is saved in cookies,

4 - thanks to the confirmation of the connection, the user logs in and starts working with the database 1,

5, 6 - if the user wants to connect to a different database, there is no need to re-pass the authentication procedure - using the saved confirmation in the cookie, the OpenID provider will authenticate without involving the user.

The settings of the OpenID provider allow you to adjust how long the confirmed authentication is remembered if the user has not accessed the databases for a long time.
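Steps 1-6 and the validity period can be traced in a small model. This is an added example, not 1C platform code: the class names, the cookie name `provider_session`, the sample account and the reading of the validity period as an idle timeout are all assumptions made for the illustration.

```python
import hmac
import secrets


class OpenIDProvider:
    """Toy OpenID provider: verifies credentials and remembers the confirmation."""

    def __init__(self, users, idle_lifetime):
        self.users = users                  # login -> password (constructed sample data)
        self.idle_lifetime = idle_lifetime  # seconds a confirmation survives without use
        self.sessions = {}                  # cookie value -> [login, last_used]

    def authenticate(self, cookies, now, login=None, password=None):
        """Return the confirmed login, or None if credentials are needed or wrong."""
        session = self.sessions.get(cookies.get("provider_session"))
        if session and now - session[1] <= self.idle_lifetime:
            session[1] = now                # steps 5, 6: silent re-authentication
            return session[0]
        # Missing or expired confirmation: forget it and fall back to credentials.
        self.sessions.pop(cookies.pop("provider_session", None), None)
        expected = self.users.get(login)
        if expected is None or password is None:
            return None
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(16)   # step 3: confirmation saved in a cookie
        self.sessions[token] = [login, now]
        cookies["provider_session"] = token
        return login


class Infobase:
    """Relying infobase: never checks passwords itself, only asks the provider."""

    def __init__(self, name, provider):
        self.name = name
        self.provider = provider

    def open(self, cookies, now, login=None, password=None):
        user = self.provider.authenticate(cookies, now, login, password)  # steps 1, 2
        return f"{user}@{self.name}" if user else None                    # step 4


def run_demo():
    provider = OpenIDProvider({"ivanov": "constructed-password"}, idle_lifetime=3600)
    db1, db2 = Infobase("db1", provider), Infobase("db2", provider)
    cookies = {}                            # the user's client-side cookie jar
    return [
        db1.open(cookies, now=0),                                # no cookie yet
        db1.open(cookies, 0, "ivanov", "constructed-password"),  # interactive login
        db2.open(cookies, now=600),                              # silent, other infobase
        db2.open(cookies, now=600 + 3601),                       # idle for too long
    ]


if __name__ == "__main__":
    print(run_demo())
```

The third call shows why the validity period matters: until the confirmation expires, whoever holds the cookie reaches every infobase that trusts the provider without entering a password.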

To access the software product, the user must have at least one of the types of authentication.

A simple processing on managed and regular forms for the 8.2-8.3 platform that allows you to change the 1C: Enterprise authentication password and then restore it. It will be useful for administrators and programmers who work with 1C.

Recently I ran into a problem that required a simple solution. Actually, the problem can be squeezed into one question: how to help the user without knowing or resetting his password?

In many offices, in order to reproduce an error, administrators, programmers and other technical specialists used 1C: Enterprise authentication. That is, the user "complained" about the error, and the specialists logged in under his account and tried to reproduce it, got the error and fixed it in the code.

With the development of the mobile platform and mobile clients, 1C: Enterprise authentication becomes "occupied" by the user, since synchronization takes place through it. That is, not every user wants to divulge his password or use a password that was "assigned" to him. Our office is also more and more connected with mobile clients. This is where the previously mentioned question arose.

I rummaged through the Internet and found a bunch of descriptions of how to break passwords in a file database or in server versions. In the case of the file version you do not need any rights; it is enough to install a viewer for *.1CD database files and change the passwords in the V8USERS table. It should be noted that passwords are not stored there in plain form; the hash of the password is stored. The hash of the unknown password is changed to the hash of a known password. In the case of server databases, you need to know the login of the database administrator, and it is not tricky to change the password there. But how do you explain the authentication error to the user after such hacks? And why such difficulties?

I also found a processing that guesses passwords while requiring the same rights as my processing. Well, it guesses the password 123 or even 123456 quickly, but what if the password is a real one? It reports that guessing will take about 90 days. That is no good! It may also turn out that, while the password is being guessed, the user changes it. Moreover, he can change it more than once.

In general, I propose a little processing that changes the hash of the unknown password to the hash of the desired password, and then replaces it back. It works both on managed forms and on regular forms. It can be embedded through "additional processing and reports"; a procedure with a description of the processing is added to the object module.

Or you can embed it through "Configuration Extensions", a very useful feature that currently allows you to add processing and reports to the configuration without removing it from support. That is, the typical configuration remains a typical configuration even if a processing is added.

Principle of operation:

For the user, we get a hash of the password.

// User is an item of the Users catalog
UserIB = InfoBaseUsers.FindByUUID(User.IBUserID);
// StoredPasswordValue stores the hash of the password
UserPassword = UserIB.StoredPasswordValue;
// Name stores the user name
UserLogin = UserIB.Name;

Enter the desired password and get its hash.

We change the hash of the user to the hash of the desired password.

We log into the system with a new password. We change everything back.
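A swap followed by a restore leaves the account looking unchanged afterwards, so it only shows up in a history of the stored values. The check below is an added example, not part of the original post or of the processing it describes; it assumes the administrator periodically exports each account's name and stored password value, and the sample data and function name are constructed.

```python
from collections import defaultdict

# Constructed sample: hourly exports of (timestamp, user name, stored password value).
# The stored values are placeholders, not real hashes.
SNAPSHOTS = [
    (0, "ivanov", "HASH-I1"), (0, "petrov", "HASH-P1"),
    (3600, "ivanov", "HASH-I1"), (3600, "petrov", "HASH-P2"),    # petrov changes password
    (7200, "ivanov", "HASH-TMP"), (7200, "petrov", "HASH-P2"),   # ivanov's value replaced
    (10800, "ivanov", "HASH-I1"), (10800, "petrov", "HASH-P2"),  # ...and put back
]


def find_reverted_hashes(snapshots, max_window):
    """Report users whose stored value changed and later returned to an earlier value.

    A finding is reported only if the revert happened within `max_window` seconds
    of the replacement, which separates a brief swap from long-term password reuse.
    """
    changes = defaultdict(list)             # user -> [(first_seen, value)], changes only
    for ts, user, value in sorted(snapshots):
        if not changes[user] or changes[user][-1][1] != value:
            changes[user].append((ts, value))

    findings = []
    for user, seq in changes.items():
        for i in range(2, len(seq)):
            reverted_at, value = seq[i]
            # Look back for the same value, skipping the entry right before it.
            for j in range(i - 2, -1, -1):
                if seq[j][1] == value:
                    replaced_at = seq[j + 1][0]
                    if reverted_at - replaced_at <= max_window:
                        findings.append({"user": user, "replaced_at": replaced_at,
                                         "reverted_at": reverted_at})
                    break
    return findings


if __name__ == "__main__":
    print(find_reverted_hashes(SNAPSHOTS, max_window=86400))
```

A swap that starts and ends between two exports leaves no trace in this data, so the export interval bounds what the check can see.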

2009

Section "Modernization of management and financial and economic mechanisms at different levels of the education system using 1C technologies"

"25. Methods and means of ensuring information security in the" 1C: Enterprise 8.1 "system" (P.B. Khorev, Russian State Social University (RSSU), Moscow)


The continuous development of information technologies and systems leads, unfortunately, to the exacerbation of old problems and the emergence of new ones. One of these problems is the protection of information: reliably ensuring its safety and its established status of use. Therefore, ensuring the security of information and information processes is a mandatory function of modern information systems.

The main methods of protection against unauthorized access to objects of information systems are:

  • identification and authentication of users of information systems and processes activated by them;
  • authorization of subjects (determination of the subject's access rights to an object with confidential information);
  • audit of events related to the security of the information system.

This report will consider methods and means of ensuring information security available in the 1C: Enterprise 8.1 system.

The database administrator in the 1C: Enterprise 8.1 system can create and then edit the list of users who are allowed to work with the system. When adding a new user (initially the list of users is empty), the following properties of the created account are specified (on the "Basic" tab):

  • the name under which the user will be registered in the system;
  • full name (it is advisable to use this property to set the last name, first name and patronymic, position and department name of an employee of the organization in which the system is used);
  • the "1C: Enterprise" authentication flag (when this checkbox is enabled, identification and authentication of a user trying to log into the "1C: Enterprise" system are performed by means of the system itself);
  • the user password, which will be required for his identification by means of the 1C: Enterprise system;
  • confirmation of the user's password (required to exclude the possibility of an error when entering a password, since password characters are replaced by * characters when entering);
  • a flag that prohibits the user from changing his password when he is authenticated by means of 1C: Enterprise;
  • a flag that the user name is shown in the selection list when logging into the system with authentication by means of 1C: Enterprise;
  • the Windows authentication flag (when this checkbox is enabled and a user tries to log into the 1C: Enterprise system, the name under which the session with the Microsoft Windows operating system is running is determined, and the list of users of the "1C: Enterprise" system is searched for the name that corresponds to the name of the "current" Windows user);
  • the name of the Windows operating system user with which the given "1C: Enterprise" user is associated when authentication by means of the Windows operating system is used (the name can be specified in the format \\domain name\user account name or selected using the appropriate button from the list of local and global accounts known on this computer).

The database administrator can use the infobase settings to set the minimum length of system users' passwords (if the checkbox “Check the complexity of user passwords” is checked, then the minimum password length cannot be less than 7 characters) and to require that user passwords meet complexity conditions that match the password complexity requirements for Windows users (additionally, the password must not be a sequence of characters).

The most secure way to authenticate users when they enter the 1C: Enterprise system is a combination of authentication by means of 1C: Enterprise and by means of Windows. In this case, it is advisable to uncheck the "Show in the selection list" box in the "1C: Enterprise" authentication property group, and in the Windows security settings to enable the requirements for the minimum length and complexity of passwords, limit their maximum validity period, require password non-repeatability and a minimum validity period, and set a threshold value for the counter of unsuccessful Windows logon attempts.

To forcibly display the user authentication dialog using 1C: Enterprise (if the Windows authentication checkbox is enabled), you must use the /WA+ command line parameter when starting 1C: Enterprise.

It should be borne in mind that the list of users of the 1C: Enterprise system is not part of its configuration, but is created separately for each organization in which this system is installed.

A role in the 1C: Enterprise system is a set of access rights to various database objects. Roles are usually created for individual job duties, and each user of the system can be assigned one or several roles. If the user is assigned several roles, then granting him access to the database object will be done as follows:

  1. If the requested access is allowed in at least one of the roles assigned to the user, then it is granted to the user.
  2. If none of the roles assigned to the user allows the requested access, then it is not granted.

To create and edit roles, the 1C: Enterprise system configurator is used. In the process of creating a configuration, a set of typical roles is created, which can then be edited.

When creating or editing a role, a window with two tabs is used - "Rights" and "Templates of restrictions". The "Rights" tab contains a hierarchical structure of configuration objects for all subsystems and a list of access rights applicable to the selected object (to enable a right, you must set the corresponding "checkbox").

In the 1C: Enterprise system, there are two types of rights - basic and interactive. Basic rights are checked at any access to the objects of the information system. Interactive rights are checked when performing interactive operations (for example, viewing and editing data in a form).

The 1C: Enterprise system allows checking access rights by means of the built-in language. For example, when adding new commands to a form, the developer should additionally provide for checking that the user has the appropriate interactive rights.

When editing a role, it is necessary to take into account the inheritance (hierarchy) of rights: canceling a parent (senior) right cancels its "child" ("minor") rights, and setting a "child" right sets its "parent" right as well. For example, if you cancel the "View" right, the "Edit" right of the corresponding object is also canceled.
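The two evaluation rules for multiple roles and the parent/child behaviour of rights can be modelled together. This is an added example, not platform code: the `Role` class, the object names and the sample roles are constructed, and only the View/Edit pair from the text is used as the hierarchy.

```python
# Child right -> parent right it depends on (the text's example: Edit depends on View).
PARENT = {"Edit": "View"}
CHILDREN = {}
for child, parent in PARENT.items():
    CHILDREN.setdefault(parent, set()).add(child)


class Role:
    def __init__(self, name):
        self.name = name
        self.rights = {}                    # object name -> set of granted rights

    def grant(self, obj, right):
        """Setting a child right also sets its parent right."""
        granted = self.rights.setdefault(obj, set())
        while right is not None:
            granted.add(right)
            right = PARENT.get(right)

    def revoke(self, obj, right):
        """Cancelling a parent right also cancels its child rights."""
        granted = self.rights.get(obj, set())
        pending = [right]
        while pending:
            current = pending.pop()
            granted.discard(current)
            pending.extend(CHILDREN.get(current, ()))

    def allows(self, obj, right):
        return right in self.rights.get(obj, set())


def granting_roles(roles, obj, right):
    """Names of the user's roles that allow the access; an empty list means denied."""
    return [role.name for role in roles if role.allows(obj, right)]


def has_access(roles, obj, right):
    # Rule 1: one allowing role is enough. Rule 2: no allowing role means no access.
    return bool(granting_roles(roles, obj, right))


def build_sample():
    """Constructed roles for the demonstration."""
    clerk = Role("Clerk")
    clerk.grant("Catalog.Employees", "View")
    accountant = Role("Accountant")
    accountant.grant("Catalog.Employees", "Edit")   # implicitly grants View as well
    auditor = Role("Auditor")
    auditor.grant("Document.Payroll", "Edit")
    auditor.revoke("Document.Payroll", "View")      # removes Edit together with View
    return clerk, accountant, auditor


if __name__ == "__main__":
    clerk, accountant, auditor = build_sample()
    print(granting_roles([clerk, accountant], "Catalog.Employees", "Edit"))
```

Because access is the union over all assigned roles, `granting_roles` is the useful question in a review: it names the single role responsible for an access a user was not expected to have.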

Using the checkbox "Set rights for new objects", you can have access rights to new (added later) configuration objects set automatically for the edited role.

The following access rights can be set for the root configuration object:

  • administrative functions (includes opening a configuration, opening a list of users, setting up a logbook, updating a configuration, and other administrative actions);
  • updating the database configuration;
  • exclusive mode;
  • active users (opening their list);
  • logbook (opening this log);
  • external connection (work with the system via COM interface);
  • automation (work with the system as an automation server);
  • interactive opening of external processing;
  • interactive opening of external reports;
  • output (printing, saving, using the clipboard when working with the system).

For the convenience of administration, the 1C: Enterprise system provides a window for viewing and editing all roles created in this configuration. If for some role it is necessary to cancel or set all access rights to the selected object, then you can use the checkbox in the "All rights" line for the column with the name of the edited role. If for a certain access right it is necessary to cancel or set it in all roles, then you can use the checkbox in the row with the name of the corresponding right for the "All roles" column.

To delimit access to database objects at the level of individual fields and records, the 1C: Enterprise system provides a mechanism for restricting access to data (using the rights to read, add, modify and delete these objects). For the read right, it is possible to set several restrictions on access, and for the rest of the specified rights - only one restriction.

For each restriction of access to data by the right to read, it is possible to select a field by the value of which the access restriction condition will be checked, or to specify "Other fields", which will ensure that the condition for each field is checked.

A data access restriction condition can be defined using the designer or manually by creating and editing named access restriction templates on the Restriction Templates tab of the role editing window.

To make the user's work easier and to restrict his rights further, the 1C: Enterprise system provides an interface mechanism. With the help of interface objects, sets of main menu commands and toolbar elements are created, with which the user will be able to work. Using the designer of the main menu of the interface, the administrator creates a list of submenus and a list of commands for each submenu.

After defining the structure of the main menu, one or several toolbars can be added to the created interface. These panels can be located at the top, bottom, left and right in the 1C: Enterprise program window.

Note that after creating roles and interfaces, it is necessary to update the database configuration so that new users of the information system can be assigned the created roles and interfaces.

The events that should be registered in the 1C: Enterprise system log can be specified by the administrator using the log settings function. Here you can also select the time period after which the log will be saved in a new file, and shorten the log before the specified period expires by deleting records and, optionally, saving them to a file.


This section contains a description of known errors that can occur when connecting SysTecs programs to the 1C: Accounting infobases (editions 1.6, 2.0 and CORP), as well as the reasons for their occurrence and how to eliminate them.

Errors when using old versions of 1C: Enterprise 8.1 and 8.2 platforms

Problems in establishing a connection to your infobase may be caused by the use of outdated versions of 1C: Enterprise 8.1 or 8.2 technological platforms. Below is a list of platform releases that are recommended to be used to ensure guaranteed and trouble-free operation of a COM connection:

  • 1C: Enterprise 8.1: releases starting from 8.1.15.14 (from 30.10.2009)
  • 1C: Enterprise 8.2: releases starting from 8.2.13.202 (from 10.12.2010)

Errors when setting up a connection to a 1C: Enterprise server

Errors when connecting to the 1C: Enterprise 8.1 (8.2) server are in most cases caused by a discrepancy between the versions of the technological platform installed on the server and on the workstation from which the connection to the 1C: Accounting 8 infobase is established. In this case, you should install the same platform versions on the client and server. When doing this, consider the following:

  • If 1C: Accounting 8 runs on platform 8.1, the 8.1 platform releases on the server and the workstation must be identical; the version of the 8.2 platform on which the SysTecs program runs does not matter in this case.
  • If 1C: Accounting 8 runs on platform 8.2, the 8.2 platform releases on the server and the workstation must also be identical, and the release used cannot be earlier than 8.2.13.202.

Errors caused by incorrect specification of connection parameters

Connection parameter errors are identified by the program, and if they occur, the user is issued a warning containing a description of the problem that has occurred, which looks like this:

A list of possible errors and how to fix them is given in the table below.

Error: The specified path to the base directory is local of the form Disk:\Base directory. When using the program in multi-user mode, it is recommended to specify the network path to the database as follows: \\Server\Database directory
Description: This message is not an error, but a warning that occurs when a local path to the infobase is specified. Pay attention to this message if the program will be used in multi-user mode. Since the connection settings are the same for all users, while the infobase can be accessed on different computers via different network paths, problems can arise when connecting from some workstations.
Remedy: Specify the full network path (of the form \\Server\Database directory) to the 1C: Accounting 8 database.

Error: User authentication failed
Invalid username or password
Description: When specifying the connection parameters, an incorrect user name or password was given for connecting to the 1C: Accounting infobase. Note! The specified user in 1C: Accounting must have the rights to use an external connection.
Remedy: Check the sets of rights of the specified user: start 1C: Accounting manually, entering the username and password specified in the connection parameters when authorization is requested.

Error: The infobase was not found.
Database file "1Cv8.1CD" is missing
Description: The path to the 1C: Accounting infobase directory is specified incorrectly (in file mode).
Remedy: Check if the path is correct.

Error: The infobase was not found.
Description: This error occurs if the name of a non-existent database is specified on the 1C: Enterprise server.
Remedy: Start the 1C: Enterprise server and specify the name of the database used.

Error: Inconsistency in the version of the infobase file format.
Conversion is performed in the Configurator launch mode.
Old version of the database file format.
It is required to perform conversion "/1Cv8.1CD"
Description: The error occurs if 1C: Accounting works on the technological platform 8.1, and the connection parameters indicate platform version 8.2.
Remedy: Specify platform version 8.1.

Error: An error occurred while performing an operation with an infobase.
Incompatible version of database file "/1Cv8.1CD"
Description: The error occurs if 1C: Accounting 8 runs on the technological platform 8.2, and the connection parameters indicate platform version 8.1.
Remedy: Specify platform version 8.2.

Error: Inconsistency of versions of the program code of the client and server 1C: Enterprise
Client and server versions differ (8.2.XX.XXX - 8.2.XX.XXX)
(client application: COM connection)
Description: The error occurs if the 1C: Enterprise server and the client installed on the workstation have different releases.
Remedy: Update the installed client or server so that both are the same release.