Security Profiles

We pay considerable attention to the security and stability of 1C:Enterprise in service mode. Working in this mode creates responsibilities that did not arise before, when 1C:Enterprise application solutions were operated by the customer organization itself. If, because of an illiterate or deliberately malicious configuration, the operation of an application led to problems, those were the problems only of the entity operating that application solution.

In service mode, the situation is completely different. A service provider offering application solutions over the Internet may deal not only with its own developments or with configurations developed by 1C. It may also provide services for using application solutions created by third-party vendors. In this case, the owner of the service has to be protected against a third-party application solution, accidentally or deliberately, disrupting the operation of the entire service and the operation of other application solutions published in the service.

To solve this problem, we added a new entity to the server cluster: security profiles. A security profile prohibits the application solution from performing actions that could be dangerous to the functioning of the server cluster.

The cluster administrator can assign one of the security profiles to any infobase. After that, the potentially dangerous functionality of the application solution is restricted to the limits described in this profile.

By default, after creation, a security profile prohibits the execution of all potentially dangerous actions:

These are actions such as:

  • access to the server file system;
  • launching COM objects;
  • use of external components of 1C:Enterprise;
  • launching external data processors and reports;
  • launching applications installed on the server;
  • access to Internet resources.

Thus, it is easy to protect against unwanted actions of an unfamiliar application solution: create an empty security profile and assign it to the infobase.

Then, if necessary, you can extend this profile by describing the actions that the application solution is allowed to perform.

For example, you can allow an application solution to access a certain area of the server's file system. To do this, describe the permission in the Virtual directories section:

In this case, the code of the application solution operates on the logical URL, while physically, on the server, access goes to the directory specified in the Physical URL property. An exception is thrown when the application solution tries to access a path other than the logical URL.
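The logical-to-physical mapping described above can be modelled in a few lines. This is an added example, not 1C:Enterprise code: the `/exchange` permission, the tenant directory and the `resolve` helper are constructed for illustration, and the normalisation rules are an assumption about how such a check should behave.

```python
import posixpath

class AccessDenied(Exception):
    """Raised when a path falls outside every permitted virtual directory."""

# Constructed sample permission: logical URL -> physical directory on the server.
VIRTUAL_DIRS = {"/exchange": "/srv/1c/tenant42/exchange"}

def resolve(logical_path, virtual_dirs=VIRTUAL_DIRS):
    """Map a logical path to its physical path, or raise AccessDenied."""
    # Normalise first so "/exchange/../etc" cannot slip past the prefix check.
    unified = logical_path.replace("\\", "/").lstrip("/")
    clean = posixpath.normpath("/" + unified)
    for logical, physical in virtual_dirs.items():
        root = logical.rstrip("/")
        # Compare whole path segments: "/exchange2" must not match "/exchange".
        if clean == root or clean.startswith(root + "/"):
            tail = clean[len(root):].lstrip("/")
            return posixpath.join(physical, tail).rstrip("/")
    # Default deny: anything not covered by a permission is refused.
    raise AccessDenied(clean)

def is_denied(logical_path):
    """Convenience wrapper: True when the profile would refuse the path."""
    try:
        resolve(logical_path)
        return False
    except AccessDenied:
        return True
```

The application code only ever sees `/exchange/...`; the physical location stays a property of the profile and can differ per infobase.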

You can allow running and using COM objects installed on the server. For example, the Microsoft Excel application:

To do this, specify in the permission the identifier of the COM class Excel.Application installed on the server. This information can be obtained from the Windows registry. If the application solution tries to use another COM class, an exception is thrown.

In addition, you can allow the use of some external components of 1C:Enterprise. For example, the external component Full Name Declension:

In this case, the checksum of the external component file has to be specified in the permission. You can find it out using one of the utilities available on the Internet or by writing a small piece of code in the built-in 1C:Enterprise language.

To allow working with an external report or data processor, you also need to specify the checksum of the report or data processor file in the permission:

To allow an application solution to launch an application installed on the server, specify the template for the launch line of this application:

So the given example allows the application solution to run Microsoft Office Word 2007 on the server; in the launch line template, the “%” character means an arbitrary sequence of characters.
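Because “%” matches any sequence of characters, where it sits in a template decides how much the permission really allows. The sketch below is an added example, not 1C:Enterprise code: it models the matching and flags templates that are broader than intended. The helper names and the sample template are constructed, and whole-line, case-sensitive matching is an assumption.

```python
import re

# Constructed sample: a template pinned to one executable, free arguments.
TEMPLATES = [r'"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" %']

def template_to_regex(template):
    """Compile a launch-line template; '%' matches any run of characters."""
    parts = (re.escape(p) for p in template.split("%"))
    return re.compile(".*".join(parts), re.DOTALL)

def is_launch_allowed(command_line, templates=TEMPLATES):
    """Default deny: the whole command line must match some template."""
    return any(template_to_regex(t).fullmatch(command_line) for t in templates)

def audit_template(template):
    """Return review findings for a template that is broader than it looks."""
    findings = []
    if template.strip('%" ') == "":
        findings.append("matches every command line")
    if template.lstrip('"').startswith("%"):
        findings.append("leading % lets any executable path match")
    if template.rstrip('"').endswith("%"):
        findings.append("trailing % lets any arguments follow")
    return findings
```

A profile review can run `audit_template` over every launch permission and require a justification for each finding before the profile is assigned to a third-party infobase.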

And finally, you can allow the application solution to access some Internet resources:

To do this, specify the protocol through which the access is performed and the site address.

Thus, you can gradually allow the application solution to work with the necessary resources without violating the required level of security.

It may be known in advance that, for example, all external components with which the application solution works are safe and do not contain malicious code. In this case, you do not need to create a separate permission for each of them. In the properties of the security profile, you can allow the launch of any external components:

It will then not matter which permissions are set in the External components section.

Thanks to security profiles, it is now possible to reliably isolate infobases working in service mode from each other, as well as to isolate from each other the separate areas of the same database working in data separation mode. In addition, using profiles generally increases the reliability of the cluster by prohibiting potentially dangerous actions.

Another important point related to the introduction of security profiles is the extended use of the safe mode of program code execution. For safe mode, you can now allow some previously prohibited actions, for example, working with temporary files.
