Security settings

Data access is delimited and controlled (including at the level of records and database fields), and the history of data changes is preserved.

The cryptography support mechanism in 1C Platform provides a set of objects that allow interaction with external cryptography modules from third-party manufacturers, and allows application solutions to use cryptographic operations to process application data.

Various authentication methods for users of application solutions are supported: authentication using the 1C Platform: authentication by means of the operating system, authentication according to the OpenID and OpenID Connect standards. Two-factor authentication and biometric authentication for mobile application are also supported.

The administrator has the ability to manage a list of users working with the application, configure their access rights, and monitor their activities. User management is handled in the Users list, which can be grouped, for example, by company departments.

The application provides a quick and secure way to reset user passwords. The administrator can view and edit user information within the database.

The application meets modern information security requirements. To enhance protection against unauthorized access, the following features are available:

Password complexity configuration and control;
Scheduled or manual password change requirements. Password changes can be enforced periodically or on demand;
Password repetition control;
Limiting the validity period of user accounts.

Users #

To enable the use of groups in the Users list, check the User Groups box in the Admin Panel – Security settings – Users section.

Using groups is convenient when the application has many users:

To organize a large number of users (e.g., when selecting a user);
To set access rights for all users in a group at once.

When there are few users or only one, groups are generally not needed.

To access the Users list, use the link in the Admin Panel – Security settings – Users section.

If the User groups box is checked, the list is divided into two parts:

The left part of the Users list allows you to create the necessary number of groups and add users to them. The user groups list is hierarchical;
The right part of the list displays the users of the selected group. By default, the current group is All Users, meaning all application users are visible.

To view all users included in subgroups, check the Show users that belong to subgroups box at the bottom of the list.

Check the Show inactive users box at the bottom of the list to display users marked as Inactive, who are not shown in the Users list. For more details.

Next to each user’s name in the list, their status is displayed, with a status description at the bottom:

Login restricted – the user’s login is restricted until a certain date or a maximum inactivity period has been set for the user.
Login blocked – the user has login permission disabled, has no roles, or does not have the rights to launch the application (e.g., thin client, web client, etc.). Additionally, a warning message will appear in the user’s card if the relevant roles are not assigned.
Not configured – the user has no login configuration (the login name is empty).

The contact information of the selected user and their photo are displayed at the bottom of the list. If necessary (for example, if part of the users list does not fit on the screen), you can hide the contact information using the button.

In the list, you can:

Add new users using the Create button. If there are groups in the list, you can immediately add a user to the desired group. To do this, select the group and then click the Create button;
Add user groups using the Create Group button.

Adding a New User #

Please note: This process is for On-premise only. For Cloud please use Partner’s Personal Account to add users.

To add a new user, click the Create button in the Users list.

Fill in the user’s basic information:

Enter the user’s full name, which will be displayed in the application in various fields such as Author, Responsible, etc. (this field is mandatory).
For new users, the Inactive checkbox should be unchecked by default. For existing users, this checkbox may be checked when the user no longer works with the application for various reasons (e.g., if they were terminated, created by mistake, etc.). However, it is not recommended to delete the user because they may be referenced in the application (e.g., as the author of documents, executor of tasks, responsible for record keeping, etc.). This checkbox allows you to hide an inactive user from selection lists while still keeping them in previously entered documents or lists. The Inactive checkbox can only be toggled by an administrator; other users can only view the status of the checkbox. To Show inactive users, you can use the checkbox at the bottom of the Users list.

The application allows you to insert a user’s photo. To do this, click the photo area with the left mouse button and specify the path to the file on your computer.

To grant access to the application, enable the Login Allowed checkbox. This checkbox can be disabled later at any time, for example, when an employee leaves or for other reasons. It is not recommended to delete inactive users because they may be referenced in documents and lists. In such cases, the Inactive checkbox should be enabled (see above), which automatically disables the Login Allowed checkbox.

Login Restriction #

Using the toggle, you can set a login restriction for this user only:

As configured in common settings – as specified for all users (by default) in the setting User inactivity timeout.
No Time Limit – unlimited access, only for this user.
Expiration date (set the date manually or select it from the calendar using the button). This is useful if the employee temporarily uses the application. To protect against unauthorized access, any user can have an expiration date that automatically disables them after the specified date.
Deny login after inactivity of [n] days – if the user does not log into the application for more than the specified number of days, they will be unable to log in. In this case, the user will need to contact the administrator to resume using the application. This is also convenient for temporary workers.

Main information #

Next, fill in the fields on the Main tab:

Enter the Username required when launching the application. The application automatically suggests a default login name based on the full name.
Enter the Email Account. If the application allows users to reset their passwords, the email field is mandatory, as the application will compare the entered email address with the one stored and send the necessary information for password recovery. For more details, see the Password Recovery section.
Enter the Phone. The application also allows you to make calls and send SMS messages to phone numbers.

If the user needs to log in to the application with a password verified by the 1C: Enterprize application, enable the 1C: Enterprise authentication checkbox on the Main tab (this is enabled by default along with the Login allowed checkbox). The status of 1C: Enterprize authentication is displayed below the checkbox.

Click the Set password button.

Enter a New password for logging into the application and re-enter it in the Repeat password field. For information security, it is recommended to set passwords for users and not leave this field blank.
Click the Set Password button.

Also, you can use Generate password button to create a strong password.

For easier administration and security, all users have a User must set password on next login checkbox, which ensures that the user changes the administrator-assigned password to their own. Enable this checkbox so that the user is required to enter a new password that only they will know.

If necessary, enable the OpenID authentication checkbox. OpenID is an open, decentralized user authentication system that allows users to have a single login-password for various websites. This type of authentication is available in the web client and the thin client running through the web server. For proper application functionality in this case, the 1C: Enterprise authentication checkbox must also be enabled.

OpenID-Connect authentication allows the system to verify the user’s identity based on authentication performed by a third-party provider. As a result, users can use their credentials from other sites supporting OpenID-Connect Authentication to access the 1C: Enterprise application.

Access token authentication uses JWT tokens (RFC 7519 standard). Compared to previously used authentication methods, JWT tokens offer several advantages, such as generating a link that provides the user with temporary interactive access to the application (without entering a username/password).

To simplify the login process, you can enable the Operating system authentication checkbox. In the User field, select the name under which this user works in the operating system. This name will be used to log in to the application.

If no authentication checkbox is enabled, the Login allowed checkbox will automatically be disabled.

On the Addresses and phones tab, you can enter phone, Email, or create custom contact information type and other available contact information.

On the Comments tab, if necessary, add additional information about the user.

Password Recovery Setup #

Please note: This process is for On-premise only. For Cloud please use Partner’s Personal Account to restore forgotten password.

The application includes a feature for quick and secure password recovery for users. If a user forgets their password, they can reset it without contacting the administrator.

Enable the checkbox Show the “Need Help?” hyperlink in authentication dialog, and enter a URL for online help. The “Need Help?” button can be used to provide a link to a website with information on what to do when a user cannot log in, has forgotten their username, or is not registered in the database (e.g., where to call, email, or register). You can test the link immediately using the button provided.

Enable the checkbox Show the “Forgot Password?” hyperlink to allow users to recover a forgotten password during login.

Use the buttons to specify how the password should be recovered:

Via email
By following the link (the password can be reset on the website specified in this field).

Email Password Recovery Settings #

The application provides three methods for password recovery via email:

Standard sending service – Uses the standard password recovery service from AccountingSuite.
Email account – Sends recovery emails using the email settings stored in the application. You will need to select from a list the email address from which the recovery email will be sent, e.g., Support Service (support@mycompany.com).
Specified mail server – Requires entering the server parameters for sending emails. If Configured Email Settings is selected, the mail server data will be filled in automatically by the application.

Mailing account #

To configure the mail service, go to Organizer.

Navigate to the Service Email Account link. Set up the mail service and fill in all necessary fields.

If only sending emails from the application without receiving them or vice versa is required, uncheck the relevant boxes to reduce the number of settings needed. Then click the Create button. The mail settings will be selected automatically.

If the settings are not found automatically, you can enter them manually by clicking Manual Setup and filling in the required fields. You can check the mail connection settings with the mail administrator or through the mail’s web interface.

Message Template #

During password recovery setup, you can create a message template: compose the email text that will be sent to the user with the code for password recovery. The message template can only be used when sending emails via the Email account and Specified mail server options.

The message text is customizable, but there are essential parameters that must be included for the email to be sent. Use the button to Insert Parameter into the text:

Verification Code (&VerificationCode) – A required parameter; the application generates this code automatically when sending the message.
User Name (&UserPresentation)
Configuration Name (&ApplicationPresentation)

Verification Code Settings #

If necessary, adjust the settings for the verification code length and password recovery attempts:

Code Length – The length of the verification code for password recovery, an integer between 8 and 50.
Timeout between recovery requests – The duration of the block on requesting a new verification code (in seconds).
Maximum number of failed input attempts – The maximum number of attempts to enter the verification code. If this limit is exceeded, the user will need to request a new recovery code.

Login settings #

Set the password requirements using checkboxes:

Password must meet complexity requirements – Ensure that the new password is at least 7 characters long, includes at least 3 of 4 types of characters: uppercase letters, lowercase letters, numbers, special characters, and does not match the username (for login).
Minimum Password Length – Default is 8 characters.
Maximum password lifetime – Defalut 30 days
Minimum password lifetime – Defalut 1 day
Prevent re-use of this many recent passwords – Default is 10 previous passwords. This ensures control over password reuse.
Notification lead time before password expires – Default is 5 days before the password expires. A warning window appears at login prompting the user to change their password.
User inactivity timeout – The period after the last user activity, after which login is prohibited, default is 45 days.

On the Additional tab, you can configure Show in choice list in the user’s card.

Enabled for new users – This means that in a new user’s profile, the Show in choice lis checkbox will be enabled.

If Disabled for new users is selected, the Show in choice list checkbox in the new user’s profile will be disabled.

If Hidden and enabled for all users is selected, the user selection list will be fully displayed when logging into the application, and the Show in choice lis checkbox in all user profiles will be enabled and hidden.

Hidden and disabled for all users – The user list will be empty when logging into the application, and the Show in choice lis checkbox in all user profiles will be cleared and hidden.

You can also set up a notification for users to let them know that their access to the program will end after a certain number of days. Check the Notify user this many days before access expires box to enable this function.

User monitoring #

Provides the application administrator with reports to monitor the operation of the program.

The Errors and Warnings report shows the administrator a list of all errors that occurred during the specified period.

The Scheduled job runtime report gives information about scheduled tasks, allowing you to specify the period and see which tasks were completed and at what time.

Access Groups #

Access groups allow you to set up and manage general access rights settings for a group of users performing similar functions in the application. Only application administrators, listed in the predefined Administrators access group, have the rights to edit the Access Group list. Additionally, a user designated as Responsible in the access group can modify the group membership.

To create a new access group, go to the Access Groups list in the Admin Panel – Security settings – Access groups section.

Click Create.
Fill in the Description field.
- It is recommended to name the access group in the plural form, ensuring that the name includes the profile (specified in the “Profile” field) and clearly characterizes the defined access rights settings.

In the access group card, select one of the available Access group profiles.

Allowed members of the access group are determined by the profile according to the selected purpose.

On the Group members tab, list the users (and user groups) to which the access rights settings should apply. The lists from which you can select group members are listed in the Allowed users field at the bottom of the tab.

To add users click Pick button.

Select the needed users. The selection window consists of two parts:
- In the left part, choose the necessary user group (you can select the entire group at once) and the desired users from that group.
- Use button to add users to the selected list.
- In the right part, the selected users are listed.

Then, click Pick and close to return to the access group setup.

In the Valid till field, specify the date after which the member will automatically be removed from the access group. This allows you to automatically limit the duration of temporarily granted rights.

Access Group Profile #

An access group profile is a set of roles (permitted actions) and access types that define data access restrictions within the program.

Creating and modifying access group profiles is done via the menu command: Settings – Users and Rights – Access Group Profiles. Selecting this command displays the list of access group profiles. Some profiles are available by default in the program.

If necessary, the administrator can define additional profiles as required. When creating an access group profile, specify the actions (roles) permitted for users in the group on the Allowed actions (Roles) tab.

Here is a list of the basic types of actions that can be granted:

Start rights – allows the user to launch the application. Choose which type of client your user will use. Type “start” in the search bar to see a full list.

Basic rights – without these permissions, the user will not be able to log into the application, even if the Login allowed checkbox is checked on their profile. To view all basic rights type “basic rights” in the search bar
- Basic edit/read ACS rights
- CTL: basic rights
- SSL: basic rights

Permissions to view objects – allow users to see systems, objects, and links. For example, if your employees do not need to work with purchases, you can turn off the visibility of this module for them. To see a list of all view rights type “view” in the search bar.
Edit permissions – users with these permissions can interact with objects to add or edit them. To prevent mistakes, only give editing permissions for documents that your employee will work with. If they only need to view objects, but not change them, give them read-only access. To see a list of all editing actions type “edit” in the search bar.
Read-only access – these rights allow the user to view cards of objects but not to edit them. Grant these rights to new employees to prevent them from editing sensitive information. To see a list of all read rights type “read” in the search bar.

Access Restrictions by Class #

For additional fine-tuning of access restrictions, certain Classes can be specified either in the Access group profile OR in the Access Group. This ensures, that users will not have access to the denied Classes or will only have access to the data for allowed Classes. It is a Record-Level Security or Row-Level Security (RLS) access approach.

Please note: If access is granted to the parent Class, then the access is also granted for all Classes that have been assigned with this parent.

To restrict the access to data in the Access group profile, on the Access restrictions tab select: “All denied, configure exceptions in profile” or “All allowed, configure exceptions in profile” in the Access values. Specify the exceptions below,

To restict the access to data in the Access groups, on the Access Resctrictions tab of the Access group profile select: “All denied, configure exceptions in access groups” or “All allowed, configure exceptions in access groups” in the Access values.

Then, navigate to the Access group and select the exceptions for Classes there.

Sales rights only example #

As an example. If you want to create User with Sales rights only, start with mandatory common roles for it.

Please noted that to work with documents it needs to add: Add Edit Tax Invoice Issued and Edit Posted Documents.

After adding mandatory common roles use Find field to filter by ‘sales’ and select roles you need.

Check user right, and stay there only new group ‘Sales’.

This user will have limitation of sales documents and reports only.

Creating User and Granting Login Permissions #

To create a user, you need to log in to AccountingSuite with an account that has administrator rights.

Let’s start by creating an access group. Go to Admin Panel – Security Settings. Here, find the Access Groups link and click on it.

In the form that opens, click the Create button.

In the creation window, enter the group name and select an access profile. AccountingSuite has three pre-created profiles for you:

Auditor – a read-only profile. Users with this profile can only log in and view data but cannot add or modify anything.

Login-only User – this user can only launch the program but cannot perform any actions within it.

Standard User – this profile grants access to all lists, documents, and reports. Users with these rights can view, edit, and add new data but do not have access to admin settings. This profile is the most suitable for your typical user

Select the profile you need and save the changes. If you already have an existing user, you can add them by clicking the Pick button and selecting them from the user list.

If the user does not exist yet, proceed further.

Next, go to Admin Panel – Security settings and click on the Users link.

Here, click on Create.

In the open form, fill in the required fields and check the Login allowed box. Adjust any other settings if you want. Then, click on Access Rights.

The application will prompt you to save the data first, so click OK.

Once the data is saved, click Add to group and select the desired role.

By default, only administrators group is available. Any custom groups you have created will appear in the list.

Record-Level Access Update #

Access updates are automatically scheduled when options for restriction types (by item, by individual, etc.) are changed, when migrating to new application versions, or when installing, updating, or removing application extensions that affect access to lists.

Row-level security (RLS) allows database administrators to define policies to control how specific rows of data display and operate for one or more user roles.

Access updates are carried out evenly across all lists in small portions lasting 1-2 seconds. For lists without dates, portions are selected by ascending link ID (e.g., for directories). For lists with dates (e.g., documents), portions are selected by descending dates (from the most recent to the oldest data). Data for the last 7 days is processed first, then for the last month, the last quarter, and finally, by years into the past.

For progress updates, the Upadate automatically checkbox is enabled with a 3-second interval. If the actual update time exceeds this interval, which usually occurs with large databases, the interval will automatically increase to match the actual update time. If needed, the interval can be reduced to the required value. Use the link to Refresh progress bar or Cancel at any moment.

Enable the checkbox to Calculate progress by amount of data. The Customize progress view link allows you to modify the view of the processed data list by enabling the necessary checkboxes:

Show number of items;
Show number of access keys;
Show processing delay;
Show table name;
Show processed lists.

There may be situations where access updates are completed, but access differs from what is expected. To resolve such an issue, open the More actions menu and use the Configure access manually command:

If the problem is with a specific object (document, list, etc.), select it (choose the data type, then select the specific item from the opened list) and click the Update Access button. The update will be performed, and a result message will be displayed: whether the access was updated or no update was necessary (calculated rights are current).

If the problem involves multiple objects or register entries, you should schedule an update for the entire list.
- Schedule updates for the entire list or for selected parts:
  - Update data item access keys;
  - Update rights for access keys;
  - Remove obsolete internal data.

If it is unclear where the update is needed, then it is recommended to update all three parts.

When opening, all lists are checked for updates. Such an update may take a long time, especially when updating access rights to keys. Therefore, only the required lists should be selected using checkboxes.

After that, click Schedule Update. The update will be performed in the same order as in the case of automatically scheduled updates. You can close the window and click Run now to avoid waiting for the scheduled task Record-Level access update to run.

If necessary, you can Stop and deny access update using the More action menu command.

If access updates are prohibited, a warning and a Allow link will appear in the window. Attempting to start a scheduled task when access updates are prohibited will result in a task launch error. To enable the update via the scheduled task, click the Allow link. When clicking Run now, a prohibited update is permitted.

Personal User Settings #

These settings are managed by an administrator.

Available links:

Copy Settings: Use this link to copy user settings.
Clear Settings: Use this link to delete settings for all or selected users.
User Settings: Follow this link to access the list where user settings management is performed.

Copy Settings #

Copying settings might be needed when configuring several new users in a group where users already exist.

Select the user from whom you want to copy settings, such as an administrator.

Choose the target users:

Choose Selected users — this will make the Select link available. Click Select, then use checkboxes to specify which users should receive the copied settings. The left side of the list automatically counts the number of users selected and the groups they belong to.

Click Active Users to see the list of users currently active in the application.
Click Select to proceed to the next step.

The selection is saved, and the link will show the number of selected users. You can then proceed to select and copy settings.

All Users: In this case, proceed to specify which settings will be copied.

Choose what to copy:

All settings: This option copies all settings. After making your selection, proceed to copy the settings.
Some settings: This option makes the Select link available. Click the link, choose the necessary settings from the list using checkboxes, and then click Select.

The application counts the number of selected settings. After finishing your selection, you can proceed with copying the settings. The link will display the number of selected settings.

To copy the settings and return to the application, click Copy and close. To continue copying settings without closing the window, click Copy. To return to the application, click Close.

You can also copy settings from the User Settings list.

Note: Not all user settings can be copied, even if you select All Settings. If you attempt to copy report options for users who do not have access rights to those reports, the application will not copy the settings and will display a warning: Not all report options and settings were copied. The user lacks sufficient rights. For more detailed information, click Show Report.

Personal report options cannot be copied. To make a personal report option available to other users, it must be resaved with the Only for Author checkbox unchecked.

Clear Settings #

Sometimes it is necessary to delete user settings, for example, if incorrect settings make the application unusable. You can clear all settings, including personal report options.

To delete user settings, click the Clear Settings link.

You can clear settings (select using the switch):

All Users.

If you attempt to select Specific settings for all users, the application will display a message indicating that this is not possible.

Selected Users:

To clear settings for multiple users, click Select. Choose the user list, then click OK.
In the Select users to clear settings list, check the boxes for the desired users. Confirm by clicking Select.

The selection is saved. However, when clearing settings for multiple selected users, you can only clear All settings.

To clear several identical settings for all or some users, you can open the User settings list.

To clear specific settings for one user, select them from the list, then use checkboxes to choose which settings to clear. The selection is saved.

After finishing the selection, click Clear and close to clear the settings and return to the application. Click Clear to continue clearing settings for other users. Click Close to return to the application without clearing settings.

User Settings List #

Click the User settings link to open the list intended for managing user settings.

In the User field, select the desired user.

You can filter the user’s settings by name or part of the name using the Search field.

The list of user settings consists of three tabs:

Interface settings tab includes settings for the desktop appearance and various application lists.
Report Settings tab allows you to manage report option settings. Personal report options and their settings cannot be copied to other users.
Other Settings tab reflects personal settings, favorites settings, quick access settings to additional reports and processes, and other settings.

Available options in the list:

Copy to other users: Use this button to copy the selected user’s settings to one or more application users. Select the desired users from the list using checkboxes. In the selection list, you can use the Active Users button to view the list of users currently active in the application.
Clear: Use this button to clear the selected settings. Confirm your choice by clicking Yes.
Clear all: Click the button, then choose what to clear: All Settings or Report and interface settings of the specified user. Confirm your choice by clicking Clear.
Copy from: Click this button to copy settings for the specified user from another application user. Select the user from whom to copy the settings. Choose the settings that need to be copied.

Data Access Audit #

The data access log allows the application administrator to conduct an audit of access to certain data to determine who and when viewed it.

First, you need to set up data access by enabling the checkbox Enable data access logging. Then go to the Settings link.

Next, select the objects you need to track.

After performing these actions, the application will automatically log who accessed the data and when, displaying this information in red in the Data Access Log.

You can use the Filter button to sort the events and find who made the changes and from which computer.

Additionally, if tables or their fields with access control settings were deleted or renamed in the application’s Configurator, a pending task to update the settings will appear for the administrator.

Getting Started

Lists

CRM

Sales

Purchases

Inventory

Projects & Time

Bank

Accounting

Payroll

Asset management

Reports

Settings

Tools

Glossary