How to disable secure mode in 1C 8.3. Installed safe mode

The software opening of the external processing is carried out using the global context object of external processing, which has a type External processingmen. For each 1c platform mode (normal application, and managed application mode), various object methods are used to work with external processing.

Start external processing in normal application mode

In the usual application, you must use the Create () Object Object, which passes the full name of the external processing file. The method returns the type object External processing, This object is open external processing. If you want to open the external processing form, then the obtained object is called the Options () method (), which will return the basic shape, and then call the Open () method for opening it.

Processing \u003d external processing. Create (full);
Processing. Forecorm (). Open ();

In external processing, the main form should always be the usual, and the optional optional, otherwise the Options will not work () in the usual application mode.

Run external processing in managed application mode

In the mode of controlled forms, the algorithm is separated by the context of execution. On the client we get binary data on the full name of the external processing file. We transmit the received binary data to the server and put them in a temporary storage. Next, you need to call the connection () object of the external processing object in which the address is transmitted to the temporary storage. The method returns the name of the connected external processing. Return the name of the external processing to the client, form a string path to the processing form and using the openform method () open the external formation form.

&On server
Function to be obtained by appearances (binary)
AddurbationRexuality \u003d Position-based reserve (binary);
Returning external processing. To connect (addresseed by time);
Endfunction

& Svalette
Fullness \u003d ""; // The full name of the external processing file.
Puttails \u003d New bichelted (full);
Imaging \u003d reconnecting (spelling);
Openform ("external processing." + Imaging + ".Form");

Safe mode for external treatments

Methods to create () and connect () Object external processing have the incoming security parameter - a sign of connecting external processing in safe mode. If the parameter is not specified, the connection will be implemented in safe mode.
Safe operation mode is designed to protect the system from executing the "unreliable" program code on the server. Potential danger represent external processing or program code entered by the user to use in the methods to perform () and calculate ().
The following restrictions are superimposed in safe mode:

the privilege mode is canceled if it was installed;
attempts to go to the privileged mode are ignored;
prohibited operations with COM objects;
it is forbidden to download and connect external components;
prohibited access to the file system (except temporary files);
forbidden access to the Internet.

Processing, open interactively, not performed in safe mode, so it is recommended to implement the opening mechanism of external treatments in safe mode, as well as at the level of rights to prohibit the user an interactive opening of external treatments.
To prohibit the interactive opening of treatments, in all roles assigned to the user, it is necessary to remove the right "interactive opening of external treatments" (see Figure 1).

Figure 1. Interactive opening rights of external treatments / reports

The right "Interactive Opening External Processings" does not affect the external processing facility.

Software opening of external reports, similar to external treatments, only the object of the global context should be used, which has a type Foreign trade.

Start external processing in normal application mode

In external processing, the main form should always be the usual, and the optional optional, otherwise the Options will not work () in the usual application mode.

Run external processing in managed application mode

&On server
Function to be obtained by appearances (binary)
AddurbationRexuality \u003d Position-based reserve (binary);
Returning external processing. To connect (addresseed by time);
Endfunction

Safe mode for external treatments

the privilege mode is canceled if it was installed;
attempts to go to the privileged mode are ignored;
prohibited operations with COM objects;
it is forbidden to download and connect external components;
prohibited access to the file system (except temporary files);
forbidden access to the Internet.

Figure 1. Interactive opening rights of external treatments / reports

The right "Interactive Opening External Processings" does not affect the external processing facility.

Software opening of external reports, similar to external treatments, only the object of the global context should be used, which has a type Foreign trade.

The fact is that when using a client-server version of 1C, external processing / reports are opened in a safe mode, which is prohibited to use the privileged mode. A privileged mode is used very often in typical configurations: the formation of printed forms, various service checks (exchange checks), etc. As a result, even using the usual report on the CCM without a form (by default, the shared form "form date" is used) and saving user report settings (to the appropriate directory), you will get an error about the insufficiency of access rights to various constants and session parameters used for service purposes After string Establishly deregulated (truth);

The "correct" solution will be the connection of external treatments and reports through the "Additional Reports and Processing" BSP mechanisms with disabling the safe mode or by adding permits (in my opinion, from the BSP version 2.2.2.1). But if for some reason you need to use external reports / processing files, you can configure the cluster security profile used as a secure mode security profile for a specific information base.

I would like to immediately notice that this option is not preferred, but by virtue of different circumstances, you can use it in such a simplified form. For example, I have several databases in different cities, a common local to sit with rigidly limited rights, closed USB, etc., is used somewhere in Accounting 2.0, and somewhere 3.0, almost all reports I do the means of CCM without forms that They opened in both versions. To serve all these reports for different versions and different bases, the case is laborious and unpromising, because The plans are the transition to a single configuration and database ...

Create a profile.
In the cluster console, create a security profile in which you install flags "Can be used as a security profile of a secure mode" And "in the section" Allowed full access: " "To the privileged mode".

In many cases, the use of reports and simple treatments this method will be applicable. For more complex situations, it makes sense to describe the process, because It is stated in the documentation (the ability to configure security profiles for specific external files through the indication of its hash-sum, etc.).

P.S. I thought that security profiles function only when using licenses for the platform and server-level server, but this functionality works on the 1C platform: Enterprise 8.3 (conditionally can be called prof similar with the standard configurations Basic / Prof / Corp)

With the release of the platform 8.3.9.2033 a new mechanism appeared "Protection against Hazardous Action".

Thanks to this innovation, 1C is now to open processing (and not only) began to swear:

Security Warning

Opened "My External Processing" from the file "My_Protype.epf"

It is recommended to pay attention to the source from which this file is received. If there is no agreement with the source on the development of additional modules, or there is doubts about the contents of the file, it is not recommended to open it, as this may harm the computer and data.

Allow open this file?

So 1s decided to fight the malicious code!

Where will this "malicious code" in the enterprise until the riddle)

To potentially dangerous actions included:

Loading an external report, processing or configuration expansion.
Downloading or updating configuration / expansion.
Access from external report / processing or expansion to the following features:
Execution of the operating system command.
User management (Recording or removing information about the user of the information base).
Calling the Method Connect () External Processing Manager (Reports).
Calling an extension method. To recruit ().
Work with COM objects.

How does this "miracle" turn off?

To do this, run 1c enterprise in the configurator mode.
Select the "Administration" menu - "Users".
In the window that opens, you need to open the User Settings window and install the bird in the "Basic" bookmark "Protection against Hazardous Action"

There are other ways to disable it:

Implemented the ability to specify a list of information databases when working with which protection against dangerous action will be disconnected.
The disableunsafeactionprotection parameter in the conf.cfg file is responsible for this function, which allows you to disable the protection mechanism for hazardous actions for all users of certain information databases, whose connection strings satisfy the masks specified in the DisableunsafeactionProtection parameter.

In this parameter, you can specify several masks shared by the ";" symbol, for example:

DisableunsafeactionProtection \u003d Test _. *; Stage _. *;

In addition, the protection against dangerous user actions can be disabled programmatically, for which there are the following parameters and properties:

Property Safety Parameters Connect () External Processing Managers (Reports)
The properties of the protectiveness of the expansion object object before calling the method to write () of this object.

Checking the need to use protection against dangerous action is performed in the following order:

1. If the current user has been reset the "Protection against Hazardous Action" checkbox, the defense is considered to be disconnected.

2. If the connection line with the information base satisfies one of the templates specified in the conf.cfg disableunsafeactionprotection parameter, the protection is considered to be disconnected.

3. If the protection is explicitly disabled using the external processing or report protection parameter.

4. If the protection is explicitly disabled using the Property Property Property.

When you start the program, downloading documents under the usual user error occurs "Installed Mode. Performing operation is prohibited."

This complexity occurs because To start external processing is not right. To configure access rights, go to the base in 1C mode on behalf of Administratorand go to the section User settings and permissions / access group profiles,click To create a group.

Enter the name of the group and check the roles available to users of this role.

Interactive opening of external reports and treatments
Using additional reports and treatments

Click Record and close

Return to the Users menu and select an employee from the list that will work with the program Loading Documents. Click Access Rights. In the list of profiles, mark the earlier profile. Click Record.

For users to start processing, it is recommended to add downloads to the list of external processing. To do this in the menu Administration / Printed Forms and Processing / Additional Reports and Processing Create a new processing. Specify the path to the "Download .epf" file and assign a name. Specify the placement of processing in the menu, from where the user can run it later, for example, select Menu Directories

By clicking on Quick Access, you specify that processing is available from users:

After setting, click Record and close. To start processing, users will sufficiently go to the database and open it from the access menu (in the example - reference books) and click Perform.

Open Menu - all functions ... And locate the Safety Profiles in the list.

It is enough to remove the flag from the option "Use security profiles".

After that, the program will start successfully.