Dividing data into current and archived parts. Separating information Fill in the information register Data areas


The data separation mechanism allows you to store data from several independent organizations in one information base.

This is possible because a general attribute of configuration objects can be used not only as “the same property that all objects have,” but also as an identifier showing that the data belongs to one of several independent areas. The following example illustrates this.

Let's say there is a general attribute "Organization" in the configuration. This means (simplified) that each directory, document or other configuration object will also have an “Organization” attribute.

At the same time, any user of the information base has access to all data stored in it, regardless of which organization is indicated, for example, in a particular document.

Now let's indicate that the general attribute "Organization" will serve as a separator.

Then (simplified) several independent data areas will be created in the information base, each of which will store data only for one specific organization:

Now, when entering the program, the user will not have access to all the information that is in the information base, but only to the data of “his” area, in this case to documents, reference books, etc. of his organization.

Another way of using this mechanism is possible, in which there are several independent data areas in the information base and, along with them, data that is available to all users of the program. For example, this could be a directory of banks, which is the same for all organizations.

The data separation mechanism is quite flexible and universal:

  • it allows you to use not one, but several separators;
  • there are different modes of using separated data; they differ in how the situation is handled when the separator value is not specified;
  • the use of a general attribute as a separator can be controlled from the built-in language while the program is running, without changing the configuration; this is called conditional separation.

1. Preamble.

There was a need to organize accounting for two organizations in one information base. The situation is not unique, but it so happened that our very unusual 250 gigabyte USB drive worked quite slowly, so instead of RLS we decided to try data separation. What it is is described, for example, or. In short, whereas RLS adds conditions to SQL queries, the data separator is an additional column in the tables at the DBMS level, so the separator mechanism should work faster than RLS.

So, information from the separate database of LLC No. 2 has to be transferred into the database where records were kept for LLC No. 1, and joint work organized. Just like in the picture:

Mere mortals work only with their own LLC, and the chief accountant sometimes looks at the data of both legal entities. When both LLCs are accessible, the data can only be read, so the chief accountant must be able to switch interactively between the “read all” and “write only one organization” modes and to select the LLC (i.e., set the value of the general attribute) in order to carry out, for example, cost calculation.

2. Implementation

Platform 8.2.19.90, without compatibility mode. DBMS - MSSQL Server 2008 R2 Standard.

We created the general attribute OrganizationSeparator of type "number", accepted the proposal to create session parameters, and filled in the composition of the attribute (included several directories, all documents, and the accumulation, accounting and calculation registers). Data separation - "Independent and joint". The value of the session parameter is set from the standard user settings in the SettingSessionParameters procedure in the session module:

Organization = UserManagement.GetDefaultValue(chCurrentUser,"PrimaryOrganization");
SessionParameters.OrganizationSeparatorValue = Organization.SeparatorValue;

In the chief accountant’s interface, we made a form with the ability to switch between organizations and turn the separation mode on and off:

When separation is disabled, i.e. when SessionParameters.OrganizationSeparatorUsage = False, the platform refuses to write documents, failing with errors like “SDBL error: expression expected (pos=12)”, so the user must not be allowed to write documents in this mode. For reliability, we created subscriptions to the “Before write” event for the objects included in the general attribute:

// Block the write while data separation is switched off.
If SessionParameters.OrganizationSeparatorUsage = False Then
#If Client Then
    Warning("Cannot write because data separation is disabled!");
#EndIf
    Refuse = True;
EndIf;
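A small model of the behaviour described so far, added here as an illustration and not taken from the article or from the 1C platform: reads are limited to the session's data area, a session with separation switched off can read every area but cannot write, and an unseparated directory is visible to everyone. SQLite and Python stand in for the platform; the table names, the `Session` class and the sample rows are constructed, and its two fields mirror the session parameters OrganizationSeparatorValue and OrganizationSeparatorUsage.

```python
import sqlite3
from dataclasses import dataclass

@dataclass
class Session:
    """Hypothetical stand-in for the two session parameters in the article."""
    separator_value: int          # OrganizationSeparatorValue
    separator_usage: bool = True  # OrganizationSeparatorUsage

class SeparationDisabled(Exception):
    """Raised when a write is attempted while separation is switched off."""

def open_base():
    conn = sqlite3.connect(":memory:")
    # Separated table: the 'sep' column plays the role of the general attribute.
    conn.execute("CREATE TABLE documents (sep INTEGER NOT NULL, number TEXT, amount REAL)")
    # Unseparated table: common to all data areas, like the directory of banks.
    conn.execute("CREATE TABLE banks (name TEXT)")
    conn.execute("INSERT INTO banks VALUES ('Bank One')")  # constructed row
    return conn

def write_document(conn, session, number, amount):
    # Same rule as the "Before write" subscription: no separator, no write.
    if not session.separator_usage:
        raise SeparationDisabled("cannot write: data separation is disabled")
    # The separator value is taken from the session, never from caller data.
    conn.execute("INSERT INTO documents VALUES (?, ?, ?)",
                 (session.separator_value, number, amount))

def read_documents(conn, session):
    if session.separator_usage:
        # Ordinary user: only rows of the session's own data area.
        rows = conn.execute(
            "SELECT number FROM documents WHERE sep = ? ORDER BY number",
            (session.separator_value,))
    else:
        # "Read all" mode: every area is visible, read-only.
        rows = conn.execute("SELECT number FROM documents ORDER BY number")
    return [r[0] for r in rows]

def read_banks(conn):
    # No separator column, so no filter: the same rows for every session.
    return [r[0] for r in conn.execute("SELECT name FROM banks ORDER BY name")]

if __name__ == "__main__":
    base = open_base()
    write_document(base, Session(1), "A-001", 100.0)
    write_document(base, Session(2), "B-001", 250.0)
    print(read_documents(base, Session(1)))
    print(read_documents(base, Session(1, separator_usage=False)))
```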

Our action plan was as follows: prepare the receiver configuration of IS No. 1, set the values of the general attribute = 1, load data from IS No. 2, and after loading set OrganizationSeparator = 2 for all objects with an empty (equal to 0) separator value.

The configuration was prepared, and the question arose: how to set the value of the general attribute for documents and their movements in closed periods, quickly and without the risk that the numbers in the balance sheet will change? The separator cannot be written separately from the object through the 1C object model, so we had to violate the license agreement and write a query for MS SQL. Since the general attribute includes many objects, and there are even more tables for these objects, we wrote a processing that generates the SQL query (for each metadata object included in the separator, it writes "update " + DB_Name + ".dbo._" + TableName + " set _" + FieldGeneralAttributes + " = 1";)

We entered the value, transferred some of the data from IS No. 2, and began testing.

The result was disappointing. Firstly, there were problems with the accounting register. When separation is enabled, the analytics are not visible:

This is due to the fact that the accounting register at the DBMS level is stored as several tables, and not all tables had the value of the general attribute entered (processing was used to view the structure).


Okay, we enter the separator value using MS SQL and can now see the analytics. But reports no longer work. It turns out that there are problems with queries to the virtual tables of the accounting register “Turnover” and “TurnoverDtKt”:

(Fld27033 is just a general attribute in the accounting register table)

The separator is set in all tables, this is visible at the DBMS level, and it is not clear what the error may be. We deploy a standard empty SCP, make the configuration changes described above, enter a couple of documents (in this option, the platform itself enters the separator value in all accounting register tables), but the errors are reproduced. It’s bad, but we exclude accounting registers from the general attribute and continue testing.

Further, it turns out that the displacement mechanism of the calculation registers has stopped working. We did not separate the charts of calculation types; we try to look for the problem in the tables of the calculation register and in the recalculations. We check, enter the value of the general attribute, do T&I - to no avail.

Along the way, we diagnose the problem when writing information from the list form to independent registers. In this case, the data is recorded and can be seen after a restart. The problem is also reproduced on the test base:


It was not possible to “fix” the information registers by manipulating them with SQL (the separator value is set in all tables), so we simply excluded them from the general attribute. After several days of experimentation, attempts to restore the displacement functionality also turned out to be unsuccessful.

At this point, we decide to turn off data separation and use RLS. When setting the separation to “do not use,” we encounter the errors “Microsoft OLE DB Provider for SQL Server: CREATE UNIQUE INDEX terminated because a duplicate key was found for index...”. That is, it is not so easy to return to the state before the separation. There are problems with the indexes of the recalculation tables, the totals storage settings and others. The fact is that the tables store identical rows that differ only in the value of the general attribute. When the general attribute is deleted, non-unique records appear. You will have to delete the unnecessary records directly in MS SQL, something like this (for the recalculation table):

USE base;
-- Add a temporary identity column so that duplicate rows can be told apart.
ALTER TABLE _CRgRecalc1399
ADD id INT IDENTITY(1,1);
GO
-- In each group of rows with identical key fields, keep only the row with the highest id.
DELETE FROM _CRgRecalc1399
WHERE id < (SELECT MAX(id)
FROM _CRgRecalc1399 AS T1
WHERE _CRgRecalc1399._RecorderTRef = T1._RecorderTRef AND
_CRgRecalc1399.[_RecorderRRef] = T1.[_RecorderRRef] AND
_CRgRecalc1399.[_CalcKindRRef] = T1.[_CalcKindRRef] AND
_CRgRecalc1399.[_Fld1400RRef] = T1.[_Fld1400RRef] AND
_CRgRecalc1399.[_Fld1401RRef] = T1.[_Fld1401RRef] AND
_CRgRecalc1399.[_Fld1402RRef] = T1.[_Fld1402RRef]
);
GO
-- Remove the temporary column.
ALTER TABLE _CRgRecalc1399
DROP COLUMN id;

And only after cleaning several dozen tables is it possible to turn off data separation. After turning off the separation there are no problems.
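A pre-check for the duplicate-key failure described above, added here as an example and not taken from the article: it lists the row groups that differ only in the separator column, which are exactly the rows that break a unique index once the separator is removed. SQLite stands in for MS SQL, and the table `recalc`, its columns and the sample rows are constructed for illustration.

```python
import re
import sqlite3

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def _q(name):
    """Validate and quote an identifier before it is placed into SQL text."""
    if not _IDENT.match(name):
        raise ValueError(f"unexpected identifier: {name!r}")
    return f'"{name}"'

def separator_only_duplicates(conn, table, separator_col):
    """Return (key_columns, groups): groups of rows identical in every column
    except the separator; the last element of each group is its row count."""
    cols = [row[1] for row in conn.execute(f"PRAGMA table_info({_q(table)})")]
    if separator_col not in cols:
        raise ValueError(f"{table} has no column {separator_col}")
    keys = [c for c in cols if c != separator_col]
    key_list = ", ".join(_q(c) for c in keys)
    sql = (f"SELECT {key_list}, COUNT(*) FROM {_q(table)} "
           f"GROUP BY {key_list} HAVING COUNT(*) > 1 ORDER BY {key_list}")
    return keys, conn.execute(sql).fetchall()

def unique_index_without_separator_ok(conn, table, separator_col):
    """Probe whether a unique index over the remaining columns can be built."""
    keys, _ = separator_only_duplicates(conn, table, separator_col)
    key_list = ", ".join(_q(c) for c in keys)
    try:
        conn.execute(f"CREATE UNIQUE INDEX ix_probe ON {_q(table)} ({key_list})")
    except sqlite3.IntegrityError:  # SQLite's analogue of the duplicate-key error
        return False
    conn.execute("DROP INDEX ix_probe")
    return True

def build_sample():
    """Constructed data: doc-A/salary exists in both data areas (sep 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recalc (sep INTEGER, recorder TEXT, calc_kind TEXT)")
    # While the separator is part of the index, the two areas do not collide.
    conn.execute("CREATE UNIQUE INDEX ix_sep ON recalc (sep, recorder, calc_kind)")
    conn.executemany("INSERT INTO recalc VALUES (?, ?, ?)", [
        (1, "doc-A", "salary"), (2, "doc-A", "salary"), (1, "doc-B", "bonus")])
    return conn

if __name__ == "__main__":
    sample = build_sample()
    print(separator_only_duplicates(sample, "recalc", "sep"))
    print(unique_index_without_separator_ok(sample, "recalc", "sep"))
```

The check only reports the colliding groups; which row of each group to keep remains a decision for whoever owns the data.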

3. Conclusions.

There was a glimmer of hope that the problems were solved in 8.3. We weren’t too lazy, we checked it on 8.3.4.482 (with compatibility mode disabled). We looked at an almost standard control unit, with changes in the configuration only for general details. On this test base, separation was enabled before information was entered, i.e. the platform had to correctly write the separator value into all tables; they did not write anything directly into MS SQL themselves.

Result:

    The problem with queries to the virtual tables "Turnover" and "TurnoverDtKt" is reproduced.

    The problem with displacement is reproduced.

    The problem with writing to independent information registers is reproduced.

    The problem with turning off the separation is that you can’t get rid of it with one click of a button!

Thus, we were unable to replace RLS with the new mechanism. This mechanism was apparently conceived for cloud services, and in the case of using separated data “independently” the separation may work, but we need common master data. It remains to hope that 1C will correct the errors or, even better, implement a standard mechanism for separating by organization in standard configurations.

Data separation is a relatively new feature of 1C, classified as a cloud technology. After the functionality appeared, the 1C company modified the BSP. The same improvements were included in standard configurations based on BSP, for example, UNF and UT11.

It was necessary to organize the receipt of general reports from several branches with the same configurations. I decided to try the developments from BSP in the field of data separation. The idea was to load each branch's data into its own data area and generate reports for all areas at once. I’ll say right away that the problem has not yet been solved, but the attempt to solve it revealed problems and dubious functionality in the BSP.

Attached to the article is a processing that transfers the hidden functionality of operations with data areas to a separate form.

The BSP provides two accounting separators: Data Area Main Data and Data Area Auxiliary Data. It remains a mystery why these 2 delimiters refer to the same session parameters: DataAreaValue, DataAreaUse.

Turning on the mechanism

If your self-written configuration is based on the BSP, then most likely, before turning it on, you need to implement the mysterious library “1C: Service Technology Library”. It’s strange that even Google doesn’t know about such a 1C product. And in typical configurations, the Check Possibility of Using Configuration in the Service Model procedure in the Work In Service Model module does not exist. Most likely, you can find the missing parts from this library in standard configurations made on the basis of the BSP. In particular, one of the subsystems is called StandardSubsystems > WorkInServiceModel > UploadLoadData.

The data separation mechanism is enabled by setting the Use Separation By Data Areas constant. It can be set via the All functions menu item.

Creating Data Region Users

This item is not required if you are using a form to enter the data area. Users are created in configurator mode. One user with administrative rights must have all data separators unset in the Data Separation tab. For other users, the Data Area Main Data separator must be set in the Data Separation tab. This separator must be explicitly specified on the command line when starting 1C.

Launching 1C with a command line parameter

This item is not required if you are using the login form to enter the data area.

1C can be launched immediately in data separation mode. The /Z command line option is provided. For example, the parameter “/Z-,+1” indicates that 1C is launched with the Data Area main data value equal to 1, and the Data Area auxiliary data separator is not set.

The method is very unreliable. When starting, an error occurs in the WorkInServiceModel procedure when checking whether Safe Data Sharing Mode is enabled. I couldn't find anything better than to comment out this procedure. The procedure checks whether the user has the right to change the current data area and whether his rights are limited, and it has security implications.

Then, upon startup, several errors occur, including: “Separated users cannot be assigned the System Administrator role,” “Separated users cannot be assigned the role Running a thick client.”

The user was not found in the Users directory - the problem could not be resolved. In the traditional scenario, the User registers upon first login. I suspect that when sharing data, Users are created through another 1C Fresh application.

Fill in the information register Data areas

For each area, you need to fill out an entry in the Data Area information register, assigning numbers to the areas and the “In Use” status. Processes can check for entries in this register before starting execution.

Entering the data area

Administration - Service - Login to the data area (GeneralForm.LoginDataArea)

Allows the user to change the current data area. Logging into an area is possible as a user running without separators specified. When the data area is changed, its status is checked in the Data Area information register.

Uploading data from an area

The current area is unloaded through GeneralForm.UploadingData. Before using it, you must log in to the desired data area. The form is not displayed in the user interface in the Administration section.

The data is serialized by the configuration into XML format and packed in ZIP. That is, archiving does not take place using the 1C configurator, like traditional uploading.

Load data into area

GeneralCommand.LoadDataArea

To appear in Administration-Service, you need to set visibility through the Configurator as part of the Settings and Administration subsystem.

Data is loaded into the selected area. Before this, they must be downloaded into XML format.

Conclusions

The system could not be started by specifying delimiters on the command line. The system refused to work due to an unregistered user in the Users directory. It was not possible to get to the directory because the system does not allow users with administrative rights. I think that this scenario requires a mandatory connection with 1CFresh.

Experiments with entering different areas, unloading and loading areas were successful. An attempt to run a query that gets all organizations across all data areas failed. Error: "You cannot use a table without specifying all delimiters with independent use of shared data." The report works for one area if you enter any area.

The problem that remains unclear is how to unload data from a database without separators into a specific data area of another database.

It would be interesting to know about the cunning idea of the BSP authors regarding the general session parameters for two separators, if the call is with the parameters: “/Z-,+1”, “/Z+1,+1” and “/Z+1,-”.