Last Modified: 25.01.2023
Bitrix Framework supports two levels of access permissions:
Access to files and catalogs/directories
This level of permissions is checked in the prolog and is defined in a special file, .access.php, which contains a PHP array in the following format:
$PERM[file/catalog][user group ID] = "Access permission ID";
- file/catalog - the name of the file or catalog (directory) the permission applies to;
- user group ID - the ID of the user group the permission applies to (the * character is also allowed and means "all groups");
- access permission ID - currently one of the following values, listed in ascending order:
- D - denied (access to the file is always refused);
- R - read (the file can always be read);
- U - workflow (the file can be edited in the workflow edit mode);
- W - write (the file can be edited directly);
- X - full access (permission to write and to change the access permissions themselves).
In the site's administrative section, access permissions can be assigned to a file with the file manager.
When a user belongs to several groups, the user receives the highest permission defined for any of those groups.
If no permission is explicitly defined for the current file or catalog, the system uses the permission defined for the enclosing catalogs higher up the catalog tree.
For example, if /dir/.access.php contains:
$PERM["index.php"]["2"] = "R";
$PERM["index.php"]["3"] = "D";
then, when the page /dir/index.php is opened, a user in the group with ID=3 gets permission D (denied) and a user in the group with ID=2 gets permission R (read). A user belonging to both groups gets the higher of the two, R (read).
If the .access.php in the site root contains:
$PERM["admin"]["*"] = "D";
$PERM["admin"]["1"] = "R";
$PERM["/"]["*"] = "R";
$PERM["/"]["1"] = "W";
$PERM["index.php"]["3"] = "R";
then, when the page /admin/index.php is opened, a user in the group with ID=1 gets access (the explicit R for that group is higher than the D set for all groups with *), whereas a user in the group with ID=2 is denied. The entry for index.php and group 3 applies to /index.php only, not to /admin/index.php. When the page /index.php is opened, all visitors have access.
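The resolution rules described above, as an added example that is not part of the Bitrix documentation or of Bitrix's own code: a stand-alone PHP script that models them over sample data. The TREE array is constructed to mirror the two .access.php examples on this page; the function names (higherPerm, permFromArray, resolvePerm), the exact order in which the script walks up the catalog tree, and the choice to treat a path with no entry at any level as denied are assumptions of this example, not statements from the page.

```php
<?php
// Added example, not Bitrix's own code: models the first-level (file/catalog)
// permission rules described on this page. Bitrix performs the real check in
// the prolog; this script only applies the rules the text states.

// Permission IDs in ascending order, as the text lists them.
const PERM_RANK = ['D' => 0, 'R' => 1, 'U' => 2, 'W' => 3, 'X' => 4];

// Constructed sample data: catalog => the $PERM array of its .access.php.
// Mirrors the two examples on this page (site root and /dir).
const TREE = [
    '/' => [
        'admin'     => ['*' => 'D', '1' => 'R'],
        '/'         => ['*' => 'R', '1' => 'W'],
        'index.php' => ['3' => 'R'],
    ],
    '/dir' => [
        'index.php' => ['2' => 'R', '3' => 'D'],
    ],
];

/** Higher of two permission IDs (D < R < U < W < X); null means "no entry". */
function higherPerm(?string $a, ?string $b): ?string
{
    if ($a === null) return $b;
    if ($b === null) return $a;
    return PERM_RANK[$a] >= PERM_RANK[$b] ? $a : $b;
}

/**
 * Permission one $PERM array gives the user's groups for $name ("/" stands
 * for the catalog itself). Returns null when the array says nothing about
 * $name for any of these groups. Several matching groups ("*" included)
 * collapse to the maximum, as the text specifies.
 */
function permFromArray(array $perm, string $name, array $groups): ?string
{
    if (!isset($perm[$name])) {
        return null;
    }
    $result = null;
    foreach ($perm[$name] as $group => $level) {
        // PHP turns numeric string keys such as "2" into integers; normalise.
        $group = (string)$group;
        if ($group === '*' || in_array($group, $groups, true)) {
            $result = higherPerm($result, $level);
        }
    }
    return $result;
}

/**
 * Effective permission for an absolute $path (e.g. "/admin/index.php") for a
 * user in $groups. Checks the file's own catalog first, then asks each parent
 * about the enclosing catalog until some .access.php defines a permission.
 * Lookup order is this example's reading of the text, not Bitrix's code.
 */
function resolvePerm(string $path, array $groups, array $tree = TREE): string
{
    $groups = array_map('strval', $groups);
    $dir  = dirname($path);   // "/admin" for "/admin/index.php"
    $name = basename($path);  // "index.php"
    while (true) {
        if (isset($tree[$dir])) {
            $found = permFromArray($tree[$dir], $name, $groups);
            if ($found !== null) {
                return $found;
            }
        }
        if ($dir === '/') {
            if ($name === '/') {
                break;          // root catalog itself checked; nothing defined anywhere
            }
            $name = '/';        // the root catalog is addressed as "/" in its own file
        } else {
            $name = basename($dir); // ask the parent about this catalog
            $dir  = dirname($dir);
        }
    }
    // Assumption (not stated on this page): no entry at any level means denied.
    return 'D';
}

// Walk through the cases discussed in the text.
foreach ([
    ['/dir/index.php',   ['3']],      // D
    ['/dir/index.php',   ['2']],      // R
    ['/dir/index.php',   ['2', '3']], // R: maximum across the user's groups
    ['/admin/index.php', ['1']],      // R: explicit entry outranks the "*" D
    ['/admin/index.php', ['2']],      // D
    ['/admin/index.php', ['3']],      // D: "index.php" => "3" applies to /index.php only
    ['/index.php',       ['2']],      // R: inherited from the root catalog's "*" entry
    ['/index.php',       ['1']],      // W
] as [$path, $groups]) {
    printf("%-18s groups=%-6s => %s\n", $path, implode(',', $groups), resolvePerm($path, $groups));
}
```

Two points the walk-through makes visible: because the highest permission across a user's groups wins, a D entry for one group never restricts a user who is also in a group with R or better, so "deny everyone with *, then allow one group explicitly" (as in the admin catalog above) is the pattern that actually fails closed; and an entry keyed by file name applies only to that file in the catalog whose .access.php contains it, so the index.php entry in the root file says nothing about /admin/index.php.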
Access permissions within module
Ordinary static public pages are subject only to the first level of access permissions, the one applied to files and catalogs.
When a user has at least the minimum R (read) permission for a file and that file is a functional part of a particular module, the system additionally checks the second level of permissions, which is defined in the settings of the corresponding module. For example, on the list of tickets in the technical support section, an administrator sees all tickets, a technical support employee sees only the tickets assigned to them, and an ordinary user sees only their own tickets. This illustrates how access permissions work within the logic of the Helpdesk module.
There are two methods of assigning second-level access permissions (permissions within the module's logic):
- access permissions;
- roles.
The main difference is in how several grants combine: when a user holds several access permissions, the highest one is selected, whereas when a user holds several roles, the user gets the combined capabilities of all of them.
The modules that support roles can be listed with the Module filter on the page Settings > Users > Access Levels in the administrative section. The remaining modules, and the rest of the system settings, use access permissions.
- Permissions. If you belong to groups that have both Full administrative access and, for example, View statistics without financial parameters defined in the Statistics module, you get the highest permission, Full administrative access.
- Roles. If you belong to groups that have the roles technical support client and demo access defined in the Helpdesk module, you have the capabilities of both roles at the same time: you can view all tickets in demo access mode and, at the same time, create your own tickets as a technical support client.