Two levels of assignment of access privileges are supported in the Bitrix Framework system:
- Access to files and catalogs.
- Rights within the module logic.
Access to Files and Catalogs
This level of rights is verified in the prologue and is set using a special file .access.php containing a PHP array of the following format:
$PERM[file/catalog][user group ID] = "access right ID";
- File/catalog – the name of the file or catalog to which the access right is assigned;
- User group ID – the ID of the user group to which this right applies (the symbol * may also be used, meaning all groups);
- Access right ID – presently the following values are supported (in ascending order):
  - D - denied (a request for the file is always denied);
  - R - read (a request for the file is permitted);
  - U - document flow (the file may be edited in the document flow mode);
  - W - write (the file may be edited directly);
  - X - full access (the right to "write" plus modification of access rights).
In the administrative part of the site the access rights to files and catalogs may be granted using Site Explorer.
If a user belongs to several groups, the maximum right from all access rights set for these groups shall be selected.
If the level of rights is not expressly set for the current file or catalog, the level of rights set for the superior catalogs shall be selected.
$PERM["index.php"]["2"] = "R";
$PERM["index.php"]["3"] = "D";
Attempting to open the page /dir/index.php, a user from the ID=3 group will have the access right D (denied), a user from the ID=2 group will have the right R (read), and a user who belongs to both groups will have the maximum access level – R (read).
$PERM["admin"]["*"] = "D";
$PERM["admin"]["1"] = "R";
$PERM["/"]["*"] = "R";
$PERM["/"]["1"] = "W";
$PERM["index.php"]["3"] = "R";
Attempting to access the page /admin/index.php, a user from the ID=3 group will have access, while a user from the ID=2 group will be denied. All visitors will have access to the page
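The following is an added example, not code from Bitrix itself: a small resolver that applies the two first-level rules stated above (maximum right across the user's groups, inheritance from superior catalogs) to the two .access.php examples from this page. It assumes a simplified layout in which each directory's .access.php lists the files and subcatalogs inside that directory, the key "/" in the site root's file covers the root catalog itself, and the entry `$PERM["index.php"]["3"] = "R"` of the second example lives in /admin/.access.php; the $accessFiles map is a constructed stand-in for those files.

```php
<?php
// Added example (not Bitrix code): resolves the effective first-level right
// for a path using the documented rules:
//   1. a user in several groups gets the maximum of the rights set for them
//      (entries for "*" apply to every group and take part in the maximum);
//   2. a file or catalog with no matching entry inherits from its parent catalogs.
// Assumption: $accessFiles stands in for the .access.php files, keyed by the
// directory each one lives in; the key "/" in the root file is the root catalog.

const RIGHT_ORDER = ['D' => 0, 'R' => 1, 'U' => 2, 'W' => 3, 'X' => 4];

// Constructed sample .access.php contents (the two examples from the text).
$accessFiles = [
    '/' => [
        '/'     => ['*' => 'R', '1' => 'W'],
        'admin' => ['*' => 'D', '1' => 'R'],
    ],
    '/admin' => [
        'index.php' => ['3' => 'R'],
    ],
    '/dir' => [
        'index.php' => ['2' => 'R', '3' => 'D'],
    ],
];

/** Maximum right among "*" and the user's groups for one $PERM entry; null if none applies. */
function maxRightForGroups(array $entry, array $groupIds): ?string
{
    $best = null;
    foreach (array_merge(['*'], $groupIds) as $gid) {
        $gid = (string) $gid;
        if (!isset($entry[$gid])) {
            continue;
        }
        $right = $entry[$gid];
        if ($best === null || RIGHT_ORDER[$right] > RIGHT_ORDER[$best]) {
            $best = $right;
        }
    }
    return $best;
}

/** Effective right for $path for a user in $groupIds; 'D' if nothing is set anywhere. */
function resolveRight(array $accessFiles, string $path, array $groupIds): string
{
    $parts = array_values(array_filter(explode('/', $path), 'strlen'));
    // Walk from the leaf (the file) up through the superior catalogs.
    while (count($parts) > 0) {
        $name  = array_pop($parts);
        $dir   = '/' . implode('/', $parts);
        $entry = $accessFiles[$dir][$name] ?? null;
        if ($entry !== null) {
            $right = maxRightForGroups($entry, $groupIds);
            if ($right !== null) {
                return $right;   // first explicit match on the way up wins
            }
        }
    }
    // Nothing matched below the root: fall back to the root catalog entry "/".
    return maxRightForGroups($accessFiles['/']['/'] ?? [], $groupIds) ?? 'D';
}

// Expected: D, R, R, R, D, R, R, W
foreach ([
    ['/dir/index.php',   [3]],
    ['/dir/index.php',   [2]],
    ['/dir/index.php',   [2, 3]],
    ['/admin/index.php', [3]],
    ['/admin/index.php', [2]],
    ['/admin/index.php', [1]],
    ['/index.php',       [2]],
    ['/index.php',       [1]],
] as [$path, $groups]) {
    printf("%-18s groups=%-5s -> %s\n", $path, implode(',', $groups),
        resolveRight($accessFiles, $path, $groups));
}
```

The resolver stops at the first catalog level where any entry matches one of the user's groups (or "*"); a group that has no entry for a file therefore falls through to the catalog entry above it, which is why group 2 is denied /admin/index.php while group 3, with its explicit R, is allowed.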
Rights within Module Logic
For regular static public pages only the first level (file and catalog access) applies.
If a user has at least the right R (read) to a file, and the file is a functional part of a certain module, the second level of rights, set in the settings of that module, is verified as well. For example, when visiting the page List of queries in the technical support, the administrator sees all the queries, a technical support employee sees only those they are responsible for, and a regular user sees only their own queries. This is how the access right works as part of the Technical support module logic.
Two methodologies are used to assign 2nd level access privileges (level of rights within the module logic):
- Methodology of right;
- Methodology of role.
The difference is as follows: if a user has several rights, the maximum right is selected; if a user has several roles, the user has the combined capabilities of those roles.
The modules that support roles can be seen in the filter Module on the page Control Panel > Settings > Manage users > Access levels in the Administrative section. Rights are used in all other modules and in all other settings of the system.
- Rights. If you belong to groups for which the rights of Full administrative access and, for example, View of statistics without financial indicators are set in the Statistics module, you will have the maximum right – Full administrative access.
- Roles. If you belong to groups for which the roles of Client technical support and Demo access are set in the Technical support module, you will simultaneously have the capabilities of these two roles. That is, you will be able to see all the queries in the demo access mode and at the same time create your own queries as a client of the technical support.