
Easy management of 1C database lists

“Better to lose a day and then fly there in five minutes” (c) the animated film "Wings, Legs and Tails".



There are three excellent posts on Habr about managing lists of databases in 8.x:
1. "Managing lists of 1C 8.2 databases";
2. "How to prepare hundreds of 1C bases and not go crazy";
3. "Managing the list of 1C 8.2 databases using Active Directory".

Each of them contains its own piece of the puzzle that makes up the full picture: easy management of 1C database lists.

Prologue


The approach described here scales easily, both for simple offices with one domain and for a multi-domain structure within a forest. Everyone chooses the concrete implementation for themselves, but the foundation laid here gives the necessary flexibility without extra effort. The solution is easy to hand over to a successor. There are no scripts. None. At all.

So, what are we fighting against:

Too many users! - walking around 40+ users with the sole purpose of registering a new database or changing the connection settings of an old one takes a decent amount of time. Lucky are those who have tech support staff for that.
Too many bases! - a zoo of bases; test bases that, with a light touch from the 1C developers, end up in production while still living on the test servers. Multiply by the number of users and be horrified.
Vague names of bases! - at this point I always picture myself strangling with my own hands the next 1C developer responsible for a base named "new2_baza2_copy", to which a lot of data processors, reports and COM connections are tied. Because that seemed to him a logical name for a new base. There is only one organization and it will not suddenly grow. And he alone remembers it. And he will never quit. And the documentation is weak. "We can always redo it quickly!"
Frequent user rotation! - a new user does not know which bases he needs (often it sounds like "I need EVERYTHING"), and employees often change positions, divisions, organizations and, as a result, their duties.
Load! Scripts! - lovely scripts that scan all AD forests looking for certain group names in order to connect a single base. And who wrote it? In what? When? Where are the comments?
Where are my bases?! - oops. Many solutions do not let a user keep an individual list of 1C bases and use a predefined set of bases at the same time.
1C clusters? DB server? - is there a difference? There may be more than one. Different versions of 1C, different databases. Technical support hunts for clues to work out what exactly has to be registered on the user's PC.

I have described the main pain points.

Shall we begin?

Spoiler
1. All the infrastructure shown is a virtual test environment. Any matches with the names of legal entities are coincidental.
2. Forgive me for the English interface in the screenshots from the servers. I could not do otherwise.
3. Believe me, I am the head of the system administrators group, I know what I am doing! (c)


Six stages to happiness:

Stage 1 - Inventory

We take a spreadsheet editor and the 1C developers, and carry out a detailed inventory, possibly even by hand.

A table roughly like this is born:



Our task is to understand what is located where. Structure it. Describe it in detail.

Stage 2 - AD groups for 1C bases

When creating the groups for the databases in Active Directory, immediately write the cluster and the database server in use into the description:



As a result, we get detailed information about each database within the Active Directory structure. Putting the database name in the AD group name makes it very easy to find the group for a specific database in large infrastructures. Select the users, choose to add them to a group and type the name of the database you need. And there it all is. At the same time, your colleagues (or successors) will immediately see which AD group is responsible for which base and where that base is located.

Important:
In addition to creating an AD group for each base, you need to create one more AD group, “_Bases 1C - Access to the configuration file 1CBases.cfg”. It lets us grant access to the file share where the v8i configurations of all the databases we need are stored. We add all the AD groups for 1C databases to this group. Just do not forget to add new AD groups for 1C databases as they appear. We also need the Domain Computers group among its members, so that PC accounts can access the file share. More on the nuances below.



Stage 3 - 1C configuration files

The inventory is done and the AD groups for the databases are created; now for the v8i configuration files. They store the settings for connecting to the databases: the 1C cluster and the name of the database in that cluster.
Run 1C. If a list of databases already exists, give the entries nice, clear names following the pattern:
Organization - Configuration - Configuration Version
We save them to files via the right-click menu and name each file after its base. We carefully collect these wonderful v8i files in one directory. If there is no initial list, you can create a single entry in the list to serve as a template. From it we produce new v8i configuration files by typing the necessary information straight into the file as text.

The result is a file with the following contents:



We strip the extra lines from each file:



As a result, we get as many v8i configuration files as there are bases.

The next step is to edit the general database configuration file for 1C.

By default, it does not contain a list of databases at all:



After a few small manipulations, it contains the paths to all the v8i configuration files of the 1C databases.



Access to the v8i files works both with a simple network folder on a file server and with a DFS resource. Load balancing, fault tolerance? Yes! We know. We fly.

As a result, we have a directory full of v8i configuration files for each base separately, plus a common configuration file in which all the paths to all v8i configuration files are specified.
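
As an added illustration (not part of the original article), the PowerShell function below checks a 1CEStart.cfg against the v8i files actually present on the share: it reports entries that point outside the managed share, entries whose file is missing, and v8i files that are not listed. The function name, server name and base names are constructed for the example; CommonInfoBases is the 1CEStart.cfg key that references a v8i list file.

```powershell
# Added example, not from the original article. All sample data is constructed.
function Compare-BaseListCfg {
    param(
        [string[]]$CfgLines,   # lines of 1CEStart.cfg
        [string[]]$V8iPaths,   # full paths of the .v8i files found on the share
        [string]$ShareRoot     # the only location entries are expected to point to
    )
    # Collect every path referenced by a CommonInfoBases= line.
    $listed = foreach ($line in $CfgLines) {
        if ($line -match '^\s*CommonInfoBases\s*=\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($p in $listed) {
        if (-not $p.StartsWith($ShareRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{ Path = $p; Finding = 'entry points outside the managed share' }
        } elseif ($V8iPaths -notcontains $p) {
            [pscustomobject]@{ Path = $p; Finding = 'listed in cfg but file is missing' }
        }
    }
    foreach ($p in $V8iPaths) {
        if ($listed -notcontains $p) {
            [pscustomobject]@{ Path = $p; Finding = 'v8i file not listed in cfg' }
        }
    }
}

# Constructed sample (hypothetical server and base names).
$root  = '\\fs.example\Sync-1CBases\'
$cfg   = @(
    'CommonInfoBases=\\fs.example\Sync-1CBases\Org1-Accounting-3.0.v8i',
    'CommonInfoBases=\\fs.example\Sync-1CBases\Org1-Payroll-3.1.v8i',
    'CommonInfoBases=\\oldserver.example\bases\test.v8i'
)
$files = @(
    "${root}Org1-Accounting-3.0.v8i",
    "${root}Org2-Trade-11.v8i"
)
Compare-BaseListCfg -CfgLines $cfg -V8iPaths $files -ShareRoot $root |
    Format-Table -AutoSize
```

Against a live share, pass the output of Get-Content for the cfg file and the FullName values from Get-ChildItem instead of the sample arrays.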

Stage 4 - File or DFS resource

Create a directory that will hold the v8i configuration files for connecting to each specific database, as well as the general list of databases, the 1CEStart.cfg file.
We name the directory Sync-1CBases.
Everyone has a different philosophy about access to shared resources. Many people prefer to set Everyone - Full control on the share itself and then manage access at the file system level. It's easier. I prefer to cut off access right at the level of the share itself, without loading the file server with extra access rechecks.

We give the group “_Bases 1C - Access to the configuration file 1CBases.cfg” read access to the new network share.

A divine manual in one picture. Instead of a thousand words.



Important:
Next we set up security at the file system level.

The very first step is to reset the default permissions on the objects in the Sync-1CBases directory. Disable permission inheritance. We leave "SYSTEM", the local Administrators and Domain Administrators. Where there is a forest, you can add enterprise administrators and/or delegated administrators. We apply the result with inheritance. Right away, while we are at it, we add the AD group “_Bases 1C - Access to the configuration file 1CBases.cfg” with the Read right, for this directory only and without inheritance. This step lets members reach the root of the folder and list the files in the directory.


I still can't get used to this interface for setting permissions

Now for the key part:

For the 1CEStart.cfg file, we grant read permission only to the AD group “_Bases 1C - Access to the configuration file 1CBases.cfg”.



Then, for each v8i base configuration file, access is granted to its own Active Directory access group:



Repeat the last step until the v8i database configuration files run out.
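
An added example, not from the original article: a PowerShell audit of the permissions set in this stage. The function name and the share path and group name in the usage comment are placeholders, and principals are compared by SID so the check does not depend on the Windows display language.

```powershell
# Added example, not from the original article. Audits the Stage 4 layout:
# the directory must not inherit from its parent, and each .v8i file should be
# readable by the administrators plus exactly one base group.
function Test-BaseListShareAcl {
    param(
        [Parameter(Mandatory)][string]$Path,      # the Sync-1CBases directory
        [Parameter(Mandatory)][string]$ListGroup  # umbrella group that reads 1CEStart.cfg
    )
    # SYSTEM, BUILTIN\Administrators, Domain Admins (RID 512), Enterprise Admins (RID 519).
    $admin = '^S-1-5-18$|^S-1-5-32-544$|^S-1-5-21-.+-(512|519)$'
    # Everyone, Authenticated Users, BUILTIN\Users, Domain Users (RID 513).
    $broad = '^S-1-1-0$|^S-1-5-11$|^S-1-5-32-545$|^S-1-5-21-.+-513$'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $listSid = ([System.Security.Principal.NTAccount]$ListGroup).Translate($sidType).Value

    if (-not (Get-Acl -LiteralPath $Path).AreAccessRulesProtected) {
        [pscustomobject]@{ Item = $Path; Finding = 'directory still inherits permissions from its parent' }
    }
    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter *.v8i -File) {
        # Explicit and inherited Allow rules, with identities returned as SIDs.
        $sids = (Get-Acl -LiteralPath $file.FullName).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Where-Object { $_ -notmatch $admin } |
            Sort-Object -Unique
        $findings = @(
            if (-not $sids)             { 'no base group can read this file' }
            if (@($sids).Count -gt 1)   { 'more than one non-admin principal' }
            if ($sids -match $broad)    { 'readable by a broad built-in group' }
            if ($sids -contains $listSid) { 'readable by the umbrella group, so every 1C user sees it' }
        )
        foreach ($f in $findings) {
            [pscustomobject]@{ Item = $file.Name; Finding = $f }
        }
    }
}

# Usage (placeholder share path and domain name):
# Test-BaseListShareAcl -Path '\\fs.example\Sync-1CBases' `
#     -ListGroup 'EXAMPLE\_Bases 1C - Access to the configuration file 1CBases.cfg'
```

An empty result means every v8i file matches the layout above. The ACLs only control which connection entries a user sees in the list; they do not replace access rights inside the 1C bases themselves.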

Stage 5 - Group Policy

Many people do not use group policies. Many use them far too little. In vain, in vain, in vain. This is a very powerful tool that makes life at work easier, even in small offices.

Create a new group policy and link it to the domain root. We specify that it applies only to Domain Computers:



The main revelation (or nuance) here is that the list of databases is attached not to the user but to the PC. Unfortunately, the user cannot replace the configuration file located in C:\ProgramData\1C\1CEStart\ with his own rights, so the PC will do it for him.

Edit the policy:



The task here is to take the file from the share and replace the local file with it.
To do this only on PCs where 1C is installed, we set the conditions for applying the group policy through Item Level Targeting.

Check the presence of the installed 1C:



This is the most basic check. It covers both x86 and x64 editions of the operating systems. It does not distinguish between server and client OS.

The targeting conditions themselves can be varied very widely: these settings can be applied to specific organizational units, depending on the availability of network resources and on many other parameters, which makes it possible to narrow down the conditions under which this group policy is triggered.

The file is synchronized when the PC boots, and then every 90 minutes or so.

Stage 6 - User

We take a user and add him to the AD group:



After that, the user logs in to the system and runs 1C, which reads the configuration file and connects all the v8i files the user has access to. Result:



Which is exactly what we were after.

This solution does not touch the file C:\Users\%username%\AppData\Roaming\1C\1CEStart\ibases.v8i, which stores the databases the user has registered himself. However, that file can always be reset to clear the user's own list of databases. Group policies are in your hands!

Epilogue

Formally, I have given one of many possible implementations. I have conveyed the approach. The possible extensions to this article are quite broad:
Automatically creating a v8i file, adding it to the cfg and creating an AD group for the 1C base.
Edit access for the 1C specialists to the same files.
Checking whether the cfg configuration file is up to date before the PC replaces it.
For the paranoid, you can create cfg files with predefined lists, and register more than one database in a v8i file. And, in general, give the v8i files names that do not contain the database name.
You can change the way the cfg file is delivered to the PC: the access rights to the file are changed in the PC configuration, and the user then overwrites it with his own rights.
And much more. Whatever you want. Everyone is free to decide for himself.

Summary:
Too many users! - it does not matter.
Too many bases! - the 1C developers entered the base in the register, the users received it. If they did not, even a self-connected base will disappear from the user at the next login, provided that resetting the list of local bases is enabled.
Vague names of bases! - what's the difference? You always have up-to-date information. No complete information about a base means no base for the users.
Frequent user rotation! - was there a request to connect a base? There is the base! Changed position or division - lost the base along with the reset of rights.
Load! Scripts! - where? What for? Balancing, accurate targeting, only current information, ease of maintenance and support.
Where are my bases?! - not allowed! Or go ahead and use them, if you please. Everyone is happy.
1C clusters? DB server? - no confusion. Everything is already defined by the settings. The technicians are busy with useful things instead of asking who should get what registered where, what to call it, and how not to leave users without an accounting system in the morning because of an update.

P.S.


I spent the day so that you could fly there in five minutes. Thank you!

Update:
Habr user sisaenkov rightly noted that, instead of copying the cfg files to the C:\ProgramData\1C\1CEStart\ folder, for client systems based on Windows XP you should use the variable "%ALLUSERSPROFILE%\Application Data\1C\1CEStart\", while for systems based on Vista and later you can use the option given in the article or the variable %ProgramData%\1C\1CEStart\

Source: https://habr.com/ru/post/250287/
