Bitrix Site Manager

Access permissions

The Bitrix Site Manager supports the following two access permission levels.

Level 1. Files and directories access

This access permission level is checked in the prologue and is assigned in the service file .access.php containing a PHP array in the following format:

$PERM[file/folder][user group ID] = "access permission ID";
In this line:

If the Site Explorer module is installed, you can assign permissions manually in the administrative section (menu Site Explorer->Manage->Access).

Note
If a user is a member of more than one group, the maximum permission among those groups is taken.

Note
If the current file or folder has no explicitly assigned access permission, the access permission of its parent folder is used.

Example
File /dir/.access.php
<?
   $PERM["index.php"]["2"] = "R";
   $PERM["index.php"]["3"] = "D";
?>

On an attempt to open the page /dir/index.php, a user who is a member of group ID=3 will have permission D (deny), while a user from group ID=2 will have permission R (read). A user who is a member of both groups will have the maximum possible access permission, R (read).

Example
File /.access.php
<?
   $PERM["admin"]["*"] = "D";
   $PERM["admin"]["1"] = "R";
   $PERM["/"]["*"] = "R";
   $PERM["/"]["1"] = "W";
?>
File /admin/.access.php
<?
   $PERM["index.php"]["3"] = "R";
?>

On an attempt to open the page /admin/index.php, a user who is a member of group ID=3 may be granted access, while a user from group ID=2 cannot gain access. All users may access the page /index.php.
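The two notes above (maximum permission across groups, fallback to the parent folder) can be checked against the second example with a small model. This is an added example, not Bitrix code: the function names are hypothetical and the array mirrors the two .access.php files shown above. It assumes the ranking D < R < W, that "*" matches any group, that an exact group ID wins over "*" at the same level, and that a path with no matching rule is denied.

```php
<?php
// Added example: a model of the level 1 lookup, not Bitrix's own implementation.
const RANK = ['D' => 0, 'R' => 1, 'W' => 2]; // assumed ordering

// Constructed sample: contents of each .access.php, keyed by the folder holding it.
$accessFiles = [
    '/'      => ['admin' => ['*' => 'D', '1' => 'R'], '/' => ['*' => 'R', '1' => 'W']],
    '/admin' => ['index.php' => ['3' => 'R']],
];

// (folder, key) pairs to consult, from the file itself up to the site root.
function lookupChain(string $path): array
{
    $chain = [];
    $parts = array_values(array_filter(explode('/', $path), 'strlen'));
    while ($parts) {
        $name = array_pop($parts);
        $chain[] = ['/' . implode('/', $parts), $name];
    }
    $chain[] = ['/', '/']; // the root folder's own entry is $PERM["/"] in /.access.php
    return $chain;
}

// Nearest rule for one group; an exact group ID beats "*" at the same level (assumption).
function groupPermission(array $accessFiles, string $path, string $group): string
{
    foreach (lookupChain($path) as [$folder, $name]) {
        $rules = $accessFiles[$folder][$name] ?? [];
        if (isset($rules[$group])) return $rules[$group];
        if (isset($rules['*'])) return $rules['*'];
    }
    return 'D'; // assumption: no rule anywhere means deny
}

// A user in several groups gets the maximum permission among them.
function userPermission(array $accessFiles, string $path, array $groups): string
{
    $best = 'D';
    foreach ($groups as $g) {
        $p = groupPermission($accessFiles, $path, (string)$g);
        if (RANK[$p] > RANK[$best]) $best = $p;
    }
    return $best;
}

foreach ([['/admin/index.php', [3]], ['/admin/index.php', [2]], ['/admin/index.php', [2, 3]], ['/index.php', [2]]] as [$path, $groups]) {
    echo $path, ' groups=', implode(',', $groups), ' => ', userPermission($accessFiles, $path, $groups), PHP_EOL;
}
```

The third case is the one to watch when reviewing .access.php files: a deny inherited through one group does not override a read granted through another, so a user in groups 2 and 3 still reaches /admin/index.php.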

Level 2. Module logic driven rights

Only access level 1 (see above) can be applied to ordinary static public pages.

If a user has at least the permission R (read) for a file, and the file is a functional part of a module, the permissions of access level 2 are checked. These permissions are assigned in the settings of the corresponding module.

Example

When opening the Tickets page of the Techsupport module, the administrator sees all tickets, a techsupport member sees only the tickets he is in charge of, and a common user sees only his own tickets. This is how access permissions function within the Techsupport module logic.

Currently, two approaches are used with permissions of the access level 2:

The main distinction between these methods is as follows: if a user has more than one permission, the maximum permission is selected, whereas if a user has more than one role, he is assumed to have the total scope of all those roles.

Roles are currently supported by the following modules: Techsupport and Advertising. All other modules use permissions.

Example