Access control
Pega Platform™ provides Access Manager to simplify the configuration of security records. Access Manager presents you with an easy-to-use interface for managing application security. With Access Manager, you can quickly set or remove permissions for basic tasks, such as creating a case, deleting a case, or running reports. You set permissions for the access roles associated with a particular access group.
When an access group lists more than one role, Pega Platform applies the most permissive setting across all the listed roles. For example, the Manager role has permission to run reports, but the User role does not. If the Manager access group includes both the Manager and User roles, then all members of the access group can run reports.
Access control for a case type is managed through two types of records that can be edited from the Access Manager:
- Access of Role to Object (ARO) records are used to specify permissions for items of a specific class for members of a specific access group. Setting the ARO to No Access indicates that the user is denied access
- Access Deny records are used to override AROs to explicitly deny access in situations where regulations or policies require an explicit denial of permissions. Access Deny records provide an extra layer of security even when the ARO record is set to No Access.
Tip: Denial of access to the class can also depend on permissions defined for each Pega instance, at the system level. Access of Role to Object and Access Deny records are covered in more detail in an advanced topic.
In the following image, click the + icons to learn more about the Access Manager.
Access control and system type
In on-premises systems, administrators can define the operator access and permission a user has to make changes to the system. control the types of permitted changes and specify the purpose of the environment. For example, during development, you may want to configure more permissive access control to users to support debugging. However, you also require a more restrictive access control on a production system.
You grant permissions on a scale from 1 to 5, where the value corresponds to a possible production level, as seen in the following table. Specify a value of 0 to deny the action. With the exception of No Access control values, access is granted when the Access Control value is greater than or equal to the Production Level setting.
| Production level | Description |
|---|---|
| 5 | Production system |
| 4 | Staging system |
| 3 | Quality assurance system |
| 2 | Development system |
| 1 | Sandbox system |
| 0 | Deny the action |
Denial of access to the class can depend on the production level value (1 to 5) of your system and whether certain Access When rules evaluate to true. When you update an access control setting in the Access Manager, Pega Platform updates the Access of Role to Object or Access Deny records with a value of either 0 or 5. Access these records directly to specify access control levels other than 0 or 5. The Access Manager indicates the access level on the current system.
For example, you set the access control level to 2 for Authors to delete instances of a case type. On a development system, the Access Manager indicates Full Access. On a production system, the Access Manager indicates No Access. This avoids the need to reset permissions when migrating an application throughout the development or release cycles.
Check your knowledge with the following interaction:
This Topic is available in the following Module:
Want to help us improve this content?