Skip to main content

Access control

Pega Platform™ provides the Persona access landing page in App Studio and the Access Manager in Dev Studio to simplify the configuration of security records. Both pages present you with an easy-to-use interface for managing application security. When possible, use the Persona access landing page instead of the Access Manager to configure access control. However, you can only set certain permissions - for example, granting a Persona permission to delete a Case instance - from the Access Manager.

On the Persona access landing page and in the Access Manager, you set permissions for the Access Roles associated with a particular Access Group.

When an Access Group lists more than one role, Pega Platform applies the most permissive setting across all the listed roles. For example, the Manager role has permission to run reports, but the User role does not. If the Manager Access Group includes both the Manager and User roles, then all members of the Access Group can run reports.

Access control for a Case Type

Access control for a Case Type is managed through two types of records that can be edited from the Persona access landing page or in Access Manager: 

  • Access of Role to Object (ARO) records are used to specify permissions for items of a specific class for members of a specific Access Group. Setting the ARO to No Access indicates that the user is denied access.
Role plus class is equal to Access of Role to Object
  • Access Deny records are used to override AROs to explicitly deny access in situations where regulations or policies require an explicit denial of permissions. Access Deny records provide an extra layer of security even when the ARO record is set to No Access.
    Tip: Denial of access to the class can also depend on permissions defined for each Pega instance, at the system level. Access of Role to Object and Access Deny records are covered in more detail in an advanced topic.
Note: As a best practice, when possible, use the Persona access landing page or Access Manager instead of directly modifying the Access of Role to Object or Access Deny Rule form permission settings. Configuring the application in App Studio makes it easier to keep your application up-to-date.

Persona access landing page

To access the Persona access landing page, in the navigation pane of App Studio, click Users > User management, and then select the Persona that you want to edit. 

In the following image, click the + icons to learn more about the Persona access landing page for the Manager Persona:

Access Manager

To access the Access Manager, in the header of Dev Studio, click Configure > Org & Security > Access Manager.

In the following image, click the + icons to learn more about the Access Manager:

Access control and system type

In on-premises systems, administrators can define the operator access and permissions that a user has to make changes to the system. Production levels control the types of permitted changes and specify the purpose of the environment. For example, during development, you may want to configure more permissive access control to users to support debugging. However, you also require a more restrictive access control on a production system.

You grant permissions on a scale from 1 to 5, where the value corresponds to a possible production level, as seen in the following table. Specify a value of 0 to deny the action. With the exception of No Access control values, access is granted when the Access Control value is greater than or equal to the Production Level setting.

Production level Description
5 Production system
4 Staging system
3 Quality assurance system
2 Development system
1 Sandbox system
0 Deny the action

Denial of access to the class can depend on the production level value (1 to 5) of your system and whether certain Access When Rules evaluate to true. When you update an access control setting in the Access Manager, Pega Platform updates the Access of Role to Object or Access Deny records with a value of either 0 or 5. Access these records directly to specify access control levels other than 0 or 5. The Access Manager indicates the access level in the current system.

For example, you set the access control level to 2 for Authors so that they can delete instances of a Case Type. In a development system, the Access Manager indicates Full Access. In a production system, the Access Manager indicates No Access. This avoids the need to reset permissions when migrating an application throughout the development or release cycles.

Check your knowledge with the following interaction:

This Topic is available in the following Module:

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice