Adding roles to an access control model
When you create an application, Pega Platform™ provides a default access control model to support three processing roles: users, managers, and administrators. In complex business processes, you may divide these roles into more distinct roles. For example, an accounting application may reflect the following roles for requests such as expense reports and purchase requests:
- Users – Employees who submit requests
- Managers – Employees who approve requests for direct and indirect reports
- Auditors – Employees who review requests for compliance with company policy
Each role requires its users to perform different actions on a request. To ensure that application users can perform only the actions their role permits, you extend the access control model by adding roles, then configure each role to allow or deny actions as appropriate.
Create a new role
You create a new role to customize access control for a specific set of users. For example, to differentiate between employees who submit accounting requests and employees who process requests, you define roles for each group of employees.
When extending the access control model with a new role, consider the following questions:
- What is the role of the user in processing a case?
- What actions do these users need to perform?
- How do these actions differ from the actions allowed for other users?
In Pega, you define an access role with an Access Role Name record, a label that describes a specific set of application users with a unique job function. You apply the role to Access of Role to Object (ARO) and Access Deny records to identify the actions allowed or denied to users assigned the role.
When you create a new access role, you must identify the appropriate permissions for that role. These permissions control how users assigned to the role interact with case and data instances defined for the application. For example, permissions identify whether role members can create cases or just update cases.
Often, users share a common set of core permissions, with only a small number of permissions varying between roles. To simplify the configuration and management of permissions, you can configure an Access Role Name record with one or more dependent roles. The access role inherits the permissions set for each dependent role. If permissions for a class vary between the dependent roles, the access role inherits the most permissive permission settings. To view the dependent roles applied to an access role, click Manage dependent roles on the Access Role Name record.
Caution: When creating an application, Pega Platform configures a base set of Access Role Name records for the application. Each Access Role Name record references at least one standard Pega Platform access role as a dependent role. For example, the <ApplicationName>:Administrators role, which each application uses to manage security settings for developers, is based on the standard PegaRULES:SysAdm4 role, which lists the default security settings for application developers.
Permissions configured on an Access Role Name record override the permissions configured for all the dependent roles.
Pega Platform provides two options to customize an access role based on one or more dependent roles.
- If you need to customize a small number of classes for an access role, manually add the impacted classes to the Access Role Name record and specify the necessary permissions.
- If you need to configure changes over many classes, clone the appropriate dependent role to override all the inherited permissions, and update each class as needed.
Note: To minimize the chance of introducing a security vulnerability, only add classes to the Access Role Name record if you intend to override one or more of the inherited permissions for that class.
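The following is an added example, not code from Pega or this page, that models the resolution rule just described: a role takes the most permissive setting from its dependent roles for each class, and a class listed directly on the Access Role Name record overrides the dependents for that class. Role and class names are constructed, and permissions are simplified to allow/deny booleans per action (real Access of Role to Object records use numeric values); an action left unset on a direct entry is treated as not allowed, which is an assumption of this model.

```python
"""Model of access-role resolution as described above (constructed example).

An Access Role Name inherits from its dependent roles, taking the most
permissive setting per class; a class listed directly on the record overrides
all dependents for that class. Names and classes are hypothetical."""
from typing import Dict, Sequence

# Simplified permission set: action -> allowed. Real ARO records use numeric
# values; booleans are enough to show how resolution works.
ACTIONS = ("open", "modify", "run_reports")
Permissions = Dict[str, bool]

class AccessRoleName:
    def __init__(self, name: str, dependents: Sequence["AccessRoleName"] = (),
                 explicit: Dict[str, Permissions] = None):
        self.name = name
        self.dependents = list(dependents)
        # Classes listed directly on this record (ARO-style entries).
        self.explicit = explicit or {}

    def effective(self, access_class: str) -> Permissions:
        """Resolve the permissions this role grants on one class."""
        if access_class in self.explicit:
            # A direct entry wins outright; nothing is merged from dependents.
            # Unset actions default to not allowed (model assumption).
            return {a: self.explicit[access_class].get(a, False) for a in ACTIONS}
        merged = {a: False for a in ACTIONS}
        for dep in self.dependents:
            for action, allowed in dep.effective(access_class).items():
                merged[action] = merged[action] or allowed  # most permissive wins
        return merged

def inherited_only(role: AccessRoleName, access_class: str) -> Permissions:
    """What the role would get from its dependents alone, for comparison."""
    return AccessRoleName(role.name, role.dependents).effective(access_class)

# Constructed sample roles for an accounting application.
USERS = AccessRoleName("Acct:Users", explicit={
    "Acct-Work-Expense": {"open": True, "modify": True}})
REPORTING = AccessRoleName("Acct:Reporting", explicit={
    "Acct-Work-Expense": {"open": True, "run_reports": True}})
# Auditors inherit from both but list the expense class to make it read-only.
AUDITORS = AccessRoleName("Acct:Auditors", dependents=[USERS, REPORTING], explicit={
    "Acct-Work-Expense": {"open": True, "run_reports": True, "modify": False}})
# Listing a class with only "open" set narrows what the dependents granted,
# which is why a class is added only when an override is intended.
MANAGERS = AccessRoleName("Acct:Managers", dependents=[USERS, REPORTING], explicit={
    "Acct-Work-Expense": {"open": True}})
```

Compare `AUDITORS.effective("Acct-Work-Expense")` with `inherited_only(AUDITORS, "Acct-Work-Expense")` to see the override take effect, and resolve a class that no role lists to see that nothing is granted.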
Once you associate an Access of Role to Object record with an access role name, you can customize privileges from the Access Role Name record; Pega applies your changes to the corresponding Access of Role to Object record. To update an Access of Role to Object record, click the entry in the Access Class column to open a modal dialog that displays the contents of the record.
Caution: The Access Role Name record lists both Access of Role to Object records and Access Deny records by class name. To identify the type of record listed, click the link.
After you create an Access Role Name record, you add the role to the appropriate access group. Pega then applies the access control settings of the role to users on login. If necessary, create a new access group to apply the role to the appropriate set of users.