A persona defines how users align with an application in terms of business outcomes. A role defines how users interact with an application in terms of specific tasks. Roles determine what users can and cannot do within the application. Assigning application users to specific roles enables users to perform their work during case processing. Assign a user to a role to specify how that user interacts with an application.
For example, in a health care application, patients and doctors must perform different tasks. Define different roles for patients and doctors so that individual users with the appropriate role specified can see the correct user interface and access the desired application features.
The following image shows how Pega Platform™ uses roles to define permissions in an application.
Each role has a default channel interface that defines which screen a user sees upon logging in. Channel interfaces are also referred to as user interfaces. You can associate roles with Studio channels (App Studio, Admin Studio, and Dev Studio) and with web channel interfaces (User Portal or an application-specific channel such as Doctor Portal).
The role-based access control model
Application and data security are major concerns because of the risks of customer loss, data breaches, and legal and financial penalties. You can satisfy common security requirements by using role-based access control (RBAC) to control which application features and functions users can access. With RBAC, you configure access by defining roles with the desired authorization and privileges.
Note: Configuring appropriate access control is only one aspect of securing an application. For a complete list of security leading practices, consult the Security Checklist awareness module and the Security Checklist for Pega Platform deployment.
Access control depends on two factors: authentication and authorization. Authentication confirms the identity of a user and verifies that the user is allowed access to an application. In Pega Platform™, the record for the operator ID allows for authentication of a user. Authorization determines what data the user can view and what actions the user can perform. In Pega Platform, the records for the access group and application allow for authorization of a user.
The following image shows the records that facilitate authentication.
Access groups and access roles
You can create multiple access groups that reference the same application to achieve different levels of access control.
Note: Access groups in Dev Studio align with the role that developers can assign to users in App Studio.
An access role categorizes users according to their job function. Each access role represents how a set of users interacts with an application to create and process cases. For example, in an application for managing purchase requests, any user can submit a purchase request, but only a manager can approve a purchase request.
Each access group references one or more access roles. By allowing references to multiple roles on an access group, Pega Platform encourages the design of a modular application security model in which you combine granular roles to meet complex security needs.
For each access role, you configure permissions to control actions on instances of a specific class, such as the types of cases that a user can create or modify. If the roles referenced by an access group provide conflicting access control configurations, Pega Platform applies the most permissive setting across all the conflicting roles. In the following example, a manager belongs to an access group that includes both the User and Manager access roles. The Manager access role allows users to approve and submit a time-off request, while the User access role prohibits approval and submission actions. Because the Manager access group references both roles, members of the access group can approve and submit time-off requests.
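The most-permissive rule described above, as an added illustration (this is a constructed model, not Pega Platform code): each access role is a map of class to allowed actions, an access group is the union of the roles it references, and a review helper reports which single role is responsible for each effective permission.

```python
"""Constructed model of the most-permissive conflict rule (not Pega code)."""
from typing import Dict, List, Set, Tuple

# role -> class -> {action: allowed?}; roles for the time-off example above
RolePermissions = Dict[str, Dict[str, bool]]
ACCESS_ROLES: Dict[str, RolePermissions] = {
    "User": {
        "TimeOffRequest": {"create": True, "submit": False, "approve": False},
    },
    "Manager": {
        "TimeOffRequest": {"create": True, "submit": True, "approve": True},
    },
}


def effective_permissions(role_names: List[str],
                          roles: Dict[str, RolePermissions] = ACCESS_ROLES,
                          ) -> Dict[str, Dict[str, Set[str]]]:
    """Resolve an access group that references role_names.

    Returns class -> action -> set of roles granting that action. An action
    is allowed if any referenced role allows it; a role that sets the action
    to False never removes access granted by another role.
    """
    granted: Dict[str, Dict[str, Set[str]]] = {}
    for name in role_names:
        for cls, actions in roles[name].items():
            for action, allowed in actions.items():
                if allowed:
                    granted.setdefault(cls, {}).setdefault(action, set()).add(name)
    return granted


def can(role_names: List[str], cls: str, action: str,
        roles: Dict[str, RolePermissions] = ACCESS_ROLES) -> bool:
    """True if the access group's effective permissions allow the action."""
    return action in effective_permissions(role_names, roles).get(cls, {})


def single_grantors(role_names: List[str],
                    roles: Dict[str, RolePermissions] = ACCESS_ROLES,
                    ) -> List[Tuple[str, str, str]]:
    """Review aid: (class, action, role) for actions granted by exactly one role.

    Because combining roles only ever widens access, this shows which role
    to remove or tighten if an access group turns out to be over-privileged.
    """
    out = []
    for cls, actions in effective_permissions(role_names, roles).items():
        for action, grantors in actions.items():
            if len(grantors) == 1:
                out.append((cls, action, next(iter(grantors))))
    return sorted(out)
```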
The following image compares an example administrator access group record with a user access group record.