Managing access control
To simplify the configuration of security records, Pega provides the Access Manager. The Access Manager presents you with an easy-to-use interface for managing application security. In Dev Studio, navigate to the Configure menu and select Org & Security > Access Manager to open the Access Manager.
Manage access control with the Access Manager
The Access Manager provides three tabs for configuring security settings in an application.
- Use the Work & Process tab to configure access control for instances of a specific case type.
- Use the Tools tab to configure access to Pega tools such as the Clipboard and Live UI for end users.
- Use the Privileges tab to manage access to specific records, such as flow actions and correspondence records.
The following image shows the configuration for the HRApps:Administrators access group on the Work & Process tab of the Access Manager.
To configure the access control for a setting, expand the Case Type and click the icon in the column for the appropriate role. Select the level of access to grant — Full Access, Conditional Access, or No Access — from the pop-up window.
Note: The Access Manager displays Conditional Access for a case type when you select different access levels for the listed actions.
Explicitly deny actions on class instances
For the selected access role, the Access Manager manages the Access of Role to Object and Access Deny records for each case type. When you update a setting, the Access Manager updates the appropriate record.
Note: Access Deny records only manage actions on class instances, such as opening cases or running reports. You cannot use an Access Deny record to deny access to tools or individual records explicitly.
An Access Deny record overrides an Access of Role to Object record applied to the same class and role. When an Access Deny record is in use, the Access Manager displays a link to that record below the indicator icon. In the following example, the Access Manager indicates the use of an Access Deny record to explicitly deny the privileges to delete cases and run reports for the HRApps:User role.
For a description of each action, see the Help topic Configuring case type access.
Caution: The View History action applies to the class group, so the setting is the same for all case types in a class group.
If necessary, the Access Manager creates Access of Role to Object records to reflect your configuration. For example, when you create an application, Pega creates an Access of Role to Object record for the class group. Any case types you create for the application inherit the settings for the class group. When you update an access control setting for a specific case type, the Access Manager creates an Access of Role to Object record for the corresponding class for the specified role.
Caution: You must create an Access Deny record manually. The Access Manager creates only Access of Role to Object records.
Vary user access by system type
During development, you may want to configure more permissive access control for users to support debugging. However, you want to configure more restrictive access control on a production system. You can update individual Access of Role to Object and Access Deny records to automatically revoke access to actions and tools as the application advances towards production.
An Access of Role to Object record grants access for an action on a scale of 0 to 5. A zero means the action is denied. The remaining values are compared to the production level value of your system. If the privilege level is equal to or greater than the production level value of the system, Pega allows the action. If not, Pega denies the action.
An Access Deny record denies access for an action on the same 0 to 5 scale. A zero means the action is allowed. If the privilege level is equal to or greater than the production level value of the system, Pega denies the action. If not, Pega allows the action.
Production level values follow the software development life cycle. The greater the production level value, the closer the system is to a production environment.
Note: For additional information on production level values, and how to set these values for the server, see the Help topic Production level.
When you update an access control setting in the Access Manager, Pega updates the Access of Role to Object or Access Deny record with a value of either 0 or 5. To apply a different value, click the access role name in the Access Manager to open the Access Role Name record, then click the access class to update the entry on the record.
Caution: If you use access control levels other than 0 or 5, the Access Manager indicates the access level on the current system. For example, you set the access control level to 2 (Development system) for a role to delete instances of a case type. On a development system, the Access Manager indicates Full Access. On a production system, the Access Manager indicates No Access.
Configure conditional access
To conditionally allow access to an action, tool, or privilege, you configure an Access When record.
Unlike numerical access control values, Access When records are not tested against the production level of the system. If an Access When record returns a result of true, Pega grants access to the specified action regardless of the production level of the system.
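The following Python model, added here as an illustration and not Pega's own code, works through the rules stated above: an Access of Role to Object value of 0 denies and 1 to 5 allows only at or above the system's production level; an Access Deny value of 0 means no denial and 1 to 5 denies at or above the production level; an Access Deny record overrides the Access of Role to Object record for the same class and role; and an Access When record grants or denies purely on its result, ignoring the production level. It also reproduces what the Access Manager indicator shows on a given system (the value-2 delete setting from the caution above reads Full Access on a Development system and No Access on a Production system). The production level names other than 2 (Development) and 5 (Production), the class name HRApps-Work-Onboarding, the action names and the sample clipboard values are assumptions constructed for the example; an Access When record is modelled as a plain Python predicate.

```python
# Added model of Pega's production-level access evaluation; not Pega's own code.
from typing import Callable, Dict, Optional, Union

# Production level values of the system. Only 2 (Development) and 5 (Production)
# are named on the page; the other names are assumed for readability.
PRODUCTION_LEVELS = {1: "Experimental", 2: "Development", 3: "Test", 4: "Staging", 5: "Production"}

# A record entry is either a numeric level 0-5 or an Access When condition,
# modelled here as a predicate over a clipboard-like dict (assumption).
AccessWhen = Callable[[dict], bool]
Setting = Union[int, AccessWhen]


def _check_level(setting: int) -> None:
    if not 0 <= setting <= 5:
        raise ValueError(f"access level must be 0-5, got {setting}")


def aro_allows(setting: Setting, production_level: int, context: dict) -> bool:
    """Access of Role to Object entry: 0 denies; 1-5 allows only when the entry is at or
    above the system's production level; an Access When grants on true regardless of level."""
    if callable(setting):
        return bool(setting(context))
    _check_level(setting)
    return setting != 0 and setting >= production_level


def deny_blocks(setting: Optional[Setting], production_level: int, context: dict) -> bool:
    """Access Deny entry: absent or 0 means no explicit denial; 1-5 denies when the entry
    is at or above the production level; an Access When denies on true regardless of level."""
    if setting is None:
        return False
    if callable(setting):
        return bool(setting(context))
    _check_level(setting)
    return setting != 0 and setting >= production_level


def is_allowed(action: str, grants: Dict[str, Setting], denies: Dict[str, Setting],
               production_level: int, context: Optional[dict] = None) -> bool:
    """Decide one action for one role on one class. The Access Deny record for the same
    class and role is checked first because it overrides the Access of Role to Object record."""
    context = context or {}
    if deny_blocks(denies.get(action), production_level, context):
        return False
    return aro_allows(grants.get(action, 0), production_level, context)


def access_manager_label(action: str, grants: Dict[str, Setting], denies: Dict[str, Setting],
                         production_level: int, context: Optional[dict] = None) -> str:
    """Indicator shown for a single action on this system: Conditional Access when an
    Access When governs it, otherwise Full Access or No Access as evaluated against the
    current production level (a numeric 2 therefore reads differently per system)."""
    if callable(grants.get(action)) or callable(denies.get(action)):
        return "Conditional Access"
    return "Full Access" if is_allowed(action, grants, denies, production_level, context) else "No Access"


def case_type_label(actions, grants, denies, production_level, context=None) -> str:
    """Case-type summary: Conditional Access when the listed actions resolve to different
    levels, otherwise the level they share."""
    labels = {access_manager_label(a, grants, denies, production_level, context) for a in actions}
    return labels.pop() if len(labels) == 1 else "Conditional Access"


# Constructed sample: the HRApps:User role on a hypothetical HRApps-Work-Onboarding class.
ACTIONS = ["Open Instances", "Modify Instances", "Delete Instances", "Run Reports"]
USER_GRANTS: Dict[str, Setting] = {
    "Open Instances": 5,                                        # allowed on every system
    "Modify Instances": lambda ctx: ctx.get("department") == "HR",  # Access When record
    "Delete Instances": 2,                                      # Development systems only
    "Run Reports": 5,                                           # granted by the ARO record...
}
USER_DENIES: Dict[str, Setting] = {
    "Run Reports": 5,                                           # ...but explicitly denied everywhere
}


def evaluate_role(production_level: int, context: Optional[dict] = None) -> Dict[str, bool]:
    """Resolve every sample action for the given system; used by the demo below."""
    return {a: is_allowed(a, USER_GRANTS, USER_DENIES, production_level, context) for a in ACTIONS}


if __name__ == "__main__":
    for level in (2, 5):
        print(f"{PRODUCTION_LEVELS[level]} system (production level {level}):")
        for action, allowed in evaluate_role(level, {"department": "HR"}).items():
            label = access_manager_label(action, USER_GRANTS, USER_DENIES, level)
            print(f"  {action:<18} allowed={allowed!s:<5} indicator={label}")
        print("  case type:", case_type_label(ACTIONS, USER_GRANTS, USER_DENIES, level))
```

Running the script shows Delete Instances flipping from allowed on the Development system to denied on the Production system while Run Reports stays denied on both, which is the behaviour to confirm in each environment before relying on a non-0/5 value.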
To conditionally grant or deny access, click the Indicator icon and select Conditional Access, then enter the name of the Access When record. To create an Access When record, click the crosshairs icon to the right of the field.
You configure an Access When record as you do a When record. Create the when condition to evaluate on the Conditions tab of the Access When record form. For instructions on configuring the when condition of an Access When record, see the Help topic When form - Completing the Conditions tab.