Managing access to individual rules

In certain cases, you need to control access to specific user actions, such as individual flow actions. For example, a bank organizes its account support agents into two roles: level one agents and level two agents. Level one agents can respond to customer complaints and open an account dispute case. Only level two agents can reverse a charge to an account to resolve an account dispute. In this situation, you need to allow level two agents to perform the flow action to reverse the charge, but deny the action to level one agents.

You create a Privilege record to control user access to a rule. When you add a privilege to a rule, users can access the rule only if they are assigned a role that has been granted the privilege. When a user attempts to use a rule with a privilege applied, Pega verifies whether the user is granted the privilege. If the user is granted the privilege, Pega allows the user to use the rule. If the user does not have the privilege, Pega denies the rule to the user.

To allow users to use a rule that references a privilege, you add the privilege to a user role. In the previous example, to ensure that only level two agents can perform a charge reversal, you first apply a privilege to the charge reversal flow action. Then you grant the privilege to the user role for level two agents. Pega then denies the action to level one agents.

You create Privilege records to configure access control for specific rules, such as flows, flow actions, and correspondence. In Dev Studio, from the Create menu, under Security, select Privilege to create a new Privilege record. When naming the record, identify the action that the privilege governs. Doing so helps other system architects to select the correct privilege for other rules when configuring the access control model.

To add a required privilege to a rule, open the rule and list the privilege on the rule form. For most rules that support privileges, you add privileges to the Security tab. For flow rules, you add privileges to the Process tab. The following image shows a privilege applied to a flow action. At run time, Pega verifies if the user has been granted the privilege RuleObjFlowAction:pyCascadingApprove before allowing the user to perform the action.

You add a privilege to the user role on the Privileges tab of the Access Manager. In the Access Manager, you can deny, explicitly grant, or conditionally grant a privilege to users. To conditionally grant the privilege, you configure an Access When record to test when to grant and deny the privilege.

The following example shows a set of privileges configured for the HRApps:Manager role. Users with the HRApps:Manager role on their access group can use any rule that requires one of the listed privileges.

To view the set of privileges granted to a role, select the role and class. To add a privilege to a role, add the privilege to the table.

By default, the Access Manager lists privileges applied to the selected class. To view inherited privileges, select Show inherited privileges to display the privileges inherited from parent classes. For example, you can define privileges in the class group to extend to all case types in your application. These privileges are not displayed in the Access Manager unless you select Show inherited privileges.