Managing access to individual rules
In certain cases, you need to control access to specific user actions, such as individual flow actions. For example, a bank organizes its account support agents into two roles: level one agents and level two agents. Level one agents can respond to customer complaints and open an account dispute case. Only level two agents can reverse a charge to an account to resolve an account dispute. In this situation, you need to allow level two agents to perform the flow action to reverse the charge, but deny the action to level one agents.
You create a Privilege record to control user access to a rule. When you add a privilege to a rule, users can access the rule only if one of the roles on their access group has been granted that privilege; a rule that lists no privilege is not restricted by this mechanism. When a user attempts to use a rule with a privilege applied, Pega checks whether the user holds the privilege. If the user holds the privilege, Pega allows the user to use the rule. If the user does not hold the privilege, Pega denies the user access to the rule.
To allow users to use a rule that references a privilege, you add the privilege to a user role. In the previous example, to ensure that only level two agents can perform a charge reversal, you first apply a privilege to the charge reversal flow action. Then you grant the privilege to the user role for level two agents. Because the level one role is never granted the privilege, Pega denies the action to level one agents.
Create a privilege record
You create Privilege records to configure access control for specific rules, such as flows, flow actions, and correspondence. In Dev Studio, from the Create menu, under Security, select Privilege to create a new Privilege record. When naming the record, identify the action that the privilege governs. Doing so helps other system architects to select the correct privilege for other rules when configuring the access control model.
Caution: Whenever possible, save the privilege to the same class and ruleset as the rules that reference the privilege. This reduces the likelihood that Pega denies access to a rule because the referenced privilege record cannot be found in the user's ruleset stack.
Tip: When you create a privilege record, on the History tab, use the Full Description and Usage fields to identify the intent of the privilege and what rules require the privilege. This information is displayed in the Access Manager.
Require a privilege to use a rule
To add a required privilege to a rule, open the rule and list the privilege on the rule form. For most rules that support privileges, you add privileges on the Security tab. For flow rules, you add privileges on the Process tab. The following image shows a privilege applied to a flow action. At run time, Pega verifies that the user has been granted the privilege RuleObjFlowAction:pyCascadingApprove before allowing the user to perform the action.
Grant a privilege to a role
You add a privilege to the user role on the Privileges tab of the Access Manager. In the Access Manager, you can deny, explicitly grant, or conditionally grant a privilege to users. To conditionally grant the privilege, you configure an Access When record that Pega evaluates at run time to decide whether to grant or deny the privilege for that particular request.
Tip: You can also configure the access control model to grant or deny privileges according to the production level of the system. To do this, add the privilege to the role using the Access Manager, then adjust the privilege setting on the Access of Role to Object record for the role and class.
The following example shows a set of privileges configured for the HRApps:Manager role. Users with the HRApps:Manager role on their access group can use any rule that requires one of the listed privileges.
To view the set of privileges granted to a role, select the role and class. To add a privilege to a role, add the privilege to the table.
Tip: The Access Manager filters the class list to display either case types or data types. Under Type of class, select either Case Type or Data Type to switch between a list of case types and a list of data types.
By default, the Access Manager lists privileges applied to the selected class. To view inherited privileges, select Show inherited privileges to display the privileges inherited from parent classes. For example, you can define privileges in the class group to extend to all case types in your application. These privileges are not displayed in the Access Manager unless you select Show inherited privileges.
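The resolution described above (a rule that requires a privilege, roles on an access group that grant, deny or conditionally grant it per class, production-level settings, and settings inherited from parent classes) is easier to reason about as a small model. The following Python block is an added example written for this page; it is not Pega's implementation and it does not reproduce Pega's actual rule resolution. The class names, the HRApps:User role, and the privileges BulkApprove and ApproveExpense are hypothetical; RuleObjFlowAction:pyCascadingApprove and HRApps:Manager are the names used on this page. Two labelled assumptions shape the model: a privilege setting is a production-level threshold from 0 (deny) to 5 (grant everywhere), and a grant from any one role on the access group is enough.

```python
"""Toy model of how a Pega-style privilege check resolves at run time.

Added illustration for this page, not Pega code.  It models a rule that
names a required privilege, Access of Role to Object records that grant,
deny or conditionally grant that privilege per class, production-level
thresholds, and inheritance of settings from parent classes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Constructed class hierarchy (child -> parent).  Hypothetical names.
CLASS_PARENTS: Dict[str, str] = {
    "HRApps-Work-Leave": "HRApps-Work",
    "HRApps-Work-Expense": "HRApps-Work",
    "HRApps-Work": "Work-",
}

# Privilege named on this page; the flow action that references it requires it.
CASCADE = "RuleObjFlowAction:pyCascadingApprove"

# An Access When is modelled as a predicate over the request context.
AccessWhen = Callable[[dict], bool]


@dataclass
class PrivilegeSetting:
    """One privilege setting on an Access of Role to Object record.

    Assumption: `level` is a production-level threshold 0..5; 0 is an
    explicit deny, 5 grants on every system, N grants only while the
    system production level is <= N.  `when` is an optional Access When
    that must also hold for a conditional grant.
    """
    level: int
    when: Optional[AccessWhen] = None


# (role, applies-to class) -> {privilege name: setting}
RoleToObject = Dict[Tuple[str, str], Dict[str, PrivilegeSetting]]


def class_chain(cls: str) -> Iterator[str]:
    """Yield cls, then each ancestor, in lookup order."""
    while cls:
        yield cls
        cls = CLASS_PARENTS.get(cls, "")


def role_grants(records: RoleToObject, role: str, cls: str, privilege: str,
                production_level: int, ctx: dict) -> bool:
    """One role's decision: the nearest class that mentions the privilege wins.

    A privilege that no record on the chain mentions is denied, since
    privileges are grant-only by default.
    """
    for c in class_chain(cls):
        setting = records.get((role, c), {}).get(privilege)
        if setting is None:
            continue
        if setting.level == 0:                 # explicit deny
            return False
        if production_level > setting.level:   # not granted at this level
            return False
        if setting.when is not None and not setting.when(ctx):
            return False                       # conditional grant failed
        return True
    return False


def user_has_privilege(records: RoleToObject, access_group_roles: List[str],
                       cls: str, privilege: str, production_level: int,
                       ctx: Optional[dict] = None) -> bool:
    """The check a rule performs before letting the user use it.

    Assumption: roles on the access group are unioned, so a grant from any
    one role suffices and a deny in another role does not override it.
    """
    ctx = ctx or {}
    return any(role_grants(records, r, cls, privilege, production_level, ctx)
               for r in access_group_roles)


def list_privileges(records: RoleToObject, role: str, cls: str,
                    show_inherited: bool = False) -> Dict[str, str]:
    """Mirror the Access Manager view: privilege -> class it is defined on."""
    seen: Dict[str, str] = {}
    for c in (class_chain(cls) if show_inherited else [cls]):
        for name in records.get((role, c), {}):
            seen.setdefault(name, c)
    return seen


# Constructed Access of Role to Object records.
RECORDS: RoleToObject = {
    ("HRApps:Manager", "HRApps-Work"): {
        CASCADE: PrivilegeSetting(level=5),          # defined on the class group
    },
    ("HRApps:Manager", "HRApps-Work-Expense"): {
        "BulkApprove": PrivilegeSetting(level=3),    # only below production
        "ApproveExpense": PrivilegeSetting(          # conditional grant
            level=5,
            when=lambda c: c.get("user_dept") == c.get("requester_dept")),
    },
    ("HRApps:User", "HRApps-Work"): {
        CASCADE: PrivilegeSetting(level=0),          # explicit deny
    },
}

if __name__ == "__main__":
    print(user_has_privilege(RECORDS, ["HRApps:Manager"], "HRApps-Work-Leave", CASCADE, 5))
    print(list_privileges(RECORDS, "HRApps:Manager", "HRApps-Work-Leave"))
    print(list_privileges(RECORDS, "HRApps:Manager", "HRApps-Work-Leave", show_inherited=True))
```

The two `list_privileges` calls correspond to the Access Manager with and without Show inherited privileges selected: the Leave case type shows no privileges of its own, but inherits RuleObjFlowAction:pyCascadingApprove from the class group, which is exactly what the run-time check relies on.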