Permission inheritance and dependent roles
Like any other Rule Type in Pega Platform™, permissions that are configured in a parent class are inherited by child classes. For example, permissions configured in the Work- class apply to instances of Work-Claim, Work-Claim-Boat, and Work-Claim-Boat-Service. However, there may be situations in which a small number of permissions vary between user roles. For example, certain users may need to run reports in one Case Type but not another. Pega Platform allows developers to simplify permission management by inheriting access control settings from parent classes, which allows you to override only the permissions that need customization while keeping all other permission settings in their default configuration.
Default Access Roles
When creating a new application, Pega Platform creates Access Roles for administrators, authors, managers, and users. Each application-specific role inherits permissions from a standard Access Role provided as part of core Pega Platform functionality. The standard Access Role from which permissions are inherited is called a dependent role.
Dependent roles allow you to customize access control for use cases that require specific permissions while otherwise retaining permissions inherited from a standard Access Role. The use of dependent roles helps to standardize permissions across applications and improves the maintainability of the access control model.
Standard Access Roles
By default, Access Role Name records reference at least one standard Access Role as a dependent role. For example, the <ApplicationName>:Author role created for an application is based on the standard PegaRULES:SysAdm4 role, which lists the default access control settings for application developers.
Some of the standard Access Roles provided with Pega Platform are listed in the following table:
Access Role name | Purpose |
---|---|
PegaRULES:SysAdm4 | Developer with full capabilities |
PegaRULES:User1 | Application user with limited capabilities who may not perform Assignments on Worklists other than their own |
PegaRULES:User4 | User with broader capabilities who may open any work object in the application but perform Assignments only on their own Worklist |
PegaRULES:WorkMgr4 | Work manager with full capabilities that can view and update delegated Rules |
PegaRULES:SysArch4 | For a business analyst or system architect who defines Processes, classes, and properties and who may develop activities |
Note: To learn more about the other Access Role names, see Standard Access Roles.
Permissions configured on an Access Role name record override any permissions configured for all dependent roles. To view the dependent roles applied to an Access Role, click Manage dependent roles on the Access Role name record.
Note: If permissions for a class vary between dependent roles, the order of the roles in the dependent roles list is relevant. Access checking stops once a relevant Access of Role to Object instance in that list explicitly denies or grants access.
Customization of Access Roles based on dependent roles
To build for reusability and change, start with the default permissions of an Access Role and only customize permissions where you need them. Pega Platform allows you to customize an Access Role based on one or more dependent roles.
To customize a small number of classes for an Access Role, customize the Access of Role to Object (ARO) records at the appropriate class level in your application hierarchy.
Caution: Configuring an ARO at the application level overrides the corresponding ARO for the dependent role, and any change to the ARO for the dependent role is ignored.
When configuring an Access Role, determine the actions and classes for which you need to customize permissions. Next, decide if you can use the default permissions configured in a standard Access Role. If so, no further customization is necessary. However, if you need to customize any permissions, customize the ARO record at the appropriate class level.
For example, if requirements state that Auditors must have view-only access to Case Types and their child Cases in the Work-Claims-Auto and Work-Claims-Boat classes, you configure the ARO on the Work-Claims class.
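The lookup rules above can be modelled in a few lines to review which ARO decides a given request. This is an added example, not Pega Platform code: the role names other than PegaRULES:User4, the action names, and all settings are constructed, and the order in which class inheritance and dependent roles are combined is an assumption of the model.

```python
# Simplified model of the lookup described above; not Pega Platform code.
# Assumption: at each class the role's own ARO is consulted before its
# dependent roles, and only then does the search move to the parent class.

# Constructed sample data. Role names other than PegaRULES:User4 are
# hypothetical, and the settings shown are not the shipped defaults.
AROS = {
    ("PegaRULES:User4", "Work-"): {"open": True, "modify": True, "run_reports": True},
    ("Claims:Auditor", "Work-Claims"): {"open": True, "modify": False},
    ("Claims:ReadOnly", "Work-"): {"modify": False},
}
DEPENDENTS = {  # order matters: the first explicit grant or deny wins
    "Claims:Auditor": ["PegaRULES:User4"],
    "Claims:Mixed": ["Claims:ReadOnly", "PegaRULES:User4"],
}

def class_chain(cls):
    """Work-Claims-Boat -> ['Work-Claims-Boat', 'Work-Claims', 'Work-']."""
    parts = cls.rstrip("-").split("-")
    chain = ["-".join(parts[:i]) for i in range(len(parts), 1, -1)]
    return chain + [parts[0] + "-"]

def check_role(role, cls, action, seen=()):
    """Return (allowed, deciding ARO) for one class, or None if nothing is explicit."""
    if role in seen:  # guard against a dependency cycle
        return None
    setting = AROS.get((role, cls), {}).get(action)
    if setting is not None:
        return setting, f"{role}@{cls}"
    for dep in DEPENDENTS.get(role, []):
        decision = check_role(dep, cls, action, seen + (role,))
        if decision is not None:
            return decision
    return None

def resolve(role, cls, action):
    """Walk from the most specific class upward; no explicit setting means no access."""
    for c in class_chain(cls):
        decision = check_role(role, c, action)
        if decision is not None:
            return decision
    return False, "no matching ARO"

if __name__ == "__main__":
    for query in [("Claims:Auditor", "Work-Claims-Boat", "modify"),
                  ("Claims:Auditor", "Work-Claims-Auto", "run_reports"),
                  ("Claims:Mixed", "Work-Claims", "modify")]:
        print(query, "->", resolve(*query))
```

The second query shows why an override should be reviewed together with its dependent roles: the Auditor ARO on Work-Claims says nothing about reports, so in this model the dependent role's setting on Work- still applies.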