Securing work queues and attachments
Securing work queues and attachments
The Access Manager allows you to configure and manage access control settings for many of the elements of an application. Security for two application elements cannot be configured in the Access Manager: work queues and attachment categories.
Access control for work queues
In Pega, access control for work queues is role-based. By default, any user who can access a work queue can perform an assignment in the work queue. To control whether users can perform assignments in a specific work queue, you apply one or more roles to it. When you apply a role to a work queue, only users assigned to a listed role may retrieve an assignment from the work queue.
For example, the standard work queue firstname.lastname@example.org lists three roles. A user must be assigned the PegaRULES:ProArch4, PegaRULES:Batch, or PegaRULES:Basics role to perform an assignment in the email@example.com work queue.
Note: Pega uses the firstname.lastname@example.org work queue as a last resort for routing. Pega routes assignments to the email@example.com work queue when no other more specific or local work queue can be found.
To apply a role to a work queue, enter or select the role in the Roles section on the Work queue tab of the work queue record.
Note: Do not confuse access control with skill-based routing. You prevent users from performing specific assignments through the use of skill-based routing. In access control, you assign a role to a work queue to prevent unauthorized users from performing any assignment in the work queue.
Access control for attachments
Pega provides two levels of access control for attachments. You apply a privilege or when condition to an attachment category to allow or deny attachment actions to users. You enable attachment level security to restrict access to the attachment itself.
Attachment category access control
Use a privilege or when condition to control access to an attachment category. When you add the privilege, select the actions to allow if the user has the privilege. For each when condition, select the actions to allow if the condition is true.
Note: Configure access control for an attachment category using a When rule, not an Access When rule.
Users can perform an action on attachments in the category if they have at least one of the required privileges, and all of the when conditions for the action are true. Consider the following configuration for an attachment category.
|Access control list by privilege|
|Privilege||Create||Edit||View||Delete own||Delete any|
|Access control list by When Rule|
|When||Create||Edit||View||Delete own||Delete any|
For this attachment category, the following conditions hold:
- Users can delete any attachment if they have either the DeleteOthers or AdministerWorkQueue privilege.
- Users can delete their own attachment if they have either the DeleteOwn or AdministerWorkQueue privilege.
- Users can create, edit, or view an attachment if the IsCurrentStageSubmit when rule returns a true result.
Caution: If you use a When rule to control access to a category, deselecting an action is not sufficient to deny access to the action. In the previous example, the when rule IsCurrentStageSubmit is insufficient to prohibit users from deleting an attachment if the condition returns a value of false.
Tip: You can use the standard when rule Never to create an always-false condition to deny an action to users.
Attachment-level access control
Configure attachment-level access control to allow users to determine who can access a specific attachment within the category. When users add an attachment to the category, they identify one or more work groups to which access to the attachment is allowed.
To enable attachment-level access control, select the Enable attachment-level security check box on the Security tab of the Attachment category record.