Restricting Parse Structured rule execution
Use the Security tab on the Parse Structured rule form to specify an activity type, and optionally to restrict which users (or other requestors) can execute a rule. This optional security supplants restrictions based on ruleset and version.
The Security tab on the Parse Structured rule form is similar to the Security tab on the Activity rule form. You can specify zero, one, or more than one privilege to restrict access. Order is not significant. At run time, any match between the listed privileges and those that a user possesses will allow users to execute this rule.
In the navigation pane of Dev Studio, click Records.
Expand the Integration-Mapping category, and then click Parse Structured.
In the list of Parse Structured instances, select the instance for which you want to configure the Security tab.
Click the Security tab.
On the Security tab, in the Restrict access section, complete the following fields to define the security requirements:
To allow users to start this activity directly through user input processing, such as by clicking a Submit button, or through a pyActivity= element in a URL, select the Allow direct invocation from the client or a service check box. Select the check box for a service activity, or if this activity is called by an AJAX event from a form. Clear the check box if this rule is to be started only from another activity, through a Call, Branch, or other means.
If you clear the check box, and at run time a user attempts to start this rule by user input, the rule does not run and returns a method status of Fail:Security. For most activities, leave this check box clear to promote the security of your application. Unless needed by your design, allowing these activities to be started from a URL or other user input (whether the requestor is authenticated or a guest) might let users bypass important checking, security, or setup.
To require that only authenticated requestors can start this activity, select Require authentication to run. Clear this check box to allow guest users to run this rule if they meet other security and access criteria. Guest users are unauthenticated requestors and typically have access to rules only in the rulesets provided in the PRPC:Unauthenticated access group, as referenced in the Requestor type instance named pega.BROWSER. If you update the BROWSER requestor type to reference a different access group, or update the PegaRULES:Unauthenticated access group to make additional rulesets available to unauthenticated users, review this check box for each activity in the rulesets. Select this check box for all activities, except activities that guests run.
In most cases, clear this check box if the activity is for an agent. Agents are not true authenticated users and by default cannot run activities that are restricted to authenticated users. However, this check box is ignored by agents for which you select the Bypass activity authentication check box on the Security tab of the Agent rule form; such agents can run activities regardless of the Require authentication to run value.
In the Privilege Class field, identify the Applies To key part of a class to use at run time if you want to locate a privilege rule. Normally, this is the same as the Applies To key part of this activity.
In the Privilege Name field, identify the name for a privilege in that class (or an ancestor class). The class that you enter and the name must together identify a privilege (using rule resolution, including class inheritance). Identify privileges in this array to restrict which users and other requestors can execute this activity. The execution of the activity fails at run time if the user does not possess an access role that provides access to one of the identified privileges through an Access of Role to Object rule.
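The Restrict access settings described above combine into a single run-time decision. The following Python model is an added example, not Pega code: it encodes the rules as this page states them and uses them to list which rules in an inventory a guest could start from the client. The field names, the order of the checks, the `denied:*` labels, and the rule and privilege names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class RuleSecurity:
    """Security tab settings of one rule; field names are hypothetical."""
    name: str
    allow_direct_invocation: bool = False
    require_authentication: bool = True
    privileges: frozenset = frozenset()  # empty: no privilege restriction

@dataclass
class Requestor:
    authenticated: bool
    privileges: frozenset = frozenset()
    is_agent: bool = False
    bypass_activity_authentication: bool = False  # Agent rule form setting

def evaluate(rule, req, from_client):
    """Return 'allowed' or the reason the rule does not run."""
    # Starting from user input or a URL needs direct invocation selected.
    if from_client and not rule.allow_direct_invocation:
        return "Fail:Security"
    if rule.require_authentication and not req.authenticated:
        # Agents with the bypass setting ignore the authentication check box.
        if not (req.is_agent and req.bypass_activity_authentication):
            return "denied:authentication"  # label constructed for this model
    # Order is not significant: one shared privilege is enough.
    if rule.privileges and not (rule.privileges & req.privileges):
        return "denied:privilege"  # label constructed for this model
    return "allowed"

def guest_reachable(rules):
    """Names of rules an unauthenticated guest could start from the client."""
    guest = Requestor(authenticated=False)
    return [r.name for r in rules if evaluate(r, guest, True) == "allowed"]

# Constructed inventory; rule and privilege names are made up.
INVENTORY = [
    RuleSecurity("ParseOrderXML"),
    RuleSecurity("ParsePublicFeed", allow_direct_invocation=True,
                 require_authentication=False),
    RuleSecurity("ParseClaimData", allow_direct_invocation=True,
                 privileges=frozenset({"ClaimsImport", "ClaimsAdmin"})),
]

if __name__ == "__main__":
    for name in guest_reachable(INVENTORY):
        print("review: guest can start", name, "from a URL or form")
```

Rules that `guest_reachable` reports are the ones to re-check whenever the unauthenticated access group gains rulesets.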
In the Activity type section, in the Type list, determine whether and how this activity can be referenced in other rules. For an activity that is not to be referenced in a flow rule, choose one of the following values:
The Locate activity type is not supported. Existing activities that use locatable pages display this option. New activities do not.
- Activity – Select this option when no more specific value is applicable. Activities with this value cannot be referenced directly in flows. (Select Activity for this field on Parse Structured forms.)
- Onchange – Select this option for an activity to be executed automatically by a Declare Onchange rule. Such activities must not use any methods that directly change the properties or the database.
Declare Expression rules do not evaluate during the execution of an Onchange activity. Onchange activities must not perform any forward chaining themselves.
- LoadDeclarativePage – Select this option for an activity that adds values to data pages. Reference this activity on the Definition tab of a data page rule (Rule-Declare-Pages rule type). For more information, see Creating a data page.
- Trigger – Select this option for an activity to be executed automatically by a Declare Trigger rule. Because triggered activities run during database commits, they cannot themselves commit database transactions.
If the class of the activity inherits from the Work- base class and you designed and implemented the activity to be referenced in a flow rule shape, in the Type list, select one of the following types:
For more information, see How to create activities for use in flows. Do not choose Validate or Assembly for this field.
- Notify – Choose this option for a notification activity. For example, a notify activity can send an email message to someone conveying news of an assignment.
- Rule Connect – Choose this option for an activity that operates without user interaction and calls a connector rule to interface with an external system.
- Assign – Choose this option for an assignment activity, one that creates an assignment.
- Route – Choose this option for a router activity, one that determines which user worklist or work queue is to receive an assignment.
- Utility – Choose this option for a utility activity, one that automates processing without user interaction.