Adding a role to an access group
You can assign access roles to an access group so that users who belong to the access group have a consistent set of functions available to them.
- To add or remove roles from an access group, you must have the pzCanAlterRoles privilege, which is included in the PegaRULES:SecurityAdministrator role.
- Before adding a role to an access group, complete the following task: Creating an access group.
Create an access group, or open an existing one by selecting an instance from the navigation panel.
Click the Definition tab.
Select Stop access checking once a relevant Access of Role to Object instance explicitly denies or grants access if you want the system to stop searching as soon as an access role is found with a relevant Access of Role to Object rule. Clear this check box to use all roles.
In the Available roles section, enter the access roles that apply to operators and other requestors that use this access group.
In the role field, press the Down Arrow key and select a role.
The following examples show the Pega-supplied roles. In your environment, use the roles that you have created.
- If you have not selected Stop access checking once a relevant Access of Role to Object instance explicitly denies or grants access, the order is not relevant; the access roles available to a user act as a collection of capabilities granted, and not as a hierarchy.
- Enter access roles that are consistent with the values that you enter in the Portals field.
- For non-developer workers and work managers using an application, a best practice is to create and use custom access roles that define the capabilities of the role by using Access of Role to Object rules. Pega Platform comes with one standard role for users and one for managers, but your application will probably have multiple different roles for users, managers, and others.
- The PegaRULES:ProArch4 role is supported but deprecated. Do not use this role for new development.
- For workers, use PegaRULES:User4.
- For work managers, use PegaRULES:WorkMgr4.
- For business analysts, use PegaRULES:SysArch4.
- For developers and designers, use PegaRULES:SysAdm4.
To add more access roles, click Add role and select a role.
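The effect of the Stop access checking check box on role order, as an added example that is not Pega Platform code: a simplified model in which each role explicitly grants, explicitly denies, or has no relevant rule for a class and action. The role names, class names, and the `ROLE_RULES` structure are hypothetical.

```python
# Simplified model (an assumption, not Pega Platform code): each access role maps
# (access class, action) to True (explicit grant) or False (explicit deny).
# A missing key means the role has no relevant Access of Role to Object rule.
# Role and class names below are hypothetical.
ROLE_RULES = {
    "MyApp:ReadOnlyAuditor": {("MyApp-Work-Claim", "modify"): False,
                              ("MyApp-Work-Claim", "open"): True},
    "MyApp:CaseWorker": {("MyApp-Work-Claim", "modify"): True,
                         ("MyApp-Work-Claim", "open"): True},
    "MyApp:Reporting": {("MyApp-Data-Report", "open"): True},
}


def is_allowed(roles, access_class, action, stop_on_first_match):
    """Evaluate an ordered role list the two ways the check box describes."""
    granted = False
    for role in roles:
        decision = ROLE_RULES.get(role, {}).get((access_class, action))
        if decision is None:
            continue  # no relevant rule in this role; keep searching
        if stop_on_first_match:
            return decision  # first explicit grant or deny ends the search
        granted = granted or decision  # all roles: any grant is enough
    return granted


def order_sensitive(roles, stop_on_first_match):
    """Return the (class, action) pairs whose result changes if the list is reversed."""
    pairs = {key for role in roles for key in ROLE_RULES.get(role, {})}
    return sorted(
        pair for pair in pairs
        if is_allowed(roles, *pair, stop_on_first_match)
        != is_allowed(list(reversed(roles)), *pair, stop_on_first_match)
    )


if __name__ == "__main__":
    group = ["MyApp:ReadOnlyAuditor", "MyApp:CaseWorker", "MyApp:Reporting"]
    for stop in (False, True):
        print("stop on first match:", stop)
        print("  modify claim:", is_allowed(group, "MyApp-Work-Claim", "modify", stop))
        print("  order-sensitive:", order_sensitive(group, stop))
```

Running a check like `order_sensitive` over a planned role list before selecting the check box shows which permissions will start to depend on the position of a role in the list.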
- Learning about access groups
An access group is a group of permissions within an application. Pega Platform uses these permissions for operators, external system access, and background processes. You define an access group for operators who have similar responsibilities. For example, most applications allow case managers to do actions that are different from the actions of regular operators, so case managers and regular operators belong to different access groups.
- Granting portal access to an access group
Associate a portal with an access group to control which workspaces or web channels are available to users while they work in your application.
- Controlling role evaluation for access groups
Typically, when the system determines a user's access rights to a class, it searches Access of Role to Object (Rule-Access-Role-Obj) rules for all of the access roles listed in the operator’s access group. Access is granted if any of these access roles permit it. You can, instead, control how many access roles are searched and the order in which they are searched.
- Managing access roles
An access role rule defines a name for a role, and represents a set of capabilities. To deliver these capabilities to users, you reference the access role name in other rule types to assign the access role to users and to provide, or restrict, access to certain classes.
- Understanding Access of Role to Object rules
Access of Role to Object rules specify permissions that are granted to a role and access class. These permissions restrict what developers and operators can do with rule and data instances. An Access of Role to Object rule applies to all instances of its access class.