Discovery features for access control policies
Access control policies support discovery features that allow users to view limited, customizable information about class instances that fail read policies but satisfy discover policies. Users cannot open or interact with the discoverable instances, but they can see that the instances exist and they can evaluate whether they might need access to certain instances.
To make discovery features available to users, the pyIsDiscoveryEnabledForOperator Access When rule must evaluate to true. These features apply to instances of Work- and Data- classes when data is retrieved from the Pega database, but apply only to instances of Work- classes when data is retrieved from the search index.
The following Discovery gadgets, which are section rules, support discovery features:
- pxDiscoverableItems – This section displays discoverable instances for report definitions. By default, this section is included in the Report Viewer when it displays results for list reports. This section can be displayed in the results for summarized reports if you set the dynamic system setting DiscoverableItemsIncludedForSummaryReport to true. In the Report Viewer, this Discovery gadget shows only records that have the condition NotReadAndDiscover.
- pxDiscoverableSearchItems – This section displays discoverable class instances for search. By default, this section is included when search results are displayed.
A Discovery gadget is shown in the Report Viewer or in search when all of the following are true:
- Read policies are in force for at least one of the classes involved (either defined on the class or inherited by it), and there are policy conditions for those policies (the policy conditions do not have empty filter logic strings).
- Discover policies are in force for at least one of the classes that also have Read policies, and there are policy conditions for those policies.
- The number of instances that fail the Read policies but satisfy the Discover policies is greater than zero.
Each of the Discovery gadgets displays a link with the number of class instances for the report or search that fail read policies but meet discover policies for the user. Users can view a list of the discoverable instances by clicking the link. The information that is shown for these instances is determined by the pyDefaultDiscoverableReport report definition rule for a class.
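The following sketch is an added illustration, not Pega code. It models how one operator's result set splits into readable, discoverable, and hidden instances, and when the gadget link would appear. It assumes a single class, represents each policy condition as a Python predicate, and uses hypothetical `clearance`, `level`, and `region` attributes.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption: a policy condition is modelled as a predicate over (operator, instance).
# None stands for a policy with no conditions (empty filter logic string).
Condition = Optional[Callable[[dict, dict], bool]]

@dataclass
class ClassPolicies:
    read: Condition = None
    discover: Condition = None

def classify(operator, instances, policies):
    """Partition instances into (readable, discoverable, hidden) for one operator."""
    readable, discoverable, hidden = [], [], []
    for inst in instances:
        if policies.read is None or policies.read(operator, inst):
            readable.append(inst)
        elif policies.discover is not None and policies.discover(operator, inst):
            discoverable.append(inst)  # fails Read, satisfies Discover
        else:
            hidden.append(inst)        # fails both: not listed anywhere
    return readable, discoverable, hidden

def gadget_shown(operator, instances, policies, discovery_enabled):
    """Apply the operator gate plus the three display conditions listed above."""
    if not discovery_enabled:          # pyIsDiscoveryEnabledForOperator is false
        return False
    if policies.read is None or policies.discover is None:
        return False                   # Read or Discover policy not in force
    return len(classify(operator, instances, policies)[1]) > 0

# Constructed sample data: clearance levels and regions are hypothetical attributes.
OPERATOR = {"clearance": 2, "region": "EMEA"}
CASES = [
    {"id": "C-1", "level": 1, "region": "EMEA"},
    {"id": "C-2", "level": 3, "region": "EMEA"},
    {"id": "C-3", "level": 3, "region": "APAC"},
    {"id": "C-4", "level": 2, "region": "APAC"},
]
POLICIES = ClassPolicies(
    read=lambda op, c: op["clearance"] >= c["level"],
    discover=lambda op, c: op["region"] == c["region"],
)

if __name__ == "__main__":
    r, d, h = classify(OPERATOR, CASES, POLICIES)
    print("readable:", [c["id"] for c in r])
    print("discoverable:", [c["id"] for c in d])
    print("hidden:", [c["id"] for c in h])
    print("gadget shown:", gadget_shown(OPERATOR, CASES, POLICIES, True))
```

When reviewing a Discover policy, the discoverable bucket is the set to check: every instance in it has its existence, and whatever fields the class's pyDefaultDiscoverableReport returns, exposed to operators who fail the Read policy.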
Developers can customize these sections to change their labels and behavior. You can also include these sections in other parts of an application’s user interface. For example, you can include the pxDiscoverableItems section above a list control that is populated by a report definition.
- Attribute-based access control
You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application.
- Customization of Discovery gadgets
You can customize some of the information in the Discovery gadgets so that the information that you specify is displayed for users.
- Enabling discovery features for access control policies
Access control policies support discovery features that allow users to view limited, customizable information about class instances that fail Read policies but satisfy Discover policies. To enable these features for users, the pyIsDiscoveryEnabledForOperator Access When rule must evaluate to true. You can enable discovery features for all users of an application, or for particular operators.
- Adding a Discovery gadget to a customized user interface
A Discovery gadget enables users to view limited information about selected cases that they do not have Read authority to access. You can include the section rule for a Discovery gadget in any section of your user interface, such as in the layout of a customized search gadget, or above a list control that is populated by a report definition.