Privilege inheritance for access roles



Privilege inheritance simplifies the process of defining privileges and access settings that are relevant in multiple classes.

When determining a user’s access rights to a class, Pega Platform searches for Access of Role to Object (Rule-Access-Role-Obj) rules that are relevant to the target class and to the access roles listed in the user’s access group, and considers the privileges and access settings granted or denied in those rules.

Privilege inheritance lets you define access rights within a class hierarchy more easily and economically. When privilege inheritance is enabled within an access role, the search for relevant Access of Role to Object rules begins with the target class where access is requested. If no relevant rule is found that grants or denies access for the role, the search continues for relevant Access of Role to Object rules in the parent class, and continues up the class hierarchy until a relevant rule is found.

Privilege inheritance lets you avoid having to define Access of Role to Object rules at multiple levels of a class hierarchy when the privileges and access settings for a class are the same at multiple levels.

The Inherit privileges within class hierarchy option on a role determines whether privilege inheritance is enabled for that role.


As a security administrator, you need to restrict user access to a feature called NewJob.

To simplify this process, you can:

  1. Set up the Work-HRApps-NewJob rule so that it is protected by a privilege.
  2. For the HRApps:Users access role, enable the Inherit privileges within class hierarchy option on the Access Role rule form.

When a user attempts to create a New Job case, the system begins by checking the current class for a valid value for that privilege for that user. In other words, the system looks for a valid instance of the Access of Role to Object rule for the privilege.

A valid Access of Role to Object rule instance specifies the privilege with a non-blank access value. The access value determines whether or not the user is granted permission.

If a valid instance is not found in the current class, the system continues searching the class hierarchy until it finds a valid instance. If the search exhausts all possibilities without finding a valid instance, the user is not granted permission.
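The following added example is a simplified model of the search described above, not Pega Platform code. The parent map, the CreateNewJob privilege name, the HRApps:Auditors role, and the "allow"/"deny" access values are constructed assumptions; it returns the class whose rule decided the outcome, which is the detail to check when auditing why a role does or does not have a privilege.

```python
# Simplified model of privilege inheritance for one access role.
# All data below is constructed for illustration.

# Class hierarchy as child -> parent (assumed, not from a real application).
PARENT = {
    "Work-HRApps-NewJob": "Work-HRApps",
    "Work-HRApps": "Work-",
    "Work-": "@baseclass",
}

# Access of Role to Object entries: (role, class) -> {privilege: access value}.
# "allow"/"deny" stand in for real access values; "" models a blank value.
ARO = {
    ("HRApps:Users", "Work-HRApps-NewJob"): {"CreateNewJob": ""},
    ("HRApps:Users", "Work-HRApps"): {"CreateNewJob": "allow"},
    ("HRApps:Auditors", "Work-HRApps-NewJob"): {"CreateNewJob": "deny"},
    ("HRApps:Auditors", "Work-"): {"CreateNewJob": "allow"},
}


def resolve(role, target_class, privilege):
    """Walk up from target_class; return (granted, deciding_class)."""
    cls = target_class
    seen = set()  # guards against a cyclic parent map
    while cls is not None and cls not in seen:
        seen.add(cls)
        value = ARO.get((role, cls), {}).get(privilege, "")
        if value:
            # Non-blank value: a valid instance, so the search stops here
            # even if a parent class holds a different value.
            return value == "allow", cls
        # Blank or missing: not a valid instance, continue with the parent.
        cls = PARENT.get(cls)
    # Hierarchy exhausted without a valid instance: not granted.
    return False, None


if __name__ == "__main__":
    for role in ("HRApps:Users", "HRApps:Auditors", "HRApps:Guests"):
        print(role, resolve(role, "Work-HRApps-NewJob", "CreateNewJob"))
```

In this model, the blank value on Work-HRApps-NewJob does not block HRApps:Users, while the non-blank denying value on the same class stops the search for HRApps:Auditors before the granting rule on Work- is reached.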
