|
|
Access of Role to Object rulesCreate an Access of Role to Object rule by selecting Access of Role to Object from the Security category.
An Access of Role to Object rule has two key parts. Each rule links an access role and a class:
|
Enter a RuleSet name, for the Export Archive tool use. This RuleSet name does not affect rule resolution processing.
For general information on the New form, see Completing the new rule dialog box. For general information on the Save As form, see How to enter rule keys using Save As.
How the system locates rules at runtime
When searching for an Access of Role to Object rule, the system first looks for an exact match on both key parts — Role Name and Access Class. If none is found, the system uses pattern inheritance and directed inheritance (following the approach used by rule resolution) on the Access Class key part to attempt to locate a rule.
For standard access roles such as PegaRULES:SysArch4 or PegaRULES:User4, PRPC includes corresponding standard Access of Role to Object rules, including a rule for @baseclass. If you create access roles, be sure to create a last-resort Access of Role to Object rule at @baseclass for that access role, so that the class inheritance search always ends successfully.
However, access of Role to Object rules are not subject to rule resolution on the Role Name field, and affect all users on a system. As a best practice to avoid confusion and difficult-to-debug security configurations, place each Access of Role to Object rule in the same RuleSet as the RuleSet of the Access Class — the second key part.
Rule resolution
Rule resolution does not apply to Access of Role to Object rules. Your system can contain at most one Access of Role to Object rule for each Applies To class and Role Name combination. Stated another way, you can't override Access or Role to Object rules.
About Access of Role to Object rules