
Access of Role to Object form
Completing the Security tab


Use Access Manager to grant authorization instead of working directly with the fields in this tab. Access Manager simplifies the process and updates your Access of Role to Object rules. In Access Manager, when you modify the access level, the system updates this form, or creates a new form with the changes.

| Access Manager change | Access of Role to Object form change |
|---|---|
| Full access | Access Control level to instances of the case type is set to 5. |
| No access | Access Control level to instances of the case type is set to 0. |
| Conditional access | The specified Access-When rule is entered in the Access Control field; the condition must be met in order to perform the operation on instances of the case type. |

In Designer Studio, click Designer Studio > Org & Security > Access Manager. See Access Manager — Authorizing Work & Process items for more information.

Working directly with the Access of Role to Object form

If you choose to edit this form directly instead of using Access Manager: For each of the categories, you can enter an Access When rule name, or a numeric value between 0 and 5.

Enter 0 or leave blank to prohibit all access. Enter a value between 1 and 5 to provide access. If, at runtime, the production level of your Pega Platform system is not greater than the numeric value, then users with the specified access role can perform the operation on objects in the access class. If an Access When rule evaluates to True at runtime, the users with the specified access role can perform the operation.

For example, assume the key to this instance in the Purchasing application is Purchasing:Supervisor.Data-Customer, the production level of the system is 3, and the value in the Open Instances field is 4. Because the production level (3) is not greater than the field value (4), users with the Supervisor role can open instances of the Data-Customer class.

If the same Access of Role to Object rule instance is present on a system with a production level of 5, the production level is greater than the field value, so a user with the Supervisor role cannot open instances of the Data-Customer class.
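The comparison described above can be modeled in a few lines to review which settings stop granting access as a rule moves to a higher production level. This is an added example, not Pega Platform code: it covers only the single-field evaluation on this page, assumes production levels run from 1 to 5, and the names `is_allowed`, `audit`, `SAMPLE_RULE` and the Access When name `IsAccountOwner` are hypothetical.

```python
from typing import Callable, Dict, List, Optional, Union

# Security tab categories, in the order the page lists them.
CATEGORIES = ("Open Instances", "Modify Instances", "Delete Instances", "Run Reports",
              "Execute Activities", "Open Rules", "Modify Rules", "Delete Rules")

def is_allowed(field_value: Optional[str], production_level: int,
               access_when: Optional[Dict[str, Callable[[], bool]]] = None) -> bool:
    """Evaluate one Security tab field as the page describes it."""
    value = (field_value or "").strip()
    if not value:
        return False                      # blank prohibits all access
    if value.isdigit():
        level = int(value)
        if level > 5:
            raise ValueError(f"level must be 0-5, got {level}")
        # 0 prohibits; 1-5 grant when the production level is not greater.
        return level != 0 and production_level <= level
    # Otherwise the value names an Access When rule. Assumption of this
    # sketch: a name that cannot be resolved denies access (fail closed).
    condition = (access_when or {}).get(value)
    return bool(condition()) if condition else False

def audit(rule: Dict[str, str]) -> Dict[str, Union[List[int], str]]:
    """Per category: production levels (1-5) that grant, or the Access When name."""
    report: Dict[str, Union[List[int], str]] = {}
    for category in CATEGORIES:
        value = (rule.get(category) or "").strip()
        if value and not value.isdigit():
            report[category] = value      # conditional, decided at runtime
        else:
            report[category] = [lvl for lvl in range(1, 6) if is_allowed(value, lvl)]
    return report

# Constructed sample for Purchasing:Supervisor.Data-Customer. Only the
# Open Instances value (4) comes from the page; IsAccountOwner is hypothetical.
SAMPLE_RULE = {"Open Instances": "4", "Modify Instances": "IsAccountOwner",
               "Delete Instances": "0", "Run Reports": "5"}

if __name__ == "__main__":
    for category, result in audit(SAMPLE_RULE).items():
        print(f"{category:20} {result}")
```

A numeric value below 5 grants access on lower-level systems only, so behavior tested on a level 3 system does not carry over to a level 5 system unless the field holds 5 or an Access When rule.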

The first four categories are needed to operate on instances. Execute Activities controls access to running activities in this class. The Open, Modify, and Delete Rules settings are usually needed only by application developers.

The production level of the system is shown on the System form.

Field

Description

Open Instances

Optional. This determines whether holders of the access role identified as the first key part of this rule can open instances of the class identified as the Access Class key part of the rule to open.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

If you enter a name, the system uses the Access Class key part of the rule to open, and class inheritance, to find the Access When rule.

Modify Instances

Optional. This determines whether holders of the access role identified as the first key part of this rule can save new or modified instances of the class identified as the second key part of the rule to be saved.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

If you enter a name, the system uses the Access Class key part of the rule to be saved, and class inheritance, to find the Access When rule.

Delete Instances

Optional. This determines whether holders of the access role identified as the first key part of this rule can delete instances of the class identified as the second key part of the rule to be deleted.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

If you enter a name, the system uses the Access Class key part of the page passed in to the Delete method. This is usually, but not necessarily, the entire page. It is possible to pass to the Delete method a page containing only the keys of the instance to be deleted.

Run Reports

Optional. This determines whether holders of the access role identified as the first key part of this rule can run reports against the class being reported on or listed.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

The message:

You are not authorized to run this view.

indicates that a user lacks the capability provided by this field.

Execute Activities

Optional. This determines whether holders of the access role identified as the first key part of this rule can execute activities with an applies to class identified as the second key part of this rule.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

If you enter a name, the system uses the class of the primary page at runtime to locate an Access When rule.

Open Rules

Optional. This determines whether holders of the access role identified as the first key part of this rule can open rules with the class as a key part.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

If you enter a name, the system uses the class of the primary page at runtime to locate an Access When rule. As a best practice, create the Access When rule in the Rule- base class.

Modify Rules

Optional. This determines whether holders of the access role can save new or modified rules with the class as a key part.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

If you enter a name, the system uses the class of the primary page at runtime to locate an Access When rule. As a best practice, create the Access When rule in the Rule- base class.

Delete Rules

Optional. This determines whether holders of the access role can delete rules with the class as a key part.

Enter the When Name key part of an Access When rule, or a level value between 1 and 5.

If you enter a name, the system uses the class of the primary page at runtime to locate an Access When rule. As a best practice, create the Access When rule in the Rule- base class.

About Access of Role to Object rules