
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Access Group's Roles not evaluated properly

SA-41067

Summary



The Access Group's roles are not evaluated properly when multiple roles are listed in the access group.

This causes a security issue: users who should not have access to certain classes gain unauthorized access.


Error Messages



Not applicable


Steps to Reproduce



1. Create a class that contains an access condition (AAA-BBB-CCC-Work-AdvancedTask).
2. Create two operators, user4 and user5.
3. Create an Access Role that grants no access to the new class (all R/W/D values set to zero).
4. Configure User4 to include two access roles: PegaRULES:User4 and App:LimitedUser.
5. Configure User5 to include only one role, AApp:LimitedUser5 (a clone of PegaRULES:User4), plus limited access to AdvancedTask (the same as in role App:LimitedUser).

It is expected that the two users, User4 and User5, have identical access, that is, neither user should have access to AdvancedTask (AAA-BBB-CCC-Work-AdvancedTask). However, User4 HAS access to AdvancedTask (unexpected behavior).


Root Cause



An issue in the custom application code or rules:

When access controls are evaluated, the system ORs the results across the roles listed in the access group: if any one role grants access, the system treats the result as 'Allow', even if another role denies it.

In the user's scenario, 'App:LimitedUser' denies access and PegaRULES:User4 grants it.

Hence the user got access. Work- is evaluated in this scenario because the current class has no Rule-Access-Role-Obj (RARO) instances in "PegaRULES:User4", so the nearest ancestor class is picked for evaluation.


Resolution



Here is the explanation for the reported behavior:

Use a 'RADO' (Rule-Access-Deny-Obj) instead of a 'RARO' (Rule-Access-Role-Obj) to deny access. A RARO with all values set to zero is still only one 'Allow' vote among the OR'd roles, whereas an Access Deny rule is what actually removes the access.
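The OR-evaluation and nearest-ancestor fallback described under Root Cause, together with the RADO fix above, as an added Python model (this is illustration code, not Pega's access engine; the collapsed class hierarchy, the RARO contents of each role and the way a RADO is checked along the lineage are constructed assumptions):

```python
from dataclasses import dataclass, field

ADVANCED_TASK = "AAA-BBB-CCC-Work-AdvancedTask"
# Constructed, simplified hierarchy: intermediate pattern-inheritance classes
# are collapsed so the chain reaches Work- as the article describes.
PARENT = {ADVANCED_TASK: "AAA-BBB-CCC-Work", "AAA-BBB-CCC-Work": "Work-", "Work-": None}

@dataclass
class Role:
    name: str
    raro: dict = field(default_factory=dict)  # class -> True (R/W/D granted) / False (RARO present, all zero)
    rado: set = field(default_factory=set)    # classes this role explicitly denies (Rule-Access-Deny-Obj)

def lineage(cls):
    """Yield cls, then each ancestor, most specific first."""
    while cls is not None:
        yield cls
        cls = PARENT.get(cls)

def role_grants(role, cls):
    """A role's answer comes from the nearest class in the lineage that has a RARO."""
    for c in lineage(cls):
        if c in role.raro:
            return role.raro[c]
    return False

def access_group_allows(roles, cls):
    """Roles are OR'd: one granting RARO is enough, unless some role carries a RADO
    for the class (or, in this model, an ancestor), which wins outright."""
    if any(c in role.rado for role in roles for c in lineage(cls)):
        return False
    return any(role_grants(role, cls) for role in roles)

# Roles from the article. PegaRULES:User4 has no RARO on the new class, only on Work-.
PEGARULES_USER4 = Role("PegaRULES:User4", raro={"Work-": True})
APP_LIMITED_USER = Role("App:LimitedUser", raro={ADVANCED_TASK: False})
AAPP_LIMITED_USER5 = Role("AApp:LimitedUser5", raro={"Work-": True, ADVANCED_TASK: False})
# Resolution: deny with a RADO instead of a zero-valued RARO.
APP_LIMITED_USER_RADO = Role("App:LimitedUser", rado={ADVANCED_TASK})
USER4_ROLES = [PEGARULES_USER4, APP_LIMITED_USER]
USER5_ROLES = [AAPP_LIMITED_USER5]
USER4_FIXED_ROLES = [PEGARULES_USER4, APP_LIMITED_USER_RADO]

def evaluate_scenario():
    return {"User4": access_group_allows(USER4_ROLES, ADVANCED_TASK),
            "User5": access_group_allows(USER5_ROLES, ADVANCED_TASK),
            "User4 with RADO": access_group_allows(USER4_FIXED_ROLES, ADVANCED_TASK)}

if __name__ == "__main__":
    print(evaluate_scenario())  # {'User4': True, 'User5': False, 'User4 with RADO': False}
```

User4 is allowed only because PegaRULES:User4 falls back to its Work- RARO and that grant ORs over the zero-valued RARO; replacing the zero-valued RARO with a RADO closes the gap.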


Published March 12, 2018 - Updated October 8, 2020
