Assignment Flow action is available to user who has no access
The user has configured a process in which one of the assignments is routed to a different operator.
In the Review harness, the menu on the Actions button shows the current flow action even though the user is not eligible to access it.
The user can launch the flow even though the assignment is routed to a different operator.
The user can process the assignment by launching the flow from their Actions button, which should not be the case.
The issue occurs only when the user has a few OOTB roles added to the access group, such as PegaCLMFS:SS, PegaCLMFS:DataSynch, and PegaCLMFS:RequirementCollection.
STEPS TO REPRODUCE
1. In the Review harness, open any case that is in another user's worklist.
2. Go to Other actions. The user, who does not have access to this case, can see the current assignment's flow action.
3. Click the Actions button. Once the user clicks the Actions button, the user is able to perform the assignment, which should not be the case.
An issue in the custom application code or rules.
pyWorkActionsReview (the menu on the Actions button) has been customized on the user's end, and one of its item lists is populated from pyFlowActionList. This page retrieves all the flow action details related to the assignments.
The issue occurs because the user's custom role has the "canperform" privilege for the class Assign-, while the other roles, such as PegaCLMFS:SS, do not have any privilege specified.
Because nothing is specified there, those roles default to the base class setting, which is 5, and access is granted without evaluating the canperform Access When.
As per the user's requirement, the user wants to restrict the action.
To do so, the user must add the canperform privilege to the Access of Role to Object for the Assign-Worklist class in the other roles.
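The role evaluation described above can be checked with a small audit model. This is an added example, not Pega code or part of the original article: the role-to-class entries are constructed sample data, MyApp:User is a hypothetical name for the custom role, and the lookup is a simplified model of the behavior the article describes.

```python
# Simplified model of the evaluation described above; constructed data, not Pega code.
BASECLASS = "@baseclass"
ALWAYS = 5  # rating 5: granted outright, no Access When is consulted

def class_chain(cls):
    """Yield cls, then its pattern-inheritance parents, ending at @baseclass."""
    while cls != BASECLASS:
        yield cls
        stem = cls.rstrip("-")
        cls = stem.rsplit("-", 1)[0] + "-" if "-" in stem else BASECLASS
    yield BASECLASS

def effective_setting(role_entries, cls):
    """Return (class, setting) of the most specific entry this role has for cls."""
    for c in class_chain(cls):
        if c in role_entries:
            return c, role_entries[c]
    return None, None

def unconditional_roles(access_group, cls="Assign-Worklist"):
    """Audit: roles whose perform setting for cls resolves to a bare 5."""
    found = []
    for role, entries in access_group.items():
        source, setting = effective_setting(entries, cls)
        if setting == ALWAYS:
            found.append((role, source))
    return found

def can_perform(access_group, cls, when_results):
    """Roles are additive: one unconditional grant outweighs every Access When."""
    for entries in access_group.values():
        _, setting = effective_setting(entries, cls)
        if setting == ALWAYS or when_results.get(setting, False):
            return True
    return False

BEFORE = {
    "MyApp:User": {"Assign-": "canperform"},  # hypothetical custom role
    "PegaCLMFS:SS": {BASECLASS: ALWAYS},
    "PegaCLMFS:DataSynch": {BASECLASS: ALWAYS},
    "PegaCLMFS:RequirementCollection": {BASECLASS: ALWAYS},
}
# The fix from the resolution: an explicit Assign-Worklist entry in the other roles.
AFTER = {role: ({**e, "Assign-Worklist": "canperform"} if role.startswith("PegaCLMFS:") else e)
         for role, e in BEFORE.items()}

if __name__ == "__main__":
    not_assigned = {"canperform": False}  # the operator is not the assignee
    print(unconditional_roles(BEFORE))
    print(can_perform(BEFORE, "Assign-Worklist", not_assigned))
    print(can_perform(AFTER, "Assign-Worklist", not_assigned))
```

Run against an export of an access group's roles, any role reported by unconditional_roles is one that lets the Access When be skipped.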
Published April 14, 2017 - Updated May 4, 2017