SA-21834

Summary

When a new privilege is created to only view/create for Attachment Category Note, the user is still able to delete successfully. This worked in Pega 7.1.5 but not in Pega 7.1.7.

Error Messages

Not Applicable

Steps to Reproduce

1. Create an Attachment Category rule.
2. Create a privilege rule (CannotDelete) and refer it in the Security tab of the Attachment Category rule, select the check boxes for ‘Create’, ‘Edit’, ‘View’ and clear the checkboxes for ‘Delete’, ‘Delete any’.
3. Save the rule.
4. Refer the same privilege (CannotDelete) in the Access of Role to Object rule for a Role (PAT:USER).
5. Try to delete an attachment by logging in with a user having the Role PAT:USER.

Root Cause

From Pega 7.1.6 the behavior of the Attachment Category security has changed.  Leaving an Access control category blank will not Deny Access any more. To grant access to a specific category, a 'Privilege' and/or 'When' rule is used. Similarly, to deny access to a specific category also requires the use of the same.

Resolution

Perform the following local-change: 

1. Refer a WHEN rule in the attachment category to allow Create’, ‘Edit’, ‘View’ operation by selecting the checkboxes for ‘Create’, ‘Edit’, ‘View’.
2. Refer another WHEN rule in the attachment category to deny ‘Delete’, ‘Delete any’ operation by selecting the checkboxes for ‘Delete’, ‘Delete any’.