How to hide the "go" button in Assignments, My Worklist and Task Lists

Secure Your Assignments, Don’t Just Hide the “Go” Button

A common requirement we see is the need to conditionally hide or show the “Go” button on an assignment card in the Case view.

Open assignments view.png1073×558 32 KB

In our traditional UI-Kit applications, the typical approach was to apply a visibility condition directly on the button’s properties in the section rule. While that worked, it was a form of “security by obscurity.” A savvy user could still potentially access the assignment if the underlying action wasn’t properly secured.

In Constellation, we follow a more robust and secure paradigm: we secure the action, and the UI automatically reacts. The “Go” button for an assignment is only visible if the logged-in user has the necessary permissions to perform that assignment. If they don’t have the permission, the “Go” button is hidden by default. There’s no need to configure visibility on the UI element itself. You, the reader would be right to argue this is what should of happened in Traditional UI applications as well but this best practice was not always met.

Securing the Flow Action

The most direct method to control who can perform an assignment is to secure its corresponding Flow Action with a privilege.

Step 1: Create a Privilege

A Privilege is a rule that defines a specific permission that can be granted to a user’s role. Think of it as a key that unlocks a specific capability.

1. In Dev Studio, navigate to Records > Security > Privilege.

2. Click Create and give your privilege a descriptive name. For this example, let’s use CanPerformApproval.

3. Save the new privilege rule into your application ruleset.

Step 2: Apply the Privilege to the Flow Action or Assignment

Next, we’ll tell Pega that performing a specific assignment requires the “key” we just created.

1. Assignment level:

   1. Identify if this is worklist (Assign-Worklist) or queue level (Assign-Workbasket)

   2. In the header of Dev Studio, click Create > Security > Privilege.

   3. On the Create form, enter values in the fields to define the context of the privilege.

      1. In the Label field, enter text that describes the purpose of the privilege.

           Begin the name with a letter and use only alphanumeric, ampersand, and dash characters. As a best practice, start the name with a capital letter. In compound names such as ReconcileProblemWork, capitalize the first letter of each word.
         

      2. In the Apply to field, press the Down Arrow key and select the class that defines the scope of the privilege.

           The class controls which Access of Role to Object Rules you can link to the privilege.
         

      3. In the Add to ruleset field, select the name and unlocked version of a ruleset that stores the privilege.

      4. Optional: To change the default identifier for the privilege, click Edit, and then provide a unique value in the Identifier field.

   4. Click Create and open to open the Privilege form.

   5. Click Save.

2. Flow action level:

   1. Identify the flow action associated with the assignment you want to secure. You can find this in the assignment shape’s properties in your case lifecycle.

   2. Open the Flow Action rule form.

   3. Navigate to the Security tab.

   4. In the Required privilege field, enter the name of the privilege you created in the first step, CanPerformApproval.

   5. Save the Flow Action rule.

Step 3: Grant the Privilege to the Correct Role

Now that the action is locked, we need to give the key to the users who should have access. You grant privileges to Access Roles.

1. Open the Access Role for the persona that should be able to perform the action (e.g., YourApp:Manager).

2. Add the CanPerformApproval privilege to the list of privileges for the appropriate class (e.g., your case type class or Assign-Worklist). You can do this directly in the Access Role form or by using the Access Manager tool.

3. Ensure that the Access Roles for users who should not perform the action (e.g., YourApp:User) do not have this privilege.

RBAC for Assignments.png1380×671 66.6 KB

The Result

With this configuration, the Pega runtime automatically handles the UI.

• When a user with the YourApp:Manager role views the case, they will see the “Go” button because they possess the CanPerformApproval privilege.

• When a user with the YourApp:User role views the case, the “Go” button will be hidden because they lack the required privilege. The system prevents them from performing the action, and the UI reflects that state.

Advanced Scenarios: Attribute-Based Access Control (ABAC)

ABAC will hide the assignment/task entirely, not just the “Go” button

For more dynamic scenarios where access depends on case data (e.g., hiding the button if Case.Amount > $10,000 and the user is not a manager), you can leverage Attribute-Based Access Control (ABAC). This involves creating an Access Control Policy with a condition that compares attributes on the case with attributes on the user’s operator record.

This is a more advanced topic but is the next logical step for complex security requirements.

ABAC policy will hide the assignment entirely.png2524×985 181 KB

Conclusion

By securing the action itself rather than just the UI, you build more robust, maintainable, and truly secure applications. This is a fundamental principle of the Constellation architecture.

Credit: @Maciej Dybal for collaborating on this one (and countless others)

References for Further Reading

• Pega Academy: Application Security

• Pega Academy: Attribute-based access control (ABAC) security model

• Pega Documentation: Configuring Action buttons for a Flow Action

• Pega Documentation: Role permissions and privileges in Access Manager

Constellation 101 Series

Enjoyed this article? See more similar articles in Constellation 101 series.

@MarcCheong

Great to see such a elaborate post. Yes, in the past you could obscure, but that didn’t address the real issue: the application should be secured.

Some additions:

• In previous versions, while generating the application, all Accessgroups (even the :Users) received role PegaRULES:User4, and thus the canPerform Access when (like shown in our screenshot) was always true. I started reverting to :User1.
• The advanced scenario is only working > 25.1 #keepcurrent

In my opinion the advanced scenario is basically the only scenario which is relevant for customer facing applications, as you do not want to have a potential data-leak (assigned operatorID / email).

For all others; we have discussed in our Webinar, there are also other areas where you need to look into while securing your application.

@RonaldDeLignie great points! It completely slipped my mind that we discussed this in our Webinar!

and yes, the changes in '25 have been deliberately made to compliment Pega Blueprint and the Blueprint Import capability. We assume users do not have access unless you have specifically outlined they have access to in in the Personas step of the blueprinting. That is then imported to create the relevant access control.

• Shout out to the Blueprint and App Designer Expert Circle, and @BradTanner, @ChrisBoone and @SumanKumar, where you can find out more on all things Blueprint.

@MarcCheong

Thanks for this. If we need dynamic to handle it: I hope as per the link, ABAC can help this requirement alone but entire assignment is getting hidden.
What should be the Action that can help us just to hide the Go button using ABAC.?

I tried Read- at Assign-worklist level and its hiding entire assignment (not just go button) as also you shown in the image.

If thats not possible using ABAC, might be good to hide just go button using RBAC dynamically

@MarcCheong One more observation- The one you highlighted for ABAC CanPerform that is controlling the Go button in the example that was shown-. CanPerform is an AccessWhen that is controlling. But I can’t find Privilege added in the Assign-Worklist ARO.

As you mentioned add the correct Privilege to the access role in point 3 with image. I can find that CanPerform is an access when and the ARO shown in image that is hiding Go button doesn’t have any privilege attached. can you check?

@MarcCheong

I tried other approach-> its hiding go button in assignment view from case type. But not hiding go button from Tasks in home page.

1.jpg1080×781 91.4 KB

@palws

@MarcCheong

And what’s determining if a user want to disable and not hide an action button?

@palws

General rule I would follow:

• if you want to secure the assignment, and allow the user to see what other assignment there are → RBAC
• if you want to secure the assignment and do not expose any other assignment information → ABAC

Sorry typo in the 1st sentence- The one you highlighted for ABAC* CanPerform → The one you highlighted for RBAC CanPerform

@palws my examples were illustrative. In my scenario I customised “can perform” for RBAC to hide the go button. In the ABAC, I created a rule “NoAssignments” the was a simple “Never” to remove access for my screenshots. Obviously, in real implementations this would be more detailed.

Out-of-the-Box, as of '25, you are not granted access to objects unless explicitly given access, as @RonaldDeLignie highlighted earlier in this thread. So you would need to implement your own rules to grant access.

@palws

Don’t mix up when you can execute the assignment with security. This does not secure the Assign-* item but rather prevents it from executing. So if you haven’t secured the class correctly, you potentially can use D_pyAllWorkList datapage to get all assignment details.

@BijoyN

Read this: Axess Lab | Disabled buttons suck or Usability Pitfalls of Disabled Buttons, and How To Avoid Them — Smashing Magazine

and there are many more. Imo Pega has done the correct thing: if you cannot execute the assignment, don’t show the button

@BijoyNsee @RonaldDeLignie response. Disabling things is not Pega’s preferred UX, even in Traditional UI, whilst technically feasible it was always a higher effort implementation than visibility conditions or validation rules on submit.

You can see more from @lachc’s blog on the What’s Up with Constellation Form Layout with disabled controls getting directly addressed.

@RonaldDeLignie

User wants to see a disable button, to get an idea that there could be action possible.

He may ask for permission using different process.

Lets not restrict user expectations.

There should be 3 flags

1. IsAllwoed

2. IsVisible

3. IsDisable

In this case IsAllowed is false and other 2 are true.

@palws i hadn’t shown the flow action path in the above, so thanks for sharing your experience. Let me do some investigation, as that GO button should not be showing in the “To Do” widget - Like you, I would of expected the Flow Action level security to kick in there.

@MarcCheong Thanks. RBAC and ABAC were working as mentioned

@BijoyN this is not part of our prescribed design system, which is the fastest time to value for clients. However, if you wish to extend constellation UI, you can, they are higher investment paths but are options where there is need.

I would recommend our two recent webinars on the topics:

• Extending Constellation: A Deep Dive into Constellation DX Components
• Extending Constellation: Unlock Advanced UI Customization with Constellation SDKs

However, it does sound like you are already inflight on a project, this could be a considerable change of effort to using the provided OOTB UI

@BijoyN

“Let’s not restrict user expectations” - if you rephrase it; as responsible Pega Architects we should address the issues with Diabled buttons and explain why we don’t want them. This than will lead to the correct discussion, what do you want to realize / what is the outcome you want to achieve?

Personally I would not like that users go look around that there might be actions which they potentially can request access for (or not?).