Are there any OOTB roles , provided by PEGA, to make the Developer Studio read-only , where rules can only be viewed , but not written, edited or deleted ?
To be clear : I am not asking about privileges or the mechanism to develop a custom solution , as we have already implemented one and it is working.
My question is about whether there is a OOTB role ,already provided by PEGA , to enable a Read-only solution quickly.
Hi @VTALUKDAR,
Try “PegaRULES:Guest”.
@KiruthikaA Tried it : that Access role only authorizes access to PEGA’s Rule-Application instances. Same with the PegaRULES:Guest-Maximum as well.
Try with a specific application , and you get an error :
Caused by: com.pega.pegarules.pub.runtime.IndeterminateConditionalException: You are not authorized to open instance RULE-APPLICATION XXXXX 02.06.18
at com.pega.pegarules.priv.FUAUtil.activityPreTranIndeterminateConditionalCheck(FUAUtil.java:446) ~[prpublic.jar:?]
at com.pegarules.generated.activity.ra_action_requestorinitialize_89ad755666c9b32d183401b5c4c47e77.step4_circum0(ra_action_requestorinitialize_89ad755666c9b32d183401b5c4c47e77.java:1061) ~[?:?]
@VTALUKDAR Can you disable checkout from Operator ID and try ? That will make it not editable for all the versioned rules and non versioned rules but might not be applicable for data instances.
@SrinidhiM I have already worked on a custom solution which achieves this, but my point was to get something OOTB so that it can be used directly without ANY customization.
I guess from the answers I have received, no such role actually exists…Yes I can try with adding granular privileges, but that approach would be very similar to my custom solution anyway…
Do they need to see all the rules? Or just a few of them?
In case it’s the latter, you can delegate the rules and just make sure they cannot save them.
@BasM7674 No that is not an option. As I mentioned above, the user should be able to view all rules, not just the ones which can be delegated .
Simple answer to your question, there is no OOTB Read Only Access Role available.
I have started searching for the same and end up creating my own access role, However, my Custom Access Role is built on
PegaRULES:User1 and any additional changes like ability to view Clipboard or Data Types etc., I have overriden in my app’s access role.
@SrinidhiM Disabling check out is only part of the problem , not the full solution.
This is my use case :
Use case :
– User should be able to view rules, but not write, or delete anything
– User should not be able to Run rules (either from the rule itself or from Clipboard)
– User should not be able to Import code into PEGA
– User should be able to view Clipboard , Tracer and all other Diagnostic features
– User should not be able to Add a rule to Favourites.
@VTALUKDAR Hi Can you check the below privileges:
pxViewDeveloperDesktop
pxViewLimitedForm
There is one Access Role Name (PegaRULES:ViewerCollaborator) but you might have to do some changes because this does not include privilege to run basic rules which are required for authentication
@VTALUKDAR Yes, Seems like the OOTB roles and privileges that are available only provides a part of your requirement and not the complete requirement. We might need to add granular privileges which you have already done.
Why wouldn’t you give them access to the staging environment. I assume you have one, there you can see everything as it is on production, right?
@BasM7674 The problem is not that we cannot give them access to STAGING environment. The issue is that sometimes there are specific instances where we need to look into the PROD environment without actually being able to change anything.
Suppose an agent/job scheduler/data flow fails in PROD, but did not fail in ACCEPTANCE/STAGING environment. Then we have no other option but to open the PROD environment. We want a access role which would allow us to peek into the PROD Environment and SEE everything, but would not be allowed to CHANGE anything.
I hope I was clear with the use case now.
@SUMAN_GUMUDAVELLY Hi , this is actually an old post, and I found a solution for this, probably something similar to what you did.
I created a new Custom role which handles the Read-only bit, and put in all the restrictions I need to handle the changes.The role works fine, but some very small hiccups remain (example : Clear Invocation History in Service REST cannot be disabled).
@VTALUKDAR We are on 8.8.1 and looking for the same solution ..seems to be you already made it with custom solution so Can you please share the list of access roles/ARO/Privileges needed for making the designer studio read only.
Does the Admin Studio provide enough functionality for your use case? I think it’s designed to do just that, look into the operations part of the system.