The Scenario
What if I want to stop a person creating? But allow them to work on cases?
A very common enterprise requirement is segregating duties: you have a specific Persona (let’s call them “Tour Operators”) who need to process assignments, update data, and move a case forward, but they should not be allowed to initiate or create that case type themselves. Another Persona (e.g., “Customer” or an API) handles creation of Customer Feedback.
Prerequisites
For this walkthrough, assume we have:
-
This has been written and tested in Infinity '26.
-
A Case Type named Feedback collections.
-
A Persona named Customer (who can create the case).
-
A Persona named Tour Operator (who can work on the case once created).
Step 1: Configure Persona Authorizations in App Studio
Blueprint will handle most of this for you when you Import your Personas. However, Blueprint only addresses wholistic “case” or “data” access. It does not address more detailed security requirements at the assignment/task level (yet).
We can handle this entire security requirement without writing a single rule manually.
-
In Dev Studio, navigate to Security > Access Role Name
-
Select the Tour Operator Managed persona to open their access rights.
-
Under the Case types section, locate the Feedback Collection case.
-
You will see checkboxes for standard actions: Read, Write and Delete Instances
-
Update the Write instances permission to a when rule of your choice
When rule creation
In my scenario, I am going to allow Tour Operators to edit the case so long as its not during creation. However, your scenario may be different so please implement security rules according to your requirements
Have another way to do this? There are many. Please share how you would approach it in the comments below ![]()
- Type in name of new when rule, “IsNotCreateStage”
- Click the bullseye to open the rule
- Create the rule
- Apply the logic: Is not create stage (PRIM0) and ID exists.
- Both these are required to protect the Create menu and the Open Assignments after case is created
- Click save
Step 2: What Happens in the Constellation UI?
Because Constellation’s UI components are deeply integrated with Pega’s security model, the portal updates automatically:
-
The Create Menu (+): When a user with the Tour Operator persona logs into the Constellation web portal and clicks the global “Create” (
+) button, the Feedback Collection case type will be completely hidden from the list. -
The Worklist/Queue: If a Customer creates an Feedback Collection case and routes an assignment to the Tour Operator, they can still click on the assignment, open the case, view the summary panel, and submit the action.
Because the “Write” permission is maintained, the Worker can still save data to the clipboard and commit the assignment to the database, cleanly separating the Create stage from the processing stages.
Key Takeaway 
In Pega Constellation, you rarely need to modify UI elements to hide case creation options. Secure your application at the data and authorization layer (via Personas in App Studio), and the Constellation portal will automatically render the correct UI for the user.
Additional Resources
- Security of Constellation applications in Constellation 101s
- Application Security Module on Pega Academy
- Authorization topic in Pega Docs
Enjoyed this article?
See suggested articles from our Constellation 101 series and view all our Knowledge Shares from our User Experience Expert Circle.




