Setting Data-Admin-Security-Keystore class access controls to 0 doesn't change anything

I’m trying to create an Access Group with SecurityAdministrator privileges except for access to the keystores.

Steps to reproduce the problem:

  1. Create a new Access Role based on the existing SecurityAdministrator. Let’s call it “SANoKey.”
  2. Edit this Access Role and add the class Data-Admin-Security-Keystore with all Access Controls set to 0.
  3. Create an Access Group with the SecurityAdministrator role and replace it with the new one (SANoKey).
  4. This new Access Group shouldn’t be able to edit or delete any instance of Data-Admin-Security-Keystore, but that’s not true. It can still access Records > Security > Keystore and edit everything there.

I’ve tried deleting the dependent role of the Access Role and cloning it to avoid conflicts, but it still doesn’t work.

I’ve even tried deleting the SecurityAdministrator Access Role instead of replacing it. However, even when the security interface disappears, the Keystore can still be accessed through the search function in the upper right section. This Access Group only has the SysAdm4 Access Role.

@EnriqueO17387700

I didn’t have time to look through the specifics of the access of those roles, but did you try adding an access deny?

To test it you could create a new role with this access deny in it and add it to the access group you have.

In terms of accessing it from the search then what are the requirements? To not know it exists (doesn’t show up in search results) or just can’t open the rule if selected?

@EnriqueO17387700

Solved by Pega Support with

“In Access Group: Theme Cosmos authors in available roles please reorder groups so SANoKey will be on top and change “Stop access checking once a relevant Access of(…)” to true”
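A simplified model of why the fix quoted above works, as an added example that is not part of the thread and not Pega's implementation. It assumes the roles of an access group combine most-permissively unless the stop-checking option is on; the class hierarchy, the access levels, the production level and the helper names are constructed.

```python
# Simplified model of access-role evaluation in an access group.
# Assumption: this is NOT Pega's implementation. Hierarchy and levels are constructed.
KEYSTORE = "Data-Admin-Security-Keystore"
PARENT = {KEYSTORE: "Data-Admin-", "Data-Admin-": "Data-"}  # constructed

# role -> {class: "modify instances" level}; 0 denies, 5 grants at every
# production level. SysAdm4's entry is a constructed stand-in for any role
# that grants access on a parent class.
ROLES = {
    "SANoKey": {KEYSTORE: 0, "Data-Admin-": 5},
    "SysAdm4": {"Data-Admin-": 5},
}

def relevant_level(role, cls):
    """Level from the most specific entry the role has for cls, else None."""
    while cls is not None:
        if cls in ROLES[role]:
            return ROLES[role][cls]
        cls = PARENT.get(cls)
    return None

def can_modify(roles, cls, stop_on_first_relevant, production_level=2):
    """roles is the ordered role list of the access group."""
    granted = False
    for role in roles:
        level = relevant_level(role, cls)
        if level is None:
            continue  # this role says nothing about the class
        if stop_on_first_relevant:
            return level >= production_level  # first relevant role decides
        granted = granted or level >= production_level  # most permissive wins
    return granted

if __name__ == "__main__":
    for order in (["SysAdm4", "SANoKey"], ["SANoKey", "SysAdm4"]):
        for stop in (False, True):
            print(order, "stop =", stop, "->", can_modify(order, KEYSTORE, stop))
```

In this model only the combination of SANoKey listed first and stop-checking enabled blocks the keystore class; either change alone leaves the grant inherited from the parent class in effect.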