Switch Access Group dynamically

vub01 · June 1, 2023, 6:54pm

There are posted in the community that described how to switch access group dynamically.

Switch Access group for Rest API | Support Center (pega.com)

How to switch access group when authenticating ? | Support Center (pega.com)

The post suggested to use Pega Private Engine API to do so. Other similar posts also suggested the similar solution. The solution works as expected. However, The concern is the use of the private engine API (in bold) to accomplish this requirement.

try { PRThread prtRef = tools.getThread(); if (prtRef != null) { ((com.pega.pegarules.priv.authorization.PegaAuthorization)prtRef.getAuthorization()).replaceAccessGroup(prtRef, AccessGroup); } } catch (Exception ilEx) { oLog.error(“Error”, ilEx); tools.putParamValue(“test”,ilEx.toString() ); }

Questions:

Is it ok to use the Pega Private Engine API as showned above to switch access group when authenticating?
If this is not the correct way to switch access group dynamically, what is the correct way to do so?
Are there any OOTB API, activity, function, etc. that we can use to switch user access group dynamically?

Thanks

MarijeSchillern · August 23, 2023, 1:19pm

@vub01

Using Pega Private Engine API is generally not recommended, as it may lead to unexpected behavior and compatibility issues in future releases. It is better to use supported OOTB features and APIs.
To switch access groups dynamically, you can create a custom activity that sets the desired access group on the Operator ID page (pyAccessGroup property) and then updates the requestor context using the OOTB activity Code-Security.pxUpdateOperatorContext.
As mentioned above, you can use the OOTB activity Code-Security.pxUpdateOperatorContext to update the requestor context after setting the desired access group on the Operator ID page. This approach is more reliable and future-proof compared to using private APIs.

This answer came from a Pega gen-AI assistant using the below references. As a Support Center moderator, I reviewed the answer and references for accuracy:

Custom activity in the Service package

Configuring access groups and roles

Planning your Pega Customer Decision Hub environments > Authorization

Editing tools authorization for a single access group

Andreas_Hubenthal · August 25, 2023, 7:05am

Hey @MarijeSchillern I like the idea and solution you provided, but I cannot find the mentioned OOTB activity pxUpdateOperatorContext on our 8.8.2 environment. Can you please verify that this is the correct name?

MarijeSchillern · August 25, 2023, 9:50am

@Andreas Hubenthal I have hunted high and low for the activity 'pxUpdateOperatorContext’ (the one the AI Assistant found somewhere in our documentation…) but cannot find it.

We only found Code-Security!pyEstablishOperatorContext which “Establishes operator context (populates OperatorPage namedpage ) for the given input parameter values (userId, organization, division, unit)”. It is not relevant here…

It seems there is no specific OOTB API, activity, or function designed to switch user access groups dynamically.

The documentation states it is possible to update the requestor context using an activity. You can spawn multiple background requestors by calling an activity through a Java step with a PublicAPI call, such as: tools.getRequestor().queueBatchActivity(“”, " ", tools.getParameterPage()); This allows you to start a second requestor with the same access group as the current requestor session, execute the activity, and then terminate.

RedirectAndRun will get executed in the new thread context and pxSecuritySnapshot will get created at the time of user login and will not be updated.

We suggest you to try below options:

Map all the roles to user as part of the attribute mapping in the authentication service.
Update the roles in the operator ID in post-authentication and save the operator ID.
Maintain custom table for custom/additional roles, update Operator ID by combining model operator access roles and custom access roles and save it into clipboard.

Updating access groups by submitting a request to an active instance

My apologies for the earlier provided answer. I will check internally if I can find an SME to review your scenario.

sivar1 · August 31, 2023, 8:41am

@vub01 @Andreas Hubenthal Pega does not have an OOTB function or activity to switch access group. You can use the above mentioned code.

Vignesh_Amarnathan · January 2, 2024, 9:06am

@vub01 , Thank you for the post. I am facing similar scenario and tried this code and it seems it is working for BATCH requestor only and not for BROWSER. Can anyone please suggest if there is any alternative Pega engine API available for BROWSER requestor to switch access group dynamically?

VenkatRaman · June 26, 2024, 10:16pm

@Vignesh Amarnathan

Did you get any solution for the same? I have the same issue.

Conversation		Replies	Views
Switch access group based on URL in Pega Application General pega-platform , team-lead , security , manufacturing , 8-8-2	1	222	February 12, 2024
Data Flow - Switching requestor Access Group General senior-system-architect , security , system-administration , case-management , decision-management , cross-industry , 8-7-6	2	218	May 3, 2024
Can't able to edit Access Group in Administrator Operator ID for Pega'23 General pega-platform , security , system-administration , admin-studio	4	115	April 25, 2024
Custom activity in the Service package General lead-system-architect , case-management , financial-services , 8-2-2	6	568	January 21, 2022
User role switching in Constellation General pega-platform , constellation , senior-system-architect , security , government , 24-2	5	254	November 3, 2025

Switch Access Group dynamically

Related topics