When you create an application in UI-Kit, the system creates two access roles - “Manager” and “User”. The “Manager” access role inherits from PegaRULES:WorkMgr4 and the “User” access role inherits from PegaRULES:User. The difference is that a Manager can perform others’ assignments while a User can only perform his own assignments.
My question here is: where exactly (which rule, in which class) is this difference controlled?
I want to understand the actual configuration, not Access Manager.
The reason I ask is that I just realized that in a Cosmos application, the system creates only one access role for end users - “User4” - and it behaves like “User” in UI-Kit: the user can only perform his own assignments, not others’.
However, most of my customers want to configure the end user’s access role like “Manager”, so the user can also perform others’ assignments. I want to apply the same configuration used in the old UI-Kit “Manager” access role.
The rule canPerform on Assign-Worklist is your starting point. Pega checks this rule for every assignment that is opened from a work list. The OOTB version of it has a check on a privilege.
It’s unreadable in the picture above, but when copied it reads: @pxCheckPrivilegeInWorkClass(myStepPage, "Perform")
So, everybody that has the privilege Perform on the work class can open an assignment on any work list. This privilege can be on the Work- level, or on any other custom level if you have a custom role, e.g. MyCorp-ABC-Work.
The WorkMgr4 access role has an ARO defined on the Work- level. This contains the privilege the system is looking for.
Now, if you want to customize the auto-created User4 access role in a Cosmos application in such a way that users can perform others’ assignments, you can add the “Perform” privilege in your Work class, as shown below.
Or, you can also get rid of the A2 row from the canPerform Access When rule, but this is not recommended. If you modify this rule, careful attention should be paid.
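As an added illustration (not code from the post, and not Pega’s own implementation), the following Python model shows how the two rows of the canPerform Access When rule combine, and why a Perform privilege granted on Work- in a WorkMgr4 ARO also covers a custom work class such as MyCorp-ABC-Work. The A1 row is assumed to be “the assignment is in the operator’s own worklist”; the class hierarchy, role names and operator ids are constructed.

```python
from dataclasses import dataclass, field

# Constructed class hierarchy: the custom work class inherits from Work-.
CLASS_PARENTS = {"MyCorp-ABC-Work": "Work-", "Work-": None}

@dataclass
class AccessRole:
    name: str
    # ARO model: class name -> set of privileges granted on that class.
    aros: dict = field(default_factory=dict)

@dataclass
class Operator:
    operator_id: str
    roles: list

@dataclass
class Assignment:
    work_class: str
    assigned_to: str  # operator whose worklist holds the assignment

def check_privilege_in_work_class(operator, work_class, privilege):
    """Models @pxCheckPrivilegeInWorkClass: walk from the work class up
    to Work- and look for the privilege in any ARO of the operator's roles."""
    cls = work_class
    while cls is not None:
        for role in operator.roles:
            if privilege in role.aros.get(cls, set()):
                return True
        cls = CLASS_PARENTS.get(cls)
    return False

def can_perform(operator, assignment):
    # Row A1 (assumed): the assignment sits in the operator's own worklist.
    a1 = assignment.assigned_to == operator.operator_id
    # Row A2 (quoted in the answer): the Perform privilege in the work class.
    a2 = check_privilege_in_work_class(operator, assignment.work_class, "Perform")
    return a1 or a2

# Constructed roles mirroring the thread: WorkMgr4 grants Perform on Work-,
# the auto-created User4 grants no Perform privilege at all.
WORK_MGR4 = AccessRole("PegaRULES:WorkMgr4", {"Work-": {"Perform"}})
USER4 = AccessRole("Sandbox:User4", {})
# The customisation described above: Perform added on the application's work class.
USER4_CUSTOMISED = AccessRole("Sandbox:User4", {"MyCorp-ABC-Work": {"Perform"}})
```

Removing row A2 instead would make can_perform depend on A1 alone, which is why the answer advises against editing the rule itself.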
Thank you for the clear explanation! After understanding the mechanism, I was able to customize Sandbox:User4 in Cosmos so users can perform others’ assignments.
Below is the screenshot with a User4 operator. In UI-Kit, the operator can at least see the “Begin” button even if he doesn’t have the privilege. When it is clicked, the operator sees an error: “You are not authorized to perform this assignment”.
However, in Cosmos, when the operator does not have the privilege, he can’t even see the button (in Cosmos, a “Go” button instead of a “Begin” button), as shown below. Am I missing anything, or has the product specification been changed recently?
In a nutshell, in UI-Kit the button was always displayed regardless of the operator’s accessibility to the assignment. This approach was okay because, if true security is configured properly, the system throws an exception anyway when the button is clicked. Cosmos was enhanced to check the operator’s accessibility to the assignment at the UI level to avoid unnecessary click operations.