Discussion
Pegasystems Inc.
US
Last activity: 29 Dec 2019 14:38 EST
7.3 / 7.4 LSA Architecture Application Build Exam - Retired Exam Question 4
The CLSA Architecture Application Build exam consists of 3 to 6 questions of varying complexity which evaluates the ability of a candidate to develop and architect solutions using the PEGA platform. Please refer to the Exam preparation guide for further details.
Question 4 from a retired exam scenario is attached to this post. You are encouraged to work through this question by collaborating in this discussion thread. A solution will not be provided.
It is estimated that a candidate proficient in design and implementation would be able to complete this task in 4 hours.
The starting point migration file for this first retired exam is called Booking_20171102_10000.zip and can be downloaded here.
Pegasystems Inc.
IN
Did any one tried to implement this scenario? If yes, please share your thoughts and Solution ZIP file and document
Achmea
NL
.... I just saw that I used the NEW starting point... So not sure which rules were available and which not.: However here are my awnsers with the new starting point in mind :
1: My first idea would be to assign a privilege to the Executive Officers Roles and add these to the reports. However there are no specific Executive Officers Roles. Starting point would then to create these specific roles, by copying a Booking:Manager Acces Role.
2: Attribute based acces control to view the profit field only when current accesgroup is Executive officer. Or use a when condition on every field to perform the same check. Harder to maintain.
Pricing is handled in dec-table Pricing. However there seems to be some incomplete rules. Base Pricing is not in the FinalTotalPrice, Is this something we should fix??
3: Create a property to hold the Approved boolean. We will then show a read-only section of the Quotation Event information in stage Quotation.
--> I am not sure if updating the event information is the same as Change stage to Quotation. As changing the event info would also trigger underlaying calculations and possibly require a new client response.
Other wise we could also create a flowwide local flowaction to do the same, that only executive officers can start.
4: Creating a delegate decision table, that is editable in the managers portal. Not sure how to only make it availble for executives
.... I just saw that I used the NEW starting point... So not sure which rules were available and which not.: However here are my awnsers with the new starting point in mind :
1: My first idea would be to assign a privilege to the Executive Officers Roles and add these to the reports. However there are no specific Executive Officers Roles. Starting point would then to create these specific roles, by copying a Booking:Manager Acces Role.
2: Attribute based acces control to view the profit field only when current accesgroup is Executive officer. Or use a when condition on every field to perform the same check. Harder to maintain.
Pricing is handled in dec-table Pricing. However there seems to be some incomplete rules. Base Pricing is not in the FinalTotalPrice, Is this something we should fix??
3: Create a property to hold the Approved boolean. We will then show a read-only section of the Quotation Event information in stage Quotation.
--> I am not sure if updating the event information is the same as Change stage to Quotation. As changing the event info would also trigger underlaying calculations and possibly require a new client response.
Other wise we could also create a flowwide local flowaction to do the same, that only executive officers can start.
4: Creating a delegate decision table, that is editable in the managers portal. Not sure how to only make it availble for executives
5: I dont get the CEO part in this question?
So you can only access <10.000 Asign-WorkList items from your peers?
6: For the worklist we can can circumstance based on accesgroup or Operatior Position and adjust the report definition.
Ai4Process
GB
However there seems to be some incomplete rules. Base Pricing is not in the FinalTotalPrice, Is this something we should fix??
Yes there is an issue with the calculation of the Pricing, Cost & the Profit. We need to update the ComputeTotals DT & add the below components as well in step 2 -> .Pricing(ParkingService).DiscountedPrice + (.NumCarsParked * .Pricing(CarPark).DiscountedPrice) + .Event.Pricing(HotelService).DiscountedPrice + .Event.Pricing(Base).DiscountedPrice
If we dont do that then price is not calclated correctly & profit is also coming up as negative.
Navy Federal
US
Yes This can be achieved using ABAC. We can create Access Policy Condition to check whether assignment is assigned to Facility Coordinator or not . We create Access Control policy at Assign-Worklist level with action as read . This can be achieved easily using ABAC. I can be achieved using RBAC as well. In ARO of Assign-WorkList class in Facility Coordinator access role , we create a access when to check the required condition and allow the access bases on that. But ABAC is recommended as it is easy to configure and does not require any additional role.
Please let me know if you have any other better approach. That will be very helpful.
Thanks
Rama
Ai4Process
GB
But isnt it recommended that as long as we can achieve funcitonality through RBAC we should use RBAC. Only if not achievable then we should go for ABAC?
Pegasystems Inc.
US
Can anyone recommend how we can debug ABAC? For this question I'm attempting to put an Access Control Policy on the profit property. But it doesn't work and in the tracer I don't see any of my rules running.
Pegasystems Inc.
US
I believe you need to create the Access Control Policy with the applies to class set to that of the FSG-Booking-Work-Event case type. You can then mask the property by referencing the embedded page .Event.Profit .
Pegasystems Inc.
IT
HI, here is my feedback for ABAC for debug and use:
- ABAC is formed by 2 parts Conditional Logic and Policy logic, to debug you need to run Remote Tracer and find the name of the Access Control Policy Condition
- You will find that the Conditional Part is evaluated and shown, the Policy Logic is evaluated as well but is not shown
- To discover where ABAC is fired i am making temporarily the Availability of rule ABAC Policy condition as Blocked, so when it is evaluated you will see a Red FAIL in the tracer
Hope it helps.
Regards
Eliseo Olla
Navy Federal
US
Hi Guys,
Please see my approach for the third requirement
3) Ensure that only Executive Officers are allowed to update Event information after an Event is approved
This can be implemented as explained below.
We can create a property name "QuoteApproved" at Event class level and this property will be set to true upon approval of the quote by Executive officer.
We will have a case wide local action to update the case/event details , We can use pyUpdateCaseDetails OOTB flowaction . This flow action can be conditionally available to only Executive officers. Whenrule checks whether User is a Executive Officer by checking ExcutiveOfficer access group on operator page and QuoteApproved property on the event case.
Please let me know if anyone else has a better approach than this.
Thanks
Rama
Rama
Pegasystems Inc.
US
Security Requirements
1. According to the Front Stage Scenario Requirements, executive officers have two reports. The first one lists the events with revenue, cost, and profit. The second report shows profit by event type. Ensure that only Executive Officers are allowed to access, view, and run these two reports. Executive officers should be able to create new custom reports using standard features.
Proposed Approach: To create a Privilege to Read Report and apply them to the reports.
2. Add a Profit Field to all the forms that display Event information and ensure that only Executive Officers are allowed to view the Profit Field. Refer to Appendix B for a summary of Event costs and Appendix C for a summary of Event pricing.
Proposed Approach: Used ABAC on the Profit property and restricted access only to Executives using their Access Group.
3. Ensure that only Executive Officers are allowed to update Event information after an Event is approved.
Proposed Approach: Used ABAC to Provide access, Restricted access to non-Executives if they are not in Quotation or Assignment stages.
Security Requirements
1. According to the Front Stage Scenario Requirements, executive officers have two reports. The first one lists the events with revenue, cost, and profit. The second report shows profit by event type. Ensure that only Executive Officers are allowed to access, view, and run these two reports. Executive officers should be able to create new custom reports using standard features.
Proposed Approach: To create a Privilege to Read Report and apply them to the reports.
2. Add a Profit Field to all the forms that display Event information and ensure that only Executive Officers are allowed to view the Profit Field. Refer to Appendix B for a summary of Event costs and Appendix C for a summary of Event pricing.
Proposed Approach: Used ABAC on the Profit property and restricted access only to Executives using their Access Group.
3. Ensure that only Executive Officers are allowed to update Event information after an Event is approved.
Proposed Approach: Used ABAC to Provide access, Restricted access to non-Executives if they are not in Quotation or Assignment stages.
4. Ensure that only Executive Officers are allowed to update the fixed, hotel, and parking related Internal Costs as described in Appendix B associated with Event Bookings. Please note that if no mechanism exists for maintaining these costs you will need to develop it as part of the new version of the application.
Proposed Approach:Created Decision tables and Delegated them to to Executives.
5. Sales executives can view and access work from other sales executives (but only other sales executives). The same is true for executive officers and event managers. However, it must not be possible to access work on peers’ worklists that are related to events with more than 10,000 attendees and, therefore, go directly to the CEO for approval.
Proposed Approach:: Used ABAC to Always permit CEO, Permit access to cases only if Executives/Sales/Event Managers only if count is <10000 and belongs to their Access group.
6. Facility coordinators can only see their own worklist and the work specifically assigned to them.
Proposed Approach: Used ABAC using Assign-Worklist as the applies to class.
Since there was no mention to address other areas, Solution might not have the complete Implemantion to of routing and Operator/Work group/organization mapping.
Kindly review the solution and the approach and let me know your feedback.
Pegasystems Inc.
US
I took the same approach with the #1, with privileges. That just ensure that other AG can't run the report, they can still see that the report exist though. Unless I take away report all together from every role except for executives, how else can we ensure only these 2 reports aren't view/execute while still allowing other roles to create reports?
de Volksbank
NL
Have you found a solution for this one.?
I have created a category for executives, and added the reports to that category
The category is only visible for executives using the: Display in report browser when (blank will always be shown)
The report is still searchable for other operators.
I have tried using a privilege OnlyExecutives on the dataaccess tab of the reports.
I have adding this privilege to the role, but i do not get the hoped result.
any suggestions ?
kind regards
Jetze
Morgan Stanley
IN
Can anyone please help me in the below req:
1. Only EO's are allowed to update the event information after the event is approved. -> I think we can use case stages or assignment status. However, after the event has been approved by executive there's a stage called assignment where we update the EventManager property by executive and some comments are given by the event manager which has got past the executive approval stage. How do we handle this?
2. No access to other's cases if event attendees are more than 10,000. -> Basically, when we define a condition on event case type, How do we know that the case has been assigned to which operator. In Assign-Worklist we don't have attendees information.
-- A user should be able to access the case if its assigned to him irrespective of the count of attendees. For a policy being defined in FSG-Booking-Work-Event how do we know that the case is assigned to him?
-- If we define the policy in Assign-WorkList we know to whom the case has been assigned and we should let others access the case only if the count is < 10,000. Where do we get this info from?
Wells Fargo
US
I registered for LSA app build examine. I have a few questions about the policy. They are the following:
1). The total time span is 3 days. Each question is allotted an estimated time to complete. Do i have to complete and submit each question within that time frame. Do i get point deduction if i take more than required time to submit. E.g. Q1 is estimated for 3 hours, I instead submit my answer next day. The reason is that i want to avoid half baked solution or go for least time consuming solution even though not optimal one.
2). I found out some requirement ambiguous and can be interpreted differently. How can I ask for clarification and get quickest response. Due to the time constraint, if i could not get clarification in time and decide to make my assumption and provide solution accordingly. Do i still get credit if my assumption turns out to be not right?
Pegasystems Inc.
US
Tony,
In response to your questions:
1) You have 3 days to complete the entire exam. How you choose to divide up that time is completely up to you. You can work 30 hours or 72 hours. The distribution of marks is in accordance with the estimated time to complete each question therefore it is generally wise to distribute your time according to that guideline.
2) We prefer you would send an email to [email protected] for clarifications. We will usually respond respond within 1 hour however keep in mind the team is based in North America therefore you will receive the quickest response if sent during daylight hours. Generally there is little need for requirement clarification however if you do find yourself in a situation where you have to make an assumption, make sure it does not conflict with the requirements and document any assumptions in the design question document. We will take that into account when grading as long as your assumption is reasonable.
Pegasystems Inc.
IT
Hi,
I am doing preparation App Build and went through the Q4 above.
Here is my Proposed approach on the following points.
- Point N. 5. I have configured with ABAC and RBAC:
- An ABAC to check for Sales, Executives and Event Manager access groups they can access the peers' worklists when #Attendees <= 10000.
- If # Attendees > 10000 I use RBAC for case #Attendees > 10000 as below:
- An Access Role for related access group that have configuration WorkMgr 4. It checks the Perform privilege be applied conditionally only if # Attendees < 10000. If not they cannot access the peer's worklist assignments (see Attachment).
- Point N. 6. Configured the Facility Coordinator with an Access Role with Type User4. This does not have the Perform privilege so can access only his worklist.
- For other Points i am mostly aligned as in previous posts
Regards,
Eliseo Olla
Tata Consultancy Services
IN
Hi,
What is the best way to set a skill in assignment at runtime? At assignment shape, it is hardcoded setting. So, if I determine the skill (like English or German) from inputs to the case creation, how to set that as required skill in an assignment? Can this be done without using Assign-NewDefaults activity?
N.B. The actual skill rules are already created. Only skill determination happens at runtime.
Regards,
Santanu Seth
CIBC
CA
Could someone help me on the following ask:
- I downloaded the start up build and completed the RBAC & ABAC exercise without issue.
- Then I tried to define a standalone ABAC scenario that I came up with, outside the context of the exercise and tried to implement, But even a simple ABAC definition is not working with Access Control Poilcy, Access Control Condition & Access When rule. I even made sure EnableAttributeBasedSecurity is set to true. But still no luck.
Is there any other DSS or setting that needs to be enabled prior to ABAC can be tested that I haven't set yet?
Any suggestion?
CIBC
CA
It is already enabled that is why i was able to see and create all the Access Policy and Access Policy Conditional rules. Is there anything i needed to do my end?
ING Bank N.V.
NL
Hi All,
I am facing an issue somewhat similar to what Gopinath was facing. On some specific reasons, attributes in an embedded page inside pyWorkPage is not being masked , inspite the application having specific ABAC condition to mask it.
I have attached a document where I have explained the problem. Can anyone let me know what might be the issue here ? Is there something I am missing here ?
ING Bank N.V.
NL
Added the screenshots in the attached document.
The scenario is easy to replicate : just remove the BookingAdministrator Access When Rule from SalesAndExecutives Access Control Policy Condition. After the change, when you login with Admin.Booking, you should not be able to see the Financial information on any Event case, but I can see it.
Ai4Process
GB
After delegating the Pricing DT rule to Booking:Executives AG, When I login as Executive Officer, I see the DT in the list but on clicking on Edit, the DT opens in Readonly mode & it shows the lock symbol next to it (The rule is not checked out by anyone & RSV is unlocked). I even tried creating an Access of Role To Object to allow the AG to modify rules of FSG-Data-Event class, but still the same.
I also tried saving the DT rule into an unlocked Production RUleset & adding the ruleset to the Access Group's Production Ruleset list, but still the same behavior. Any ideas?
Deutsche Telekom Services Europe SE (DTSE)
DE
Hi.
Sounds like your ruleset has option "Use Check-Out?" enabled, but your operator has option "Allow rule check out" disabled.
Regards, Matthias
Ai4Process
GB
Thanks for responding. No that wasn't the case. But looks like the rule was checked out by admin.booking user. Once I discarded the checked out rule, it worked.