Question
ING Bank N.V.
NL
Last activity: 28 Jun 2023 3:14 EDT
OOTB Access roles to make Developer Studio read-only
Are there any OOTB roles, provided by PEGA, to make the Developer Studio read-only, where rules can only be viewed, but not written, edited or deleted?
To be clear: I am not asking about privileges or the mechanism to develop a custom solution, as we have already implemented one and it is working.
My question is about whether there is an OOTB role, already provided by PEGA, to enable a read-only solution quickly.
Accepted Solution
Updated: 28 Jun 2023 3:14 EDT
ING Bank N.V.
NL
@SUMAN_GUMUDAVELLY Hi, this is actually an old post, and I found a solution for this, probably something similar to what you did.
I created a new custom role which handles the read-only bit, and put in all the restrictions I need to handle the changes. The role works fine, but some very small hiccups remain (example: Clear Invocation History in Service REST cannot be disabled).
IQZ Systems LLC
US
Hi @VTALUKDAR,
Try "PegaRULES:Guest".
Updated: 10 Jan 2023 7:40 EST
ING Bank N.V.
NL
@KiruthikaA Tried it: that Access role only authorizes access to PEGA's Rule-Application instances. Same with the PegaRULES:Guest-Maximum as well.
Try with a specific application, and you get an error:
Caused by: com.pega.pegarules.pub.runtime.IndeterminateConditionalException: You are not authorized to open instance RULE-APPLICATION XXXXX 02.06.18
    at com.pega.pegarules.priv.FUAUtil.activityPreTranIndeterminateConditionalCheck(FUAUtil.java:446) ~[prpublic.jar:?]
    at com.pegarules.generated.activity.ra_action_requestorinitialize_89ad755666c9b32d183401b5c4c47e77.step4_circum0(ra_action_requestorinitialize_89ad755666c9b32d183401b5c4c47e77.java:1061) ~[?:?]
Pegasystems Inc.
IN
@VTALUKDAR Can you disable checkout from Operator ID and try? That will make it not editable for all the versioned rules and non-versioned rules but might not be applicable for data instances.
ING Bank N.V.
NL
@SrinidhiM Disabling check out is only part of the problem, not the full solution.
This is my use case:
-- User should be able to view rules, but not write, or delete anything
-- User should not be able to Run rules (either from the rule itself or from Clipboard)
-- User should not be able to Import code into PEGA
-- User should be able to view Clipboard, Tracer and all other Diagnostic features
-- User should not be able to Add a rule to Favourites.
Pegasystems Inc.
IN
@VTALUKDAR Hi, can you check the below privileges:
pxViewDeveloperDesktop
pxViewLimitedForm
There is one Access Role Name (PegaRULES:ViewerCollaborator), but you might have to do some changes because this does not include privilege to run basic rules which are required for authentication.
ING Bank N.V.
NL
@SrinidhiM I have already worked on a custom solution which achieves this, but my point was to get something OOTB so that it can be used directly without ANY customization.
I guess from the answers I have received, no such role actually exists... Yes, I can try with adding granular privileges, but that approach would be very similar to my custom solution anyway...
Pegasystems Inc.
IN
@VTALUKDAR Yes, seems like the OOTB roles and privileges that are available only provide a part of your requirement and not the complete requirement. We might need to add granular privileges, which you have already done.
Masking Technology
NL
Do they need to see all the rules? Or just a few of them?
In case it's the latter, you can delegate the rules and just make sure they cannot save them.
ING Bank N.V.
NL
@basmasking No, that is not an option. As I mentioned above, the user should be able to view all rules, not just the ones which can be delegated.
Masking Technology
NL
Why wouldn't you give them access to the staging environment? I assume you have one, there you can see everything as it is on production, right?
ING Bank N.V.
NL
@basmasking The problem is not that we cannot give them access to STAGING environment. The issue is that sometimes there are specific instances where we need to look into the PROD environment without actually being able to change anything.
Suppose an agent/job scheduler/data flow fails in PROD, but did not fail in ACCEPTANCE/STAGING environment. Then we have no other option but to open the PROD environment. We want an access role which would allow us to peek into the PROD Environment and SEE everything, but would not be allowed to CHANGE anything.
I hope I was clear with the use case now.
Skandiabanken
SE
@VTALUKDAR We are on 8.8.1 and looking for the same solution. It seems you already made it with a custom solution, so can you please share the list of access roles/ARO/privileges needed for making the designer studio read-only?
Masking Technology
NL
Does the Admin Studio provide enough functionality for your use case? I think it's designed to do just that, look into the operations part of the system.
Ford Motor Company
US
Simple answer to your question: there is no OOTB Read Only Access Role available.
I have started searching for the same and ended up creating my own access role. However, my Custom Access Role is built on PegaRULES:User1, and any additional changes, like the ability to view Clipboard or Data Types etc., I have overridden in my app's access role.