Question
Pegasystems Inc.
JP
Last activity: 16 May 2016 8:25 EDT
7.2 How to restrict access to specific Data class
Requirement:
There is a data table contains sensitive information and the access to the data table should be granted per access role.
At a first glance, it looks simple enough to implement the requirement by creating an ARO which gives access (Read instance=5) to the specific data class and grant the ARO to desired Access Groups.
However, it turns out that even users belongs to Access group that doesn't have the ARO still can open records of the data table.
It seems that OOTB ARO defined on "Data-" class plays a role here, below is my test results.
| Access Group | Granted AROs | Expected | Test Result |
|---|---|---|---|
| MyApp:Managers | "Data-" (Read instance=5) |
Can open any records of any data class that inherits from "Data-" class. | As expected. |
| MyApp:Workers |
"Data-" (Read instance=5) "Data-Sensitive" (Read instance=0) |
Requirement:
There is a data table contains sensitive information and the access to the data table should be granted per access role.
At a first glance, it looks simple enough to implement the requirement by creating an ARO which gives access (Read instance=5) to the specific data class and grant the ARO to desired Access Groups.
However, it turns out that even users belongs to Access group that doesn't have the ARO still can open records of the data table.
It seems that OOTB ARO defined on "Data-" class plays a role here, below is my test results.
| Access Group | Granted AROs | Expected | Test Result |
|---|---|---|---|
| MyApp:Managers | "Data-" (Read instance=5) |
Can open any records of any data class that inherits from "Data-" class. | As expected. |
| MyApp:Workers |
"Data-" (Read instance=5) "Data-Sensitive" (Read instance=0) |
Can open any records of any data class that inherits from "Data-" class, except "Data-Sensitive". | Can open any records of "Data-Sensitive" class. |
| MyApp:Visitors | "Data-" (Read instance=0) |
Can NOT open any records of any data class that inherits from "Data-" class. |
As expected. Can open any records of "Data-Sensitive" class. |
Message was edited by: Chunzhi Hong Updated Test Result of "MyApp:Visitors"
Accepted Solution
Pegasystems Inc.
JP
I found a work-a-round as below to solve the issue, so I will postpone my SR request at this moment.
"Data-Sensitive" (Execute activities=0)
Chunzhi
Pegasystems Inc.
IN
Hi Chunzhi, Good morning!
- I think its a bug.
- but again on 7.2
- we recently faced this error and worked as expected.
- we had ARO defined on Assign-Workbasket [Delete Instance=0/blank] associated to PegaRULES:User4 in custom ruleset [which is incorrect rule]
-
PegaRULES:User4 already has Assign- with Delete Instance=5
- Our case: user is presented with error on UI stating 'do not have access'.
- we recently faced this error and worked as expected.
- not sure but - could we double check the ruleset in which AROs for Data- & Data-Sensitive class are created...
Please share your thoughts/comments, Thank you!
psahukaru
Updated: 16 May 2016 5:31 EDT
Pegasystems Inc.
JP
Hi Phani,
Thanks for your feedback.
In my case, both AROs for Data- & Data-Sensitive class are associated to the same application rulest, MyAppRS, since I've cloned PegaRULES:WorkMgr4 for customizing.
I am going to raise an SR.
Chunzhi
Pegasystems Inc.
IN
Hi Chunzhi Hong ,
Once you go ahead and raise an SR, I request you to share the SR number here, so that we can track it within the thread for you.
Thank you for your participation in the community.
~Vidyaranjan A V | Community Moderator | Pegasystems Inc.
Accepted Solution
Pegasystems Inc.
JP
I found a work-a-round as below to solve the issue, so I will postpone my SR request at this moment.
"Data-Sensitive" (Execute activities=0)
Chunzhi