Case dependency does not work with ABAC
I would appreciate your help in finding solution to following scenario:
In our process we create child cases and assign them to particular users. The parent case is supposed to wait until all the children are resolved. The dependency can not be checked as we have quite rigorous security on the child. Only assigned user can view it and perform action on it. To do that we have implemented ABAC on child case. Access Control Policy Condition has 2 conditions: first is checking if current operator is the one that is assigned to the case and another is checking if the case has status Resolved-Completed. Once it is resolved it can be accessed by agents. The problem is that the case dependency agent has no access to rest of the children if they are not resolved, so it proceeds as if no more were there.
Now:
What I was thinking: is adding one more condition to make the child case accessible by the dependency agent but unfortunately I am not sure how to check for the agent.
Please see my security conditions attached.
Accepted Solution
Pegasystems Inc.
PL
Thank you all for your suggestions.
There was indeed a declare trigger on pyStatusWork property.
The only thing I needed to do was adding a when condition to declare trigger, that was checking if pyWorkCover.pxCoveredCountOpen == 0
This needs some more testing but it seems to work.
Pegasystems Inc.
US
There is a When rule called inBatchRequestor in Pega 7.3.1 (I didn't check other versions). It would let you check if it was a batch requestor doing the processing. That may not meet your requirements though as it would be any batch requestor, not a specific agent.
Pegasystems Inc.
US
Case dependency fulfillment is not always triggered through agents. It is first processed through a declare trigger which gets triggered when the status on case changes, so it runs in the context of the current user. If for some reason if the trigger cannot process the change, it gets queued up for the agent to pick up at a later time.
One approach I can think of is to use UI based security model instead of access whens. UI is updated to hide the case data if the user does not have the access. This way the case dependency will have no access issues.
Accepted Solution
Pegasystems Inc.
PL
Thank you all for your suggestions.
There was indeed a declare trigger on pyStatusWork property.
The only thing I needed to do was adding a when condition to declare trigger, that was checking if pyWorkCover.pxCoveredCountOpen == 0
This needs some more testing but it seems to work.