AccessGroup instances consolidate a set of roles and portals. While this ensures that users belonging to a particular AG have the same roles and portals, what if we want to restrict access to certain sections on these portals for a subset of users belonging to the same access group?
We shall grant privileges to this subset of users (on the fly) and use them in sections (privilege-based when) to give access; however, we will then have to maintain the user/privilege mapping separately (as the Operator ID instance doesn't have form fields to support privileges. Privileges are mapped in Access Role to Object instances, which are tied to an access role which belongs to the AG).
Right now, we have to duplicate access groups (with the same set of portals) but with different roles (restricting access) if we want to restrict/grant access to a subset of users.
You can assign roles dynamically to an operator using the setRoles function during login. We did it for one of our implementations for a similar requirement, where the operator roles were maintained at the operator level using a separate portal.
Thanks for the update. Yes, we shall add roles/privileges on the fly; however, we have to maintain these separately (outside the Operator ID instance). In your implementation, are these roles stored externally? Are they read from an external system, or did you maintain a separate data table for these roles? As roles are more often associated with operators, it would be better if we had a way to associate the roles directly in the Operator ID record. If this is available, we shall leverage it instead of having to maintain this mapping externally.
The requirements are even broader, as we want to pilot a few functionalities at a few sites for a few auctions. I have written a design to match these expectations and reviewed it with the customer, and they are OK with the same.
Anyway, thanks to everyone who participated in the discussion.
Sorry, I missed your note before. For our implementation, we had an operator maintenance module (portal) to assign roles to operators. The roles were stored as part of the operator profile in a value list. So authentication used to happen in LDAP, and roles for Pega applications were configured in Pega itself.