How to build assignment authority matrix through Work groups

How to define access controls to restrict the assignments based on work groups .

Use case :-System takes approvals from three departments before it gets resolved, Each department is treated as a work group and system should assign the cases dynamically to the users of work group based on work load & availability and it can be done using ToLeveledWorkGroup but how to define authority matrix using work group as mentioned below .

1) L1_WG ( only able to perform cases which are assigned to their team).
2) L2_WG ( Able to work on cases which are assigned to L1_WG & L2_WG but not L3_WG)
3) L3_WG ( Access to L1_WG , L2_WG and L3_WG).

Is there any better solution to implement it without tweaking "CanPerform Access when"/ defining skills .

Pega 7.3.1

***Edited by Moderator Marissa to update platform capability tags****


Keep up to date on this post and subscribe to comments

November 12, 2019 - 7:37pm

Assuming it's only about the instances of Assign-Worklist and not the Assign-WorkBasket, then you utilize the 'perform' privilege to implement such requirement.

If you check canPeform of Assign-Worklist, it grants you access to an Assign-Worklist instance only if assignment is owned by you or you got Perform privilege on work obj class.

Things need to do -

1. Create an access group for each work group as access is different for each group, and access logic is normally defined using access group.

2. Create a Access role specific to each access group.

3. In each access role, conditionally grant Perform privilege to you class of work object. Use a generic Access when to encapsulate your logic. Access when should in turn refer to a decision table or decision tree that will hold the work group specific logic. Decision table/tree will either return true or false.


Hope it helps.

November 13, 2019 - 10:44am
Response to N.SenSharma

Thanks for response .. Is it only option to tweak the access when rule to achieve the scenario ?  , If i'm not wrong then we don't even need to create an Access Groups for each WG as AssignPage hold the work group of assigned user so we can check WG list of operator with assignment user workgroup to validate the access.


November 13, 2019 - 11:29am
Response to Brahmesh@

Well, then the question is how you are planning to perform such check in your application unless you write some custom/additional code to achieve that?

On the other hand, the benefit of doing it through Access role/Privilege is PRPC will enforce that check automatically across the OOTB portal, without any custom code.

A good example will be the assignment list that appears on the OOTB review harness. When the review harness is rendered by PRPC, it automatically perform access check for each of assignment list, and make the assignment url read-only if you lack access to that.

If you're planning to write your own code, you need to take care of that part and everywhere else on portal.

In other words, usage of Access role/privilege will require less work and more maintainable, hence it is the preferred solution, IMO.

November 13, 2019 - 11:55am
Response to N.SenSharma

I completely agree with define the security access through ARO would be better approach..

Just curious to know the exact purpose of having multiple work groups in operator profile if it doesn't support to building autortiy metrics like WB list in operator profile ..

November 13, 2019 - 12:58pm
Response to Brahmesh@

As per this post[1], this is a stub feature at least in 7.2.x version. But, I believe the idea behind this feature, as indicated on the following post, is to grant access to work baskets of multiple work group.

I checked in my v7.4 installation, and found the workbasket list on dashboard is stilled listed based on 'current' work group. So, no OOTB help on this matter.