Question

How to pass dynamically set Access Roles to standard agent task?

Hello everyone!

We have the following situation:

  • There is only one Access group, "Users", for business users in the application, with one Access role in it.
  • When a user logs into Pega, we dynamically add Access roles, similar to this article - https://community.pega.com/knowledgebase/articles/how-dynamically-add-roles-during-user-authentication
  • So the user, for example, has two roles at runtime.
  • The user performs some actions that lead to queueing an agent task. The agent has standard mode.
  • The agent uses the user's Access group to process the task. But it has only the one original role and doesn't have any dynamically added roles.

The problem here is the lack of access to the classes described in the second role (dynamically set).

If the agent tries to do something that the second role can do but the first role can't, it will fail.

What is the best practice here?

***Edited by Moderator Marissa to update platform capability tags****

Comments

April 25, 2019 - 2:21am

Any ideas?

Finally we've created a separate access group for agents with admin rights.

And when we create a task for the agent, we change pyAccessGroup so the task will be processed under our new access group, not under the user's access group.

September 17, 2019 - 7:28am
Response to Fedotochkin Ilya

@Fedotochkin Ilya, how about the following approach:

  1. Customize the queue table to add an extra column (property).
  2. When the queue entry is created during case processing, can we write the roles added during run time to this column?
  3. When the agent picks up the entry for execution, use the roles list that was saved above to dynamically add them before execution.

Though the above is in theory; I have not attempted the same. Did you consider this approach?

July 18, 2019 - 2:23pm

Hello,

I'm not sure I completely follow. You want to use a similar method, but the context of the requestor doesn't have access to the classes you need? Definitely, you need to start in an access group with the fundamental classes of your application. I would caution against giving it administrator privileges for security reasons. I would create a stripped down access group that has your application/rulesets in it, so that the classes are available and then go from there.

Thanks,
Mike