Access Manager — Authorizing Work & Process items

To access the Work & Process tab, click Designer Studio > Org & Security > Access Manager > Work & Process.

Your access group should provide Full or Conditional Access to the “AccessManager: change authorizations” tool in order to edit authorization settings in Access Manager, and Full or Conditional Access to the “AccessManager: view authorizations” tool to view settings in Access Manager. See Access Manager — Authorizing Tools.

This landing page includes an Application selector that enables you to limit results to one or more applications, if available, for processing. Click Application and select or deselect applications, and click Apply.

About the Work & Process tab

The Access Manager's Work & Process tab gives you a quick look at who can do what in your application. It displays a grid of case types (work classes) followed by user operations (open, modify, perform other users' assignments, etc.) on cases that you can secure with Access Manager. The display also includes flows and flow actions. Access Manager displays authorization settings for the access group of the current operator.

When case type items are expanded, icons indicate full access , no access , or conditional access.

Access Manager can alert you to areas in your business processes that need tighter restrictions. You can view and edit authorizations for users in an access group, or view displays of authorizations for all access groups.

Authorizations are granted based on a user's access group, not the role. The most permissive role in the access group determines the level of authorization for the access group. To the left of each case type item, Access Manager displays an icon indicating the most permissive authorization for each user action on cases of that type.

User operations on cases

You can modify access for the following user operations on instances of the expanded case type (work class):

• Open - operator can view and open (work on) cases of this type.
• Run Reports - operator can run reports that reference cases of this type.
• Modify - operator can edit and save cases of this type.
• Delete - operator can delete cases of this type.
• View History - operator can view cases in the History-[classname] of this type.
• Perform (Assignments) - operator can access and work on cases of this type assigned to other operators.

Additionally, Access Manager displays, if defined for the case type:

• Process Flows - operator can access the flow.
• Flow Actions - operator can view and click items in an Action menu.

Single Access Group display

To view authorizations for case type items - single access group

You can click Export authorizations to generate a report showing an expanded view of all settings for the access group and its roles.

1. If you want to view settings for an access group other than your own, select it in the Access Group field.
2. In the Case Types column, click the arrow to the left of a case type to expand the display. (Expand Process Flows or Flow Actions the same way.) Access Manager displays one of the following icons to the left of the item, indicating:
• Operators in this access group have full access to this action, flow, or flow action in the case type.
• Operators in this access group have no access to this action, flow, or flow action in the case type.
• There is some combination of conditional and possibly no access among operators in the access group.

For example, if the case type is Purchase Order, a next to the user action Run Reports indicates all users in the selected access group can run reports on case in the Purchase Order class. This is because one role has full access, which extends to all operators in the access group.

You can click a case type name to view its class definition.

To edit authorizations for case type items - single access group

Note: You cannot edit standard Pega 7 Platform roles.

1. If you want to view settings for an access group other than your own, select it in the Access Group field.
2. In the Case Types column, click the arrow to the left of a case type to expand the display.
3. In the column for the access role to be authorized, click the icon and select one of the following for the desired case type user action, flow, or flow action:
   

• Full Access to grant operators with this role (as well as all other operators in the selected access group) full access to the item.
• No Access to deny operators with this role access to the item.
• Conditional to grant access to the item based on an Access When condition. The system displays a field below the Conditional button. Select an Access When condition under which an operator in the access group can access the item.
  For authorizing access to assignments among members of an organization, Access Manager supplies standard Access-When rules. See Standard Access When rules.
  

About Authorizing Process Flows and Flow Actions

Access Manager displays all flows and flow actions defined for each case type in the selected application(s). You authorize operator access to process flows and flow actions the same way you authorize access to user actions on cases.

Unlike authorization settings for user actions on a case type, settings for process flows and flow actions have no effect on the aggregate authorization value for an access group.

Note: To edit flows and flow actions, their containing RuleSet must be unlocked.

To view authorizations for case type flows and flow actions- single access group

1. If you want to view settings for an access group other than your own, select it in the Access Group field.
2. In the Case Types column, click the arrow to the left of a case type to expand the display. Click the arrow next to Process Flows or Flow Actions to expand the list. Access Manager displays one of the following icons to the left of the item, indicating:
• Operators in this access group have full access to the process flow or flow action in the case type.
• Operators in this access group have no access to the process flow or flow action in the case type.
• There is some combination of conditional and possibly no access to this flow or flow action among operators in the access group.

To edit authorizations for process flows or flow actions - single access group

Your access group should provide Full or Conditional Access to the “AccessManager: change authorizations” tool in order to edit authorization settings in Access Manager.

1. If you want to view settings for an access group other than your own, select it in the Access Group field.
2. In the Case Types column, click the arrow to the left of a case type to expand the display.
3. In the column for the access role to be authorized, click the icon and select one of the following for the desired case type user action, flow, or flow action:
   

• Full Access to grant operators with this role (as well as all other operators in the selected access group) full access to the item.
• No Access to deny operators with this role access to the item.
• Conditional to grant access to the item based on an Access When condition. The system displays a field below the Conditional button. Select an Access When condition under which an operator in the access group can access the item.
  For authorizing access to assignments among members of an organization, Access Manager supplies standard Access-When rules. See Standard Access When rules.

All Access Groups view

To view authorizations for case type items - all access groups

You can click Export authorizations in All Access Groups view to generate a report showing an expanded view of all settings for all access groups defined for the application.

You cannot modify authorizations when viewing all access groups. The display is intended to show you only whether all operators in each access group are fully authorized to perform every user action on cases of a case type (), or all are denied authorization for every user action () -- or whether there is some mix of authorizations among the user actions (). Refer to the example below.

Note: Settings for process flows and flow actions have no effect on the aggregate authorization value for an access group.

1. In the Access Group field, select All Access Groups.
   
   Here is an example showing the unexpanded display:
   
   In the example above, the display indicates the following access to user actions on cases of case type Vendor Maintenance:
   
• All operators in this access group can perform all the listed user actions on cases of that case type. Members of the PurchaseFW:Administrators access group can perform all user actions on Vendor Maintenance cases.
• No operators in this access group can perform any of the user actions on cases of that case type. No members of the Purchase Managers access group can perform any user actions on Vendor Maintenance cases.
• Operators in this access group can perform some of the user actions for that case type but cannot perform other user actions. Members of PurchaseFW:AccountsPayable can open Vendor Maintenance cases but cannot delete them.
  

You can expand the view to see authorization for each user action:

To continue the example, say you want to investigate authorizations for View History by members of the PurchaseFW:ShippingReceiving access group. To do so, you select it in the Access Group menu then expand the Vendor Maintenance case type to display the setting for View History. The aggregate value of the View History user action is conditional, due to the conditional setting for the Shipping & Receiving role:

	Access Manager — Authorizing Tools, About Access When rules, Customizing the Access Manager Privileges tab.
	About Flows About Flow Actions

Tools — Application

Designer Studio — About Landing Pages

Open topic with navigation