Access Manager landing page

Launch the Access Manager landing page by selecting the > Org & Security > Access Manager menu item.

The following tabs are available on this landing page:

Work & Process
Tools
Privileges

To use Access Manager, you must be logged in as an operator associated with an access group containing the PegaRULES:SecurityAdministrator or PegaRULE:BasicSecurityAdministrator role. If you have the latter role, you do not see the Tools tab.

Access Manager enables you to view and authorize operator access to case types, data, and tools in your applications. The Work & Process tab shows authorization for case types and the actions users can perform on them (for example, open, run reports, perform assignments), plus process flows and flow actions. On the Tools tab, you can manage access to built-in and custom application tools.

Use Access Manager to determine and define the access users have to items in the display. When you select an access group, the left column shows the level of authorization users have to the item: full access (), no access ( ), or conditional access ().

It's important to remember that in PRPC, authorizations are typically granted based on a user's access group, not the role. The most permissive role in the access group determines the level of authorization for the access group. (Note an exception: If an Access-Deny rule has been applied to a role, that role and all other users in the access group are denied access to instances of the class.) The aggregate security level is visible in Access Manager as the icon to the left of the item to be secured.

Consider Access Manager a view to your security model, rather than a means to construct it. Create access roles and access groups, and define privileges independently of Access Manager.

Work & Process tab

Work and process elements in the display are grouped by case type (work class). For each class, Access Manager displays operations on instances of the class that can be secured:

Open - operator can view and open (work on) instances of the class.
Run Reports - operator can run reports that reference instances of the class.
Modify - operator can edit and save instances of the class.
Delete - operator can delete instances of the class.
View History - operator can view instances of the History-[classname] class.
Perform Assignments - operator can access and work on instances of the class assigned to other operators.

Additionally, Access Manager displays:

Process Flows - operator can run all flow rules "touched" by rules in your application; they may not necessarily be in your application's RuleSet.
Flow Actions - operator can perform all flow actions used by rules in your application.

The tab displays the following fields and clickable items:

Field	Description
Application	To filter the list to display case types (or tools on the Tools tab) for one or more applications in the Access Manager, click Applications and select the desired application(s).
Access Group	Select the access group from the menu, or select All Access Groups. Access Manager displays the Single Access Group display or the All Access Groups display.
Export authorizations	Click to generate a report of your application security model. The report shows all case type items expanded. See PDN article Generating Work & Process application authorization settings documentation.
[refresh]	Click to refresh the Access Manager display.
[Case type name]	Click to display the class rule form in a new tab.
[Role name]	In single access group display, click to display a list of Access of Role to Object rules for this role. Double-click an item to open the rule form. Authorization settings made in Access Manager for Access Controls (user operations) show a zero for no access, 5 for full access, and an Access-When rule for conditional permission.
[Access group name]	In all access groups display, click to display the access group rule form.

For more information, see Access Manager — Authorizing Work & Process items.

Tools tab

The Tools tab displays tools you can secure, in two categories:

User & manager: control access to a limited set of tools for operations like adding words to the spell check dictionary.
Administrative & development: control access to developer tools for system-related tasks like tracer options, or purge and archive.

The tab displays the following fields and clickable items:

Field	Description
Application	To filter the list to display case types (or tools on the Tools tab) for one or more applications in the Access Manager, click Applications and select the desired application(s).
Access Group	Select the access group from the menu, or select All Access Groups. Access Manager shows either the Single Access Group display or the All Access Groups display.
[refresh]	Click to refresh the Access Manager display.
[Role name]	In single access group display, click to display a list of Access of Role to Object rules for this role. Double-click an item in that list to open the rule form. Authorization settings made in Access Manager for Access Controls (user operations) show a zero for no access, 5 for full access, and an Access-When rule for conditional permission.
[Access group name]	In all access groups display, click to display the access group rule form.

For more information, see Access Manager — Authorizing Tools.

Privileges tab

On the Privileges tab you can create, review, and modify privileges for users with different roles to access specific case and data types.

Select the type of class

Select either Case type or Data type. your choice here affects your options in the next row.

Select a role and a class or data type.

In the Role field, select a user role from the options available. Clear the field and click the down arrow to see a list of all available roles.
The second field is where you select a Class type or Data type, depending on the type of class you chose. Click the down arrow to see all the available types.

Check the Show inherited privileges checkbox to display privileges the role inherits .

Review the and modify the privileges for the role

The grid displays the privileges associated with the selected role for the selected class. For each grid entry the following information displays:

Privilege name - the name of the privilege.
Description - any available description.
Usage - any notes on what a user having this privilege can do.
Access - icons indicate whether the access is full, conditional or none.

To add a privilege, click the + icon below the grid display. In the form that appears, select the privilege from the available options, and set the access to Full, Conditional, or None. Click OK to add the privilege to the role for the selected case or data type; Click Cancel to close the form without adding a privilege.

Click the X icon at the right of the privilege to remove it for the selected class from the selected role.