You can associate one or more roles to an access group. Roles are additive. The more roles that you add to an access group, the more authorization there is. Privileges can be associated with one or more roles.

1. Determine which roles are needed for your application. You can use the Pega Foundation for Healthcare roles as a starting point.
2. Determine if View_Employee_PII and/or View_VIP_PII are needed.
3. Determine which privileges to associate with each role.
4. Associate each role with an access group.

For more information, see Learning about access groups and Managing access roles.

• Step 13: Defining the security model and organization structure