Restrict database schema changes by setting privileges
To control automatic schema changes in your database, edit the AutoDBSchemaChanges dynamic system setting and associated privileges.
By default, if the current operator has the PegaRULES:SysAdm4 access role, Pega Platform™ makes automatic changes in the database schema to support the following features:
- Creating dedicated tables and class maps: When you create a concrete class inherited from Work-, Data-, History-, or Index-, either from the rule form or when using Direct Capture of Objectives, Pega automatically creates a dedicated table and maps the class to the table.
- Creating and populating exposed columns: The Property Optimization tool in Dev Studio creates and populates an exposed column for that property.
- Automatically applying schema changes in archives: SQL files containing schema changes may be included in import archives. These changes can be applied automatically during the import.
- Optimizing schemas to improve system performance: The Optimize Schema tool identifies database optimizations that could improve the system performance, database size or other resource use. Pega automatically applies these optimizations.
- Using the Upgrade Applications Schema landing page.
Prior to release 7.4, these features are all disabled by default if the system production level is 3 or higher. To permit these features in a production-level system, you must change the corresponding privileges in the Access of Role to Object rule for SysAdmin4.
If your site does not allow direct changes to the database schema without database administrator (DBA) approval, or to limit changes to the database late in the development cycle, change the following settings:
- To disable all these features at the system level, set the dynamic system setting database/AutoDBSchemaChanges to false. This makes all these features unavailable for all the roles and users in the system.
- To control access to individual features, set the dynamic system setting database/AutoDBSchemaChanges to true and remove specific privileges from your version of the SysAdm4 role. The table below summarizes the privileges associated with each feature.
Tool | Function or Control | Settings | Behavior |
---|---|---|---|
Application Explorer - Property list | Optimize for Reporting | The access group has the SchemaPropertyOptimization privilege and the dynamic system setting database/autoDBSchemaChanges is true | The Optimize for reporting option is available and the status of population jobs is visible. |
Import Wizard | Schema step - View/Download SQL DDL | The access group has the ViewSchemaOnImport privilege | User can view and download DDL |
Import Wizard | Schema step - Automatically run Upgrade Application Schema | The access group has the SchemaImport privilege and the dynamic system setting database/autoDBSchemaChanges is true | Users can automatically apply the DDL. |
Import Wizard | Hide schema step page | The access group has the SchemaImport privilege and the access group does not have the ViewSchemaOnImport privilege | The Import Wizard does not display the Schema step page and the schema import happens automatically. |
Import Wizard | Automatically populate columns after import | The access group has the SchemaPropertyOptimization privilege | The user can select the feature to automatically populate columns. |
Import from REST service or command line | Apply schema changes | The access group has the SchemaImport privilege and the dynamic system setting database/autoDBSchemaChanges is true | The schema changes are applied automatically. |
Import from REST service or command line | Apply schema changes | The access group does not have the SchemaImport privilege or the dynamic system setting database/autoDBSchemaChanges is false | The schema changes are not applied and the failure response indicates the reason for failure. |
Modify Schema | Modify schema, Expose properties | The access group has the ViewAndOptimizeSchema privilege and the dynamic system setting database/autoDBSchemaChanges is true | The user can view the landing page and process updates. |
New Application wizard, Import wizard, Class rule form | New class or new class group | The access group has the SchemaTableCreation privilege | Pega Platform automatically creates a table for new classes or class groups that inherit from Work-, Data-, or History-. |
Optimize Schema | Proceed with Changes | The access group has the ViewAndOptimizeSchema privilege and the dynamic system setting database/autoDBSchemaChanges is true | The user can view database schema suggestions and apply changes. |
Upgrade Application Schema | Apply schema | The dynamic system setting database/autoDBSchemaChanges is true | Pega Platform queues jobs to apply schema changes. |
Upgrade Application Schema | View and download schema | (none) | The user always has permission to view the Upgrade Application Schema landing page and to download DDL. |
Upgrade Applications Schema | Upgrade Applications Schema | The dynamic system setting database/AutoDBSchemaChanges is true | After upgrade, port recommended schema changes to previously auto-generated tables. |