Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Advanced settings for access roles

Updated on June 30, 2021

Access roles define the classes that a user can view, update, and delete through the Access of Role to Object and Access Deny rule types. Access roles are critical for ensuring valid authentication in an application. The access roles that a user holds defines what they can and cannot due in an application. For example, a manager access role allows managers to reopen closed cases, whereas those with the case manager role cannot reopen cases.

An access role is different from a work party role, which defines the types of parties that can appear in work items.

Use an access role name to grant permissions to users. Requestor type instances and access group instances can reference access roles. Pega Platform provides built-in access roles, with names starting with PegaRULES:, for a variety of users:

  • Guests
  • Authenticated work users
  • Administrators
  • Developers

An access role is an instance of the Rule-Access-Role-Name rule type.

At user log in, the system assembles a set of roles for the user based on information in the user's requestor instance (Operator ID instance), and the associated access group instance. Access roles associated with a user are important because an access role allows access to features and determines the user's capabilities.

To determine whether the current user has a role, call the standard Boolean function HaveRole():

Lib(Pega-RULES:Default).HaveRole(this, "rolename").

Where referenced

Access role names form the first key part of Access of Role to Object rules (Rule-Access-Role-Obj rule type), and the Access Deny Obj rules (Rule-Access-Deny-Obj rule type). You convey access roles to users through access groups.


Use the Access Roles tab on the Security landing page to view or modify a list of the access roles in your application.

You can access the Access Roles landing page tab in the header of Dev Studio, by clicking ConfigureOrg & SecuritySecurityAccess Roles.

Use the Records Explorer to list all the access roles that are available to you.


Access Role Name rules are instances of the Rule-Access-Role-Name class and are part of the Security category.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us