Understanding Discovery features for access control policies
Access control policies support discovery features that allow users to view limited, customizable information about class instances that fail read policies but satisfy discover policies. Users cannot open or interact with the discoverable instances, but they can see that the instances exist and they can evaluate whether they might need access to certain instances.
To make discovery features available to users, the pyIsDiscoveryEnabledForOperator Access When rule must evaluate to true. These features apply to instances of Work- and Data- classes when data is retrieved from the Pega database, but apply only to instances of Work- classes when data is retrieved from the search index.
The following Discovery gadgets, which are section rules, support discovery features:
- pxDiscoverableItems – This section displays discoverable instances for report definitions. By default, this section is included in the Report Viewer when it displays results for list reports. This section can be displayed in the results for summarized reports if you set the dynamic system setting DiscoverableItemsIncludedForSummaryReport to true.
- pxDiscoverableSearchItems – This section displays discoverable class instances for search. By default, this section is included when search results are displayed.
The Discover gadget is shown in the Report Viewer or in search when all of the following are true:
- Read policies are in force for at least one of the classes involved (either defined on the class or inherited by it), and there are policy conditions for those policies (the policy conditions do not have empty filter logic strings).
- Discovery policies are in force for at least one of the classes that also have Read policies, and there are policy conditions for those policies.
- The number of instances that fail the Read policies but satisfy the Discovery policies is greater than zero.
Each of the Discovery gadgets displays a link with the number of class instances for the report or search that fail read policies but meet discover policies for the user. Users can view a list of the discoverable instances by clicking the link. The information that is shown for these instances is determined by the pyDefaultDiscoverableReport report definition rule for a class.
Developers can customize these sections to change their labels and behavior. You can also include these sections in other parts of an application’s user interface. For example, you can include the pxDiscoverableItems section above a list control that is populated by a report definition.
Previous topic Verifying access control policies Next topic Customizing of Discovery gadgets