Use this tab to define the work pools associated with this access group, and other settings related to capabilities such as authentication, security, connectivity, and accessibility for users or other requestors who reference this access group.
Field |
Description |
Name |
Lists the classes that are marked as You can enter any class group for which the container class (the Rule-Obj-Class instance with the same name as the class group) belongs to a ruleset listed in the Production RuleSets array or available to users through application rules. This restriction ensures that the rules of the application (in addition to the case types) are available to users associated with this access group. As a best practice, select the radio button on the class group that contains the case types in which users associated with this access group most often create cases. This selection determines the default work pool that appears on the top of the Application Explorer tree when you open an application. The names (the class rule Short Description text) of the workpools listed here appear in the Application menu Switch Workpool list. If you leave this array blank:
Work pool names appear on this Work Pool Selector list in the order that the corresponding work pools are listed here. If this array contains more than a few, consider reordering them to present the work pool names alphabetically, or in another order meaningful to users. Leave blank if users who enter new cases and are associated with this access group use a composite portal that includes the standard section @baseclass.NewWork. The cases that such users can enter appear on the Cases and Data tab of the Application rule, not here. See How to create a composite portal. For users of the traditional WorkUser or WorkManager portal rules, this list determines the set of work pool names that appear in the Work Pool Selector (typically visible below the logo in the navigation panel) and the work types that appear in the selection list of the New.. box. The names appear in the order that the work pools are listed. For example, if you designate the PegaSample class group as default, the corresponding work pool name is Sample Work. When a user (at a traditional portal) associated with this access group enters new work items, the available work types are those from classes (work types) in the designated class group (work pool). |
Field |
Description |
Authentication timeout |
Enter a number of seconds after which the system challenges idle browser sessions (for users of this access group), asking users to re-enter their Operator ID and password. This timeout event does not cause session context or clipboard contents to be lost. If users respond to the challenge and are re-authenticated, they can usually continue processing where they left off, unless the system released locks they held in the meantime, or the system was stopped and restarted. Note: This authentication timeout is not related to the |
HTTP/HTTPS home directory |
Typically, accept the default of If you have changed the name of this directory, enter the new directory name here. |
Rule security mode |
This setting determines whether and how the system executes rules accessed by members of this access group. In Pega 7, rules can be made to require privileges in two ways:
Allow is the default, recommended setting. Deny is the strictest setting and requires creating privileges for rules and access roles. Warn mode should be used only when you want to identify rules for which users need generated privileges to execute. You can then use the Pega 7 activity to generate missing privileges and add them to roles where needed. See PDN article Setting role privileges automatically for access group Deny mode. Select one of these options:
Best practice is to use Allow mode for Rule Security Mode, and use the Access Manager to configure authorization for rules. When more specific security is needed for an individual rule, specify a privilege for the rule. See Access of Role to Object form - Completing the Privileges tab. If you want to specify privileges for all rules and users, and you have sufficient time and resources to perform a system-wide exercise including all expected users, see the PDN article Setting role privileges automatically for access group Deny mode. |
Field |
Description |
Enable accessibility add-on | Select to cause users associated with this access group to see more-accessible versions of several standard harness, section, and flow actions rather than the normal standard versions. To provide maximum accessibility support, also include the PegaWAI ruleset in the Production RuleSets list for such users. See Understanding accessibility. |
Enable offline support | Enables offline support for all users of the access group in mobile apps running with Pega Mobile Client. See Offline capability and PDN article How to configure offline capability for mobile applicationto learn more. |
Force full sync for all users |
This option is used by offline enabled mobile applications. Clicking this button forces a full data sync operation for all users of the mobile app the next time that they synchronize with the server. If it has already been done at least once, the date time stamp of when last full data sync operation has occurred displays underneath this button. When you click this button, you must also click Submit in the opened window to confirm. |
Production RuleSets |
Optional. Enter production rulesets and versions specific to this access group. For example, in a production setting, you can identify one ruleset and version that remains unlocked and holds only rules expected to be changed often. Such rules may be delegated to management. A rulesetwith this purpose is sometimes called a local-only or production ruleset. Caution: Leave blank except for developers and others who modify rules. While your profile includes the ruleset versions listed here, they are not considered part of the current application. Rules in the ruleset versions listed here may not be visible in the Application Explorer, Guardrails tool, or Document wizard facilities. As a best practice for good security — and to avoid a warning when you save the Access Group form, select from the ruleset versions that appear in the Production RuleSets array on the Definition tab of the application rule. The system uses this information at log-on time to assemble the ruleset list for this user. The order of your entries in this array affects rule resolution. At login, the system appends these entries to the top of your ruleset list, but starting at the bottom of this array. The order of rows in this array becomes the order they appear in the ruleset list. For example, if during sign-on this access group is accessed when the (partial) ruleset list contains Alpha:01, Beta:02, and Gamma:03 (in that order), and this array contains Red:07, Blue:08, and Green:09 (in that order), the result is Red:07, Blue:08, Green:09, Alpha:01, Beta:02, Gamma:03. You can include a full version number or an initial portion of a version number. Separate the ruleset name from the version (or partial version) with a colon, as in:
Except for users who have the PegaRULES:WorkUser4 role, include at least one ruleset version that is not locked. If all ruleset versions that a user can access are locked, that user cannot create new rules. (Typically, managers have access to a local customization ruleset for storing only those rules that are personal customized versions of list view or summary view reports.) Note: List distinct rulesets here. A user or other requestor can access rules in only one major version of a ruleset ; access to version 04-10-15 includes access to 04-10-14 and 04-04-11, but not to 03-01-01 or 02-15-07. To reorder the rows of this array, hold the mouse pointer over a number. Click and drag to another row. To duplicate or move a row, hold the mouse pointer over a number. Or, right-click to access a menu with Cut, Copy, and Insert options. |
Leave these fields blank for an access group that supports logging on to Pega 7 from external systems, or that supports workers or managers who never create rules.
Field |
Description |
Default destination ruleset |
Optional. Select a ruleset from those listed in the Production RuleSets array or from those listed in application that the system suggests as a destination ruleset when users associated with this access groups create a rule.
When a user associated with this access group uses the New or Save As buttons to create a rule, the system suggests this ruleset for the new rule. If you leave this field blank, the Save As form uses the ruleset of the existing rule being saved as the default ruleset for the new rule, if a version that is unlocked is available to you. |
Version | Optional. Required if rulesetis not blank. Enter the ruleset version (for the ruleset identified in the previous field) that requestor associated with this access group usually add rules into. During New operations (and certain Save As operations). this version appears as the default ruleset version. |