Access Group form
Completing the Advanced tab

  1. About 
  2. New 
  3. Definition 
  4. Advanced 
  5. Operators 
  6. History 
  7. More... 

Use this tab to define the work pools associated with this access group, and other settings related to capabilities such as authentication, security, connectivity, and accessibility for users or other requestors who reference this access group.

Work Pools

Field

Description

Name

SmartPrompt Lists the classes that are marked as Is a Class Group (on the rule form's General tab) for each work pool in which users associated with this access group are permitted to create cases. Each such class defines a work pool, a named collection of case types.

You can enter any class group for which the container class (the Rule-Obj-Class instance with the same name as the class group) belongs to a ruleset listed in the Production RuleSets array or available to users through application rules. This restriction ensures that the rules of the application (in addition to the case types) are available to users associated with this access group.

As a best practice, select the radio button on the class group that contains the case types in which users associated with this access group most often create cases. This selection determines the default work pool that appears on the top of the Application Explorer tree when you open an application.

The names (the class rule Short Description text) of the workpools listed here appear in the Application menu Switch Workpool list.

If you leave this array blank:

  • When you open an application, the Application Explorer class auto-complete field is empty; no classes appear in the tree.
  • Operators associated with this access group cannot create cases. However, the array does not affect which cases the operator can update, only which types of cases the operator can create. The assignments the operator can open and update is determined by access roles and ruleset lists, not by the work pools.

Work pool names appear on this Work Pool Selector list in the order that the corresponding work pools are listed here. If this array contains more than a few, consider reordering them to present the work pool names alphabetically, or in another order meaningful to users.

Leave blank if users who enter new cases and are associated with this access group use a composite portal that includes the standard section @baseclass.NewWork. The cases that such users can enter appear on the Cases and Data tab of the Application rule, not here. See How to create a composite portal.

For users of the traditional WorkUser or WorkManager portal rules, this list determines the set of work pool names that appear in the Work Pool Selector (typically visible below the logo in the navigation panel) and the work types that appear in the selection list of the New.. box. The names appear in the order that the work pools are listed.

For example, if you designate the PegaSample class group as default, the corresponding work pool name is Sample Work.

When a user (at a traditional portal) associated with this access group enters new work items, the available work types are those from classes (work types) in the designated class group (work pool).

Access Control

Field

Description

Authentication timeout

Enter a number of seconds after which the system challenges idle browser sessions (for users of this access group), asking users to re-enter their Operator ID and password. This timeout event does not cause session context or clipboard contents to be lost.

If users respond to the challenge and are re-authenticated, they can usually continue processing where they left off, unless the system released locks they held in the meantime, or the system was stopped and restarted.

Note: This authentication timeout is not related to the timeout/browser value in the prconfig.xml file or Dynamic System Settings, which controls when passivation occurs. See timeouts.

HTTP/HTTPS home directory

Typically, accept the default of /webwb. Directories within this directory hold important static XML forms, JavaScripts, style sheets, and images.

If you have changed the name of this directory, enter the new directory name here.

Rule security mode

This setting determines whether and how the system executes rules accessed by members of this access group.

In Pega 7, rules can be made to require privileges in two ways:

  • By an administrator explicitly editing the rule's Security tab (where such a tab is available).
  • By a Pega 7 activity, pyRuleExecutionMessagesLogged, that automatically generates privileges and adds them to roles that access rules that require privileges.

Allow is the default, recommended setting. Deny is the strictest setting and requires creating privileges for rules and access roles.

Warn mode should be used only when you want to identify rules for which users need generated privileges to execute. You can then use the Pega 7 activity to generate missing privileges and add them to roles where needed. See PDN article Setting role privileges automatically for access group Deny mode.

Select one of these options:

  • Allow [default] - The system allows users in this access group to execute a rule which has no privilege defined, or to execute a privileged rule for which the user has the appropriate privilege. (This includes privileges predefined for standard roles, set by an administrator, or generated by Pega 7.) This is the default and recommended setting.
  • Deny - The system checks for either of these conditions:
    • A privilege has been specified for the rule: The system checks whether the user has either an explicit privilege, or a generated privilege for the rule. If the user has either privilege, the system executes the rule. If the user has neither privilege, the system denies execution of the rule and logs an error message in the PegaRULES log.
    • No privilege has been specified for the rule: The system checks whether the user has the generated privilege. If the user lacks the generated privilege, the system denies execution and writes an error message to the PegaRULES log.
  • Warn- The system performs the same checking as in Deny mode, but performs logging only when no privilege has been specified for the rule or the user role:
    • If a privilege has been specified for the rule, the system checks whether the user has either an explicit privilege or a generated privilege for the rule. If the user has neither privilege, the system denies execution of the rule.
    • No privilege has been specified for the rule: The system checks whether the user has the generated privilege. If the user lacks the generated privilege, the system allows execution and writes a warning message to the PegaRULES log.

      Warning messages are used to generate privileges with pyRuleExecutionMessagesLogged.

Best practice is to use Allow mode for Rule Security Mode, and use the Access Manager to configure authorization for rules. When more specific security is needed for an individual rule, specify a privilege for the rule. See Access of Role to Object form - Completing the Privileges tab. If you want to specify privileges for all rules and users, and you have sufficient time and resources to perform a system-wide exercise including all expected users, see the PDN article Setting role privileges automatically for access group Deny mode.

Runtime Configuration

Field

Description

Enable accessibility add-on Select to cause users associated with this access group to see more-accessible versions of several standard harness, section, and flow actions rather than the normal standard versions. To provide maximum accessibility support, also include the PegaWAI ruleset in the Production RuleSets list for such users. See Understanding accessibility.
Enable offline support Enables offline support for all users of the access group in mobile apps running with Pega Mobile Client. See Offline capability and PDN article How to configure offline capability for mobile applicationto learn more.
Force full sync for all users

This option is used by offline enabled mobile applications. Clicking this button forces a full data sync operation for all users of the mobile app the next time that they synchronize with the server. If it has already been done at least once, the date time stamp of when last full data sync operation has occurred displays underneath this button. When you click this button, you must also click Submit in the opened window to confirm.

Production RuleSets

Optional. Enter production rulesets and versions specific to this access group. For example, in a production setting, you can identify one ruleset and version that remains unlocked and holds only rules expected to be changed often. Such rules may be delegated to management. A rulesetwith this purpose is sometimes called a local-only or production ruleset.

Caution: Leave blank except for developers and others who modify rules. While your profile includes the ruleset versions listed here, they are not considered part of the current application. Rules in the ruleset versions listed here may not be visible in the Application Explorer, Guardrails tool, or Document wizard facilities.

As a best practice for good security — and to avoid a warning when you save the Access Group form, select from the ruleset versions that appear in the Production RuleSets array on the Definition tab of the application rule.

The system uses this information at log-on time to assemble the ruleset list for this user. The order of your entries in this array affects rule resolution. At login, the system appends these entries to the top of your ruleset list, but starting at the bottom of this array. The order of rows in this array becomes the order they appear in the ruleset list.

For example, if during sign-on this access group is accessed when the (partial) ruleset list contains Alpha:01, Beta:02, and Gamma:03 (in that order), and this array contains Red:07, Blue:08, and Green:09 (in that order), the result is Red:07, Blue:08, Green:09, Alpha:01, Beta:02, Gamma:03.

You can include a full version number or an initial portion of a version number. Separate the ruleset name from the version (or partial version) with a colon, as in:

  • MORTGAGE:02-07 — Initial portion (major and minor version)
  • MORTGAGE:02-07-20 — Full version number

Except for users who have the PegaRULES:WorkUser4 role, include at least one ruleset version that is not locked. If all ruleset versions that a user can access are locked, that user cannot create new rules. (Typically, managers have access to a local customization ruleset for storing only those rules that are personal customized versions of list view or summary view reports.)

Note: List distinct rulesets here. A user or other requestor can access rules in only one major version of a ruleset ; access to version 04-10-15 includes access to 04-10-14 and 04-04-11, but not to 03-01-01 or 02-15-07.

To reorder the rows of this array, hold the mouse pointer over a number. Click and drag to another row. To duplicate or move a row, hold the mouse pointer over a number. Or, right-click to access a menu with Cut, Copy, and Insert options.

Design Time Configuration

Leave these fields blank for an access group that supports logging on to Pega 7 from external systems, or that supports workers or managers who never create rules.

Field

Description

Default destination ruleset

SmartPromptOptional. Select a ruleset from those listed in the Production RuleSets array or from those listed in application that the system suggests as a destination ruleset when users associated with this access groups create a rule.

  • If this access group is to support application developers — users who can create rules — select a ruleset that the developers usually work in and add rules to.
  • For managers who are to create and customize reports, select a ruleset that is not intended to be moved to other Pega 7 systems. See Using the Report Browser
  • For language specialists involved in internationalization, select a language-specific ruleset.

When a user associated with this access group uses the New or Save As buttons to create a rule, the system suggests this ruleset for the new rule.

If you leave this field blank, the Save As form uses the ruleset of the existing rule being saved as the default ruleset for the new rule, if a version that is unlocked is available to you.

Version Optional. Required if rulesetis not blank. Enter the ruleset version (for the ruleset identified in the previous field) that requestor associated with this access group usually add rules into. During New operations (and certain Save As operations). this version appears as the default ruleset version.

Up About Access Group data instances