Privilege inheritance for access roles
Privilege inheritance simplifies the process of defining privileges and access settings that are relevant in multiple classes.
When determining a user’s access rights to a class, Pega Platform searches for Access of Role to Object (Rule-Access-Role-Obj) rules that are relevant to the target class and to the access roles listed in the user’s access group, and considers the privileges and access settings granted or denied in those rules.
Privilege inheritance lets you define access rights within a class hierarchy more easily and economically. When privilege inheritance is enabled within an access role, the search for relevant Access of Role to Object rules begins with the target class where access is requested. If no relevant rule is found that grants or denies access for the role, the search continues for relevant Access of Role to Object rules in the parent class, and continues up the class hierarchy until a relevant rule is found.
Privilege inheritance lets you avoid having to define Access of Role to Object rules at multiple levels of a class hierarchy when the privileges and access settings for a class are the same at multiple levels.
The Inherit privileges within class hierarchy option on a role determines whether privilege inheritance is enabled for that role.
Example
As a security administrator, you need to restrict user access to a feature called NewJob.
To simplify this process, you can:
- Set up the Work-HRApps-NewJob rule so that it is protected by a privilege.
- For the HRApps:Users access role, enable the Inherit privileges within class hierarchy option on the Access Role rule form.
When a user attempts to create a New Job case, the system first checks the current class for a valid access value for that privilege and that user's roles (in other words, it looks for a valid Access of Role to Object rule instance that specifies the privilege).
A valid Access of Role to Object rule instance specifies the privilege with a non-blank access value. The access value determines whether or not the user is granted permission.
If a valid instance is not found in the current class, the system continues searching the class hierarchy until it finds a valid instance. If the search exhausts all possibilities without finding a valid instance, the user is not granted permission.
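The lookup described in this example can be followed step by step with a small simulation. The code below is an added illustration, not Pega Platform code: it walks a constructed class hierarchy from the target class upward, stops at the first Access of Role to Object rule that carries a non-blank value for the privilege, and treats a blank value as "no decision". Only the names Work-HRApps-NewJob, HRApps:Users and the privilege NewJob come from this page; the role HRApps:Guests, the parent classes, the rule contents and the access values are constructed sample data. Two further assumptions are labelled in the comments: an access value is compared as a production level against an assumed system level, and the roles of an access group are treated as additive.

```python
"""Simulation of privilege resolution with and without privilege
inheritance within a class hierarchy (added example, not Pega code)."""

from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed class hierarchy: child class -> parent class.
CLASS_PARENT: Dict[str, Optional[str]] = {
    "Work-HRApps-NewJob": "Work-HRApps-",
    "Work-HRApps-": "Work-",
    "Work-": "@baseclass",
    "@baseclass": None,
}

# Per-role setting of "Inherit privileges within class hierarchy".
# HRApps:Guests is a constructed role with inheritance disabled.
ROLE_INHERITS: Dict[str, bool] = {
    "HRApps:Users": True,
    "HRApps:Guests": False,
}

# Constructed Access of Role to Object rules keyed by (role, class).
# Each maps privilege name -> access value. "" is a blank value, which
# is not a valid instance for that privilege and so does not stop the search.
ARO_RULES: Dict[Tuple[str, str], Dict[str, str]] = {
    ("HRApps:Users", "Work-HRApps-NewJob"): {"NewJob": "", "DeleteJob": "0"},
    ("HRApps:Users", "Work-HRApps-"): {"NewJob": "5"},
    ("HRApps:Guests", "Work-HRApps-"): {"NewJob": "5"},
    ("HRApps:Guests", "Work-"): {"NewJob": "0"},
}


def class_chain(target_class: str) -> Iterator[str]:
    """Yield the target class, then each parent up to the root."""
    cls: Optional[str] = target_class
    while cls is not None:
        yield cls
        cls = CLASS_PARENT.get(cls)


def resolve_privilege(role: str, target_class: str, privilege: str,
                      production_level: int = 1) -> Tuple[bool, Optional[str]]:
    """Return (granted, class_where_decided) for one role.

    With inheritance enabled the search climbs the hierarchy; otherwise only
    the target class is consulted. (False, None) means no valid instance was
    found anywhere, which the page describes as "not granted".
    Assumption: a non-blank value is a production level; "0" denies and a
    value at or above the assumed system production level grants.
    """
    classes: Iterable[str] = (class_chain(target_class)
                              if ROLE_INHERITS.get(role, False)
                              else [target_class])
    for cls in classes:
        rule = ARO_RULES.get((role, cls))
        if rule is None:
            continue                      # no rule for this role at this class
        value = rule.get(privilege, "")
        if value == "":
            continue                      # blank value: keep searching upward
        granted = value != "0" and int(value) >= production_level
        return granted, cls               # first non-blank value decides
    return False, None                    # hierarchy exhausted: deny


def user_has_privilege(roles: List[str], target_class: str, privilege: str,
                       production_level: int = 1) -> bool:
    """Assumption: roles in an access group are additive, so any role that
    grants the privilege is enough."""
    return any(resolve_privilege(r, target_class, privilege, production_level)[0]
               for r in roles)


if __name__ == "__main__":
    for role in ROLE_INHERITS:
        print(role, "NewJob on Work-HRApps-NewJob ->",
              resolve_privilege(role, "Work-HRApps-NewJob", "NewJob"))
    print("HRApps:Users DeleteJob ->",
          resolve_privilege("HRApps:Users", "Work-HRApps-NewJob", "DeleteJob"))
    print("access group [Guests, Users] NewJob ->",
          user_has_privilege(["HRApps:Guests", "HRApps:Users"],
                             "Work-HRApps-NewJob", "NewJob"))
```

Running it shows the three outcomes the page describes: for HRApps:Users the blank value on Work-HRApps-NewJob is skipped and the grant on Work-HRApps- is inherited; for HRApps:Guests, which does not inherit, the absence of a rule on the target class means no permission even though a grant exists one level up; and an explicit "0" on the target class is a valid instance that denies and ends the search immediately.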