Question

Chunzhi Hong (Chunzhi_Hong)
Consulting Manager, Pega Consulting
Pegasystems Inc.
Posted: 13 May 2016 5:04 EDT
Last activity: 16 May 2016 8:25 EDT
Closed
Solved

7.2 How to restrict access to specific Data class

Requirement:

There is a data table that contains sensitive information, and access to the data table should be granted per access role.

At first glance, it looks simple enough to implement the requirement by creating an ARO which gives access (Read instance=5) to the specific data class and granting the ARO to the desired Access Groups.

However, it turns out that even users who belong to an Access Group that doesn't have the ARO can still open records of the data table.

It seems that the OOTB ARO defined on the "Data-" class plays a role here; below are my test results.

| Access Group | Granted AROs | Expected | Test Result |
| --- | --- | --- | --- |
| MyApp:Managers | "Data-" (Read instance=5) | Can open any records of any data class that inherits from "Data-" class. | As expected. |
| MyApp:Workers | "Data-" (Read instance=5); "Data-Sensitive" (Read instance=0) | Can open any records of any data class that inherits from "Data-" class, except "Data-Sensitive". | Can open any records of "Data-Sensitive" class. |
| MyApp:Visitors | "Data-" (Read instance=0) | Can NOT open any records of any data class that inherits from "Data-" class. | As expected. Can open any records of "Data-Sensitive" class. |

Message was edited by: Chunzhi Hong

Updated Test Result of "MyApp:Visitors"
