Question

5
Replies
1891
Views
 Sovan Parija (SovanP43)
Larsen & Toubro Infotech Limited

Larsen & Toubro Infotech Limited
IN
SovanP43 Member since 2015 13 posts
Larsen & Toubro Infotech Limited
Posted: January 24, 2018
Last activity: January 29, 2018
Posted: 24 Jan 2018 14:03 EST
Last activity: 29 Jan 2018 12:58 EST
Closed

Access denied for rules.

I'm getting the access denied message in most tracer events. It's not affecting now but not sure when it may throw error. Mostly for flow rules, the event is getting traced. For instance, "Current user is not authorized for privilege 'DeleteAnyAttachment' for Role-Obj-Class XYZ-ABC-DEF-Work-pqr".

Any suggestions as to what might be causing the issue.

Case Management
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 3 years ago
Posted: 25 Jan 2018 12:57 EST
Carissa Wenhardt (CarissaW_GCS)
PEGA
Principal Software Solutions Engineer
Pegasystems Inc.
US

It sounds like the action being performed requires the DeleteAnyAttachment privilege but the access group for that user does not have that privilege. You mentioned the error occurs mostly for flow rules. What was the action being taken when you see the error?
Posted: 3 years ago
Posted: 29 Jan 2018 1:04 EST
Sovan Parija (SovanP43)
Larsen & Toubro Infotech Limited

Larsen & Toubro Infotech Limited
IN

Hi Carissa,


Thanks for the reply Carissa! I'm getting the mentioned issue whenever any flow is referenced through out the case life cycle. Even when an OOTB flow is called, the following event is traced. I presume that the cloning has been done from some access role which doesn't have default privileges. Other than this many @baseclass privileges are also missing.


Can you suggest me the correct access role to clone from for the developer ID so that we don't face these issues? PFA screenshot for reference.


Regards,


Sovan
Posted: 3 years ago
Posted: 29 Jan 2018 12:58 EST
Carissa Wenhardt (CarissaW_GCS)
PEGA
Principal Software Solutions Engineer
Pegasystems Inc.
US

In my test environment, my developer ID is cloned from PegaRULES:SysAdm4. I traced running a flow and see that I also have the Access Denied for 'AM:RULE-OBJ-FLOW:WORK-!PZINTERNALCASEFLOW'. The privilege check can be seen in the java for the Work-.pzInternalCaseFlow flow but I don’t see any access roles that have that privilege. I also still see the internal flow added to my case so it did not prevent the flow from running. Maybe someone else will have more information on that privilege.
Posted: 3 years ago
Posted: 27 Jan 2018 3:00 EST
Shanthini Charles (Shanthini_Charles)
PEGA
Principal Technical Solutions Engineer
Pegasystems Inc.
IN

Hello Sovan,


I looked the typical usage of DeleteAnyAttachment privilege, It allows a user to delete any attachment (File, URL, Note, ScreenShot, or ScannedDocument type) for any work object that the user can update. In your usecase looks like the current user is unable to do that.


Please ensure the current user has the proper access role, ARO and access group referenced correctly. You can use https://pdn.pega.com/how-enable-users-delete-attachments  for reference. 


Regards,


Shanthini Charles
Posted: 3 years ago
Posted: 29 Jan 2018 1:16 EST
Sovan Parija (SovanP43)
Larsen & Toubro Infotech Limited

Larsen & Toubro Infotech Limited
IN

Thanks for the response Shantini!


The DeleteAnyAttachment privilege was one of the instances where I was getting the Access Denied event type in the tracer. The issue is I'm facing the same for most of the @baseclass privileges and whenever any flow is referenced the above event is getting traced. I'm doubting it's because of some improper access role cloning. Please refer to my reply to Carissa for the reference screenshot.


Regards,


Sovan