Question
Access denied for rules.
I'm getting the access denied message in most tracer events. It's not affecting now but not sure when it may throw error. Mostly for flow rules, the event is getting traced. For instance, "Current user is not authorized for privilege 'DeleteAnyAttachment' for Role-Obj-Class XYZ-ABC-DEF-Work-pqr".
Any suggestions as to what might be causing the issue.
Pegasystems Inc.
US
It sounds like the action being performed requires the DeleteAnyAttachment privilege but the access group for that user does not have that privilege. You mentioned the error occurs mostly for flow rules. What was the action being taken when you see the error?
Larsen & Toubro Infotech Limited
SG
Hi Carissa,
Thanks for the reply Carissa! I'm getting the mentioned issue whenever any flow is referenced through out the case life cycle. Even when an OOTB flow is called, the following event is traced. I presume that the cloning has been done from some access role which doesn't have default privileges. Other than this many @baseclass privileges are also missing.
Can you suggest me the correct access role to clone from for the developer ID so that we don't face these issues? PFA screenshot for reference.
Regards,
Sovan
Pegasystems Inc.
US
In my test environment, my developer ID is cloned from PegaRULES:SysAdm4. I traced running a flow and see that I also have the Access Denied for 'AM:RULE-OBJ-FLOW:WORK-!PZINTERNALCASEFLOW'. The privilege check can be seen in the java for the Work-.pzInternalCaseFlow flow but I don’t see any access roles that have that privilege. I also still see the internal flow added to my case so it did not prevent the flow from running. Maybe someone else will have more information on that privilege.
Pegasystems Inc.
IN
Hello Sovan,
I looked the typical usage of DeleteAnyAttachment privilege, It allows a user to delete any attachment (File, URL, Note, ScreenShot, or ScannedDocument type) for any work object that the user can update. In your usecase looks like the current user is unable to do that.
Please ensure the current user has the proper access role, ARO and access group referenced correctly. You can use https://pdn.pega.com/how-enable-users-delete-attachments for reference.
Regards,
Shanthini Charles
Larsen & Toubro Infotech Limited
SG
Thanks for the response Shantini!
The DeleteAnyAttachment privilege was one of the instances where I was getting the Access Denied event type in the tracer. The issue is I'm facing the same for most of the @baseclass privileges and whenever any flow is referenced the above event is getting traced. I'm doubting it's because of some improper access role cloning. Please refer to my reply to Carissa for the reference screenshot.
Regards,
Sovan