Question
Can Access Deny rules ensure that access is denied across roles in an Access Group?
I understand that if for an access group there are two access roles defined such that access role A grants access for a class and the other access role B doesn't grant access then PEGA chooses the most permissible setting meaning that access is granted if at least one access role allows it. Can somebody confirm on the below if my understanding is correct
1. If I add third access role C which has access deny defined for the class then access won't be granted because access deny overrides all the other access roles which granted the access.
2. In the access role C does the access deny need to be defined for the most specific class similar to ARO or access deny will be applicable even if defined for any hierarchy class
Hi Lee,
Thanks for response.
Ok, so it means that one access role having an access deny will override all other access roles granting access. I am good with it now.
What about the second point- should the access deny be defined for most specific class or it can be anywhere in the hierarchy?
In Pega, Security is, and always has been, designed to be object-oriented.
You do not need to specify multiple classes when those classes descend from a common ancestor and you want the same security definition to apply to every derived class.
RBAC looks for the most specific class you have defined. Other classes can extend that class.
Access When rules can leverage polymorphism, Assign- canPerform being one example.
You can define a uniquely-named Access Role that is strictly used for Access Deny rules.
Then assign that Access Role to every Access Group.
You can also invert the boolean logic using De Morgan's laws to define an ABAC Access Policy rule.
That is preferred since it avoids the possibility of someone forgetting to add the Access Deny-only Access Role to a newly created Access Group.