Question
Can Access Deny rules ensure that access is denied across roles in an Access Group?
I understand that if, for an access group, there are two access roles defined such that access role A grants access for a class and the other access role B doesn't grant access, then PEGA chooses the most permissive setting, meaning that access is granted if at least one access role allows it. Can somebody confirm, on the points below, whether my understanding is correct?
1. If I add a third access role C which has access deny defined for the class, then access won't be granted, because access deny overrides all the other access roles which granted the access.
2. In access role C, does the access deny need to be defined for the most specific class, similar to ARO, or will access deny be applicable even if defined for any hierarchy class?
You can define a uniquely-named Access Role that is strictly used for Access Deny rules.
Then assign that Access Role to every Access Group.
You can also invert the boolean logic using De Morgan's laws to define an ABAC Access Policy rule.
That is preferred since it avoids the possibility of someone forgetting to add the Access Deny-only Access Role to a newly created Access Group.