Question

Paul5174 Member since 2016 3 posts
SopraSteria
Posted: January 30, 2017
Last activity: February 17, 2017
Closed
Solved

Non-authorized user viewing flow instead of access error message

Hello,

My application has different users with different roles: User, Manager, Administrator.
I've created a custom object (let's call it CUSTOBJ) along with a case type, and only Administrators are able to perform actions on them (as set in Designer Studio => Org & Security => Access Manager => Work & Process). See attachment for configuration details.

When I use a search box on my front-end UI to search for a CustomObject with a user of type "User", I get a "You are not authorized to open instance ONE-TWO-THREE-FOUR-CUSTOBJ CO-500" message when trying to open the object through the search (see attachment). This behaves as expected.

When I use a search box on my front-end UI to search for a CustomObject with a user of type "Manager", the flow screen opens (see attachment), though I cannot proceed any further because clicking on the flow action does nothing.

While the manager hopefully cannot proceed any further, why am I shown this screen instead of the typical "You are not authorized..." message? Access is configured identically in the Access Manager for both Users and Managers. We even checked the PEGA-generated classes related to the CustObj object (in Records => Security => Access of Role to Object), and there doesn't seem to be any difference.

I'm probably missing something, but I can't pinpoint it. Any help appreciated.

Thanks.

v7.1.8

Security
Moderation Team has archived post