Posted: 30 Jan 2017 4:47 EST Last activity: 17 Feb 2017 11:02 EST
Non-authorized user viewing flow instead of access error message
My application has different users with different roles: User, Manager, Administrator.
I've created a custom object (let's call it CUSTOBJ) along with a case type, and only Administrators are able to perform actions on them (as set in Designer Studio => Org & Security => Access Manager => Work & Process). See attachment for configuration details.
When I use a search box on my front-end UI to search for a CustomObject with a user of type "User", I get a "You are not authorized to open instance ONE-TWO-THREE-FOUR-CUSTOBJ CO-500" when trying to open the object through the search (see attachment). This behaves as expected.
When I use a search box on my front-end UI to search for a CustomObject with a user of type "Manager", the flow screen opens (see attachment), though I cannot proceed any further because clicking on the flow action does nothing.
While the manager hopefully cannot proceed any further, why am I shown this screen instead of the typical "You are not authorized..." message? Access is configured identically in the Access Manager for both Users and Managers. We even checked the PEGA-generated classes related to the CustObj object (in Records => Security => Access of Role to Object), and there doesn't seem to be any difference.
I'm probably missing something, but I can't pinpoint it. Any help appreciated.
Thanks for the suggestions. We've actually tried that too (everything set to 0), and that didn't change anything. Sorry about that, I might not have been explicit enough in my initial description. I did go through your suggested steps again to see if we missed anything, but that's not the case.
We were thinking that could've been a permission inherited from somewhere else, but that doesn't seem to be the case either.
It looks like you've set things up correctly, so I don't have a quick answer for you. I'd take a look at the section that displays the error. Is it just passing the message from the server through, or is there logic that explicitly displays that unless...? If it's the latter, does that code look for the WorkManager4 privilege or something? You may ultimately need to change the logic (assuming the record is available) so that it meets your business needs.
We've looked again for possible section logic and so on, but couldn't find anything wrong.
We don't have any more time to allocate to this problem, as we have other tasks to take care of and deliver.
We're going to leave things as is. We'll soon remove these objects from the indexation anyway, so they won't appear in the search results, and users won't be able to open them, which was how the problem started in the first place. A bit frustrating not to have the origin of the problem, I admit.