Question
"Stop access checking once a relevant Access of Role to Object instance explicitly denies or grants access" ?
Hi Team,
I can understand from descriptions, but what will be the nature of operation when we have multiple ARN as part of same access group and having this checkbox checked.
Hi Adaij,
I am using pega 731, and we have this check-box for access group. I get that when you tel about most specific ARO will be considered from every ARN added in access group. The question is more related to this check-box, how does the selection of ARO changes once it is checked or not-checked.
Thanks for your comment, appreciated !
If there are multiple roles, and there is an ARO associated with the first role which grants access, or an Access Deny which denies access then that result is returned and no more checks will be made. This is more performant than checking the result from all roles but there is potential that Access Deny rules in the second or roles listed after could be ignored.
I believe you mean multiple ARO. By default, access for Role based security is implicitly denied (not granted). If there is one or more ARO's which grants access, then access will be granted. If there is also an Access Deny, access will be explicitly denied regardless if there is an ARO which grants access. The most specific ARO relative to the class of the object being operated on is used to determine the access.
Which checkbox are you referring to ?