This content is now archived and is no longer updated.

Securing work queues and attachments

The Access Manager allows you to configure and manage access control settings for many of the elements of an application. Security for two application elements cannot be configured in the Access Manager: work queues and attachment categories.

Access control for work queues

In Pega, access control for work queues is role-based. By default, any user who can access a work queue can perform an assignment in the work queue. To control whether users can perform assignments in a specific work queue, you apply one or more roles to it. When you apply a role to a work queue, only users assigned to a listed role may retrieve an assignment from the work queue.

For example, the standard work queue default@pega.com lists three roles. A user must be assigned the PegaRULES:ProArch4, PegaRULES:Batch, or PegaRULES:Basics role to perform an assignment in the default@pega.com work queue.

Note: Pega uses the default@pega.com work queue as a last resort for routing. Pega routes assignments to the default@pega.com work queue when no other more specific or local work queue can be found.

To apply a role to a work queue, enter or select the role in the Roles section on the Work queue tab of the work queue record.

Note: Do not confuse access control with skill-based routing. You prevent users from performing specific assignments through the use of skill-based routing. In access control, you assign a role to a work queue to prevent unauthorized users from performing any assignment in the work queue.

Access control for attachments

Pega provides two levels of access control for attachments. You apply a privilege or when condition to an attachment category to allow or deny attachment actions to users. You enable attachment-level security to restrict access to the attachment itself.

Attachment category access control

Use a privilege or when condition to control access to an attachment category. When you add the privilege, select the actions to allow if the user has the privilege. For each when condition, select the actions to allow if the condition is true.

Note: Configure access control for an attachment category using a When rule, not an Access When rule.

Users can perform an action on attachments in the category if they have at least one of the required privileges, and all of the when conditions for the action are true. Consider the following configuration for an attachment category.

Access control list by privilege

Privilege             Create   Edit   View   Delete own   Delete any
DeleteOthers                                              x
DeleteOwn                                    x
AdministerWorkQueue                          x            x

Access control list by When rule

When                  Create   Edit   View   Delete own   Delete any
IsCurrentStageSubmit  x        x      x

For this attachment category, the following conditions hold:

  • Users can delete any attachment if they have either the DeleteOthers or AdministerWorkQueue privilege.
  • Users can delete their own attachment if they have either the DeleteOwn or AdministerWorkQueue privilege.
  • Users can create, edit, or view an attachment if the IsCurrentStageSubmit when rule returns a true result.

Caution: If you use a When rule to control access to a category, deselecting an action is not sufficient to deny access to the action. In the previous example, the when rule IsCurrentStageSubmit is insufficient to prohibit users from deleting an attachment if the condition returns a value of false.

Tip: You can use the standard when rule Never to create an always-false condition to deny an action to users.
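
The evaluation rule and the caution above can be checked with a small model. This is an added example, not Pega code: the function names are hypothetical, and it assumes that an action selected by no privilege row needs no privilege, as the example's create, edit, and view actions suggest.

```python
# Illustrative model of the attachment category rule described above.
# Added example, not Pega code; function names are hypothetical.
ACTIONS = ("create", "edit", "view", "delete_own", "delete_any")

# Privilege rows from the example table: privilege -> actions it allows.
PRIVILEGES = {
    "DeleteOthers": {"delete_any"},
    "DeleteOwn": {"delete_own"},
    "AdministerWorkQueue": {"delete_own", "delete_any"},
}

# When rows from the example table: when rule -> actions it gates.
WHENS = {"IsCurrentStageSubmit": {"create", "edit", "view"}}


def is_allowed(action, user_privileges, when_results,
               privileges=PRIVILEGES, whens=WHENS):
    """Return True if the action passes the privilege and the when checks."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    # The standard when rule Never is always false, whatever the caller passes.
    results = {**when_results, "Never": False}
    # Privilege check: hold at least one privilege whose row selects the action.
    # Assumption: an action that no privilege row selects needs no privilege.
    granting = [p for p, acts in privileges.items() if action in acts]
    has_privilege = not granting or any(p in user_privileges for p in granting)
    # When check: every when row that selects the action must be true.
    # A row that does not select the action places no constraint on it,
    # which is why deselecting an action does not deny it.
    gating = [w for w, acts in whens.items() if action in acts]
    whens_true = all(results.get(w, False) for w in gating)
    return has_privilege and whens_true


def with_never(actions, whens=WHENS):
    """Return a copy of the when rows plus a Never row selecting `actions`."""
    hardened = dict(whens)
    hardened["Never"] = set(actions)
    return hardened
```

With IsCurrentStageSubmit false, a user holding DeleteOwn is still allowed delete_own; passing whens=with_never({"delete_own", "delete_any"}) denies both delete actions regardless of privilege.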

Attachment-level access control

Configure attachment-level access control to allow users to determine who can access a specific attachment within the category. When users add an attachment to the category, they identify one or more work groups to which access to the attachment is allowed.

To enable attachment-level access control, select the Enable attachment-level security check box on the Security tab of the Attachment category record.
