
PRPC 6.1 SP2

Access Security

LEVEL LEARNER

Overview
Security combines authentication, which ensures that a person or system is a known, identified person or system, with access control, which limits the application facilities and capabilities available to that person (or system).
At runtime, Process Commander compares the capabilities that a user holds with the limitations and restrictions associated with a rule or an object, to allow or deny access.
In PRPC, the security model is implemented using the following elements:
Operator ID
Access Group
Access Role
Privilege

Objectives
After completing this chapter you will learn:
How to create an Operator ID
Details about the Operator ID
How to create an Access Group
Details about the Access Group
How to create an Access Role
Details about the Access Role
How to create a Privilege
Details about the Privilege

Do You Know?

Operator ID

Operator ID: Overview


Introduction:
An Operator ID is an instance of the Data-Admin-Operator-ID class. The Operator ID references an Access Group that contains the RuleSet Versions, Roles, Portal Layouts, and Applications available to the user. An authenticated or unauthenticated user (requestor) cannot access a Process Commander application other than through this security model, so by default all access is denied. In brief, the Operator ID describes what a user is capable of doing (skills, work group, workbaskets); what the user is allowed to do is determined by the Access Group and the Access Roles it references.

Create Operator ID
From the Rules Explorer, expand the Organization link. Right-click on Operator ID, and click New.

Operator ID (cont)
General Tab
In the General tab enter the personal details of the Operator (Title, Full Name, Position/Title, Phone, and Email).
The tab also holds the Access Group (an instance of Data-Admin-Operator-AccessGroup) associated with the Operator; it is the highlighted portion of the slide's screenshot.

Operator ID (cont)
Work Settings Tab
Organization Unit: The Organizational Unit section contains the name of the Organization, Division, and Org Unit to which the operator belongs.

Operator ID (cont)
Work Settings Tab
Work Group:
A Work Group is a logical collection of Operators and usually has a manager.
A work group is an instance of Data-Admin-WorkGroup.
An Operator ID data instance usually identifies the Work Group to which the user belongs.
Work Groups allow better monitoring and reporting of tasks.

Operator ID (cont)
Work Settings Tab
Skills (Optional):
In the Skills section enter the name of a skill rule (Rule-Admin-Skill rule type) associated with this user. Select a user proficiency rating for this skill between 1 and 10, where 10 indicates the highest proficiency.
WorkBaskets:
A workbasket is a named queue of open assignments that are not associated with a particular operator. It is an instance of the Data-Admin-WorkBasket class.
Enter the list of workbaskets that may contain assignments for this user, each with an urgency threshold value.

Operator ID (cont)
Work Settings Tab
Get From WorkBaskets First: When selected, the system retrieves an assignment from the user's WorkList only when all of the WorkBaskets listed in the WorkBaskets array are empty. If not selected, the Get Most Urgent button, when clicked, retrieves the top assignment on the user's WorkList, and accesses WorkBaskets only if the user's WorkList is empty.

Merge WorkBasket: Select to cause the Get Most Urgent button that appears on the Process Work navigation panel for this user to consolidate the assignments from all the WorkBaskets in the WorkBaskets list below, sorted by assignment urgency, returning the most urgent one in any WorkBasket. If not selected, processing searches the WorkBaskets in the WorkBaskets array in the order listed on this tab, and the most
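The two settings above, together with the urgency threshold entered beside each workbasket, decide which assignment the Get Most Urgent button hands to the operator. The Python model below is an added example, not Pega code and not part of the original slides: the assignment keys, urgencies, workbasket names and thresholds are constructed, and two points the slide leaves implicit are modelled as assumptions: an assignment whose urgency is below the operator's threshold for that workbasket is ignored for that operator, and without Merge WorkBasket the first workbasket in list order that has an eligible assignment supplies its most urgent one.

```python
"""Toy model (added example, not Pega code) of the Get Most Urgent button
under the 'Get From WorkBaskets First' and 'Merge WorkBasket' settings on the
Work Settings tab. Assignment keys, urgencies, workbasket names and the
per-workbasket urgency thresholds are constructed. Assumptions of this model:
an assignment below the operator's threshold for a workbasket is ignored, and
without 'Merge WorkBasket' the first workbasket in list order that has an
eligible assignment supplies its most urgent one."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    key: str
    urgency: int


@dataclass
class WorkSettings:
    worklist: List[Assignment]             # this operator's own open assignments
    workbaskets: List[Tuple[str, int]]     # (workbasket name, urgency threshold), in tab order
    get_from_workbaskets_first: bool = False
    merge_workbaskets: bool = False


def most_urgent(items: List[Assignment]) -> Optional[Assignment]:
    return max(items, key=lambda a: a.urgency) if items else None


def eligible(queue: List[Assignment], threshold: int) -> List[Assignment]:
    """Assumption: only assignments at or above the operator's threshold count."""
    return [a for a in queue if a.urgency >= threshold]


def from_workbaskets(s: WorkSettings, baskets: Dict[str, List[Assignment]]) -> Optional[Assignment]:
    """Pick from the shared workbasket queues according to 'Merge WorkBasket'."""
    if s.merge_workbaskets:
        pool: List[Assignment] = []
        for name, threshold in s.workbaskets:
            pool += eligible(baskets.get(name, []), threshold)
        return most_urgent(pool)           # most urgent across every listed basket
    for name, threshold in s.workbaskets:  # otherwise: baskets searched in listed order
        pick = most_urgent(eligible(baskets.get(name, []), threshold))
        if pick is not None:
            return pick
    return None


def get_most_urgent(s: WorkSettings, baskets: Dict[str, List[Assignment]]) -> Optional[Assignment]:
    """'Get From WorkBaskets First' only changes which side is searched first."""
    if s.get_from_workbaskets_first:
        pick = from_workbaskets(s, baskets)
        return pick if pick is not None else most_urgent(s.worklist)
    pick = most_urgent(s.worklist)
    return pick if pick is not None else from_workbaskets(s, baskets)


# Constructed sample queues: two shared workbaskets and one operator's worklist
BASKETS = {
    "Intake@MyCo": [Assignment("A-1", 20), Assignment("A-2", 55)],
    "Escalation@MyCo": [Assignment("A-3", 90)],
}
WORKLIST = [Assignment("W-1", 40)]
LISTED = [("Intake@MyCo", 10), ("Escalation@MyCo", 0)]   # operator's WorkBaskets array


def pick_key(get_first: bool, merge: bool, worklist=WORKLIST, listed=LISTED) -> Optional[str]:
    """Run one configuration and return the key of the chosen assignment (or None)."""
    s = WorkSettings(list(worklist), list(listed), get_first, merge)
    a = get_most_urgent(s, BASKETS)
    return a.key if a else None


if __name__ == "__main__":
    print("defaults               ->", pick_key(False, False))   # own worklist first
    print("baskets first          ->", pick_key(True, False))    # first listed basket
    print("baskets first + merge  ->", pick_key(True, True))     # most urgent anywhere
    print("Intake threshold 60    ->", pick_key(True, False, listed=[("Intake@MyCo", 60), ("Escalation@MyCo", 0)]))
```

Raising the threshold on Intake@MyCo to 60 makes its assignments invisible to this operator, so the search falls through to Escalation@MyCo even without Merge WorkBasket; an empty worklist with both boxes clear likewise falls through to the baskets.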

Operator ID (cont)
Work Settings Tab
Use the Scheduled Absence section to define:
When and whether this user is available to receive assignments
When this user is unavailable (e.g. on vacation or otherwise not able to process assignments)
Who is to receive assignments when this user is unavailable

Operator ID (cont)
Work Settings Tab
In the Substitute Operator Type section complete the fields to control how Process Commander routes assignments for this operator when the operator is marked absent or unavailable.
For Substitute Operator Type choose either Operator or Workbasket, so that routing rules can redirect the assignments to a substitute operator or to a workbasket during those periods.
In the LookUp In DecisionTree field select a decision tree rule that returns an Operator ID, or one that returns a workbasket name, matching your selection in the Substitute Operator Type field.
In Default To Assignee identify the Operator ID or
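Taken together, the Scheduled Absence and Substitute Operator Type settings amount to a small routing decision: is the operator absent right now, and if so, what does the decision tree return, with Default To Assignee as the fallback. The Python model below is an added example, not Pega code and not part of the original slides: the operator, absence window, workbasket names, assignment data and the plain function standing in for the LookUp In DecisionTree rule are all constructed, and the behaviour when no substitute is configured (work stays on the absent operator's worklist) is an assumption of the model.

```python
"""Toy model (added example, not Pega code) of the Scheduled Absence and
Substitute Operator Type settings. While an operator is marked absent, a new
assignment is redirected to the Operator ID or workbasket returned by the
LookUp In DecisionTree rule, falling back to Default To Assignee. The operator,
absence window, workbasket names, assignment data and the Python function
standing in for the decision tree rule are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Substitute:
    substitute_type: str                        # "Operator" or "Workbasket"
    lookup: Callable[[Dict[str, str]], str]     # stand-in for the LookUp In DecisionTree rule
    default_assignee: str                       # Default To Assignee


@dataclass
class OperatorRouting:
    operator_id: str
    absences: List[Tuple[datetime, datetime]]   # [start, end) windows from Scheduled Absence
    substitute: Optional[Substitute] = None


def is_absent(op: OperatorRouting, when: datetime) -> bool:
    return any(start <= when < end for start, end in op.absences)


def route(op: OperatorRouting, assignment: Dict[str, str], when: datetime) -> Tuple[str, str]:
    """Return (kind, name): where the assignment is routed at time 'when'."""
    if not is_absent(op, when):
        return ("Operator", op.operator_id)     # available: keep it on the operator's worklist
    sub = op.substitute
    if sub is None:
        # Assumption of this model: nothing configured, so the work stays where it is.
        return ("Operator", op.operator_id)
    target = sub.lookup(assignment) or sub.default_assignee   # tree result, else the default
    return (sub.substitute_type, target)


def route_on(op: OperatorRouting, day: Tuple[int, int, int], loan_type: str) -> Tuple[str, str]:
    """Convenience wrapper: route a constructed assignment on a calendar day."""
    return route(op, {"loan_type": loan_type}, datetime(*day))


# Constructed decision tree: mortgages go to a specialist desk, anything else gets no answer
def mortgage_desk_tree(assignment: Dict[str, str]) -> str:
    return "MortgageDesk@MyCo" if assignment.get("loan_type") == "Mortgage" else ""


ALICE = OperatorRouting(
    "alice@myco.example",
    absences=[(datetime(2024, 7, 1), datetime(2024, 7, 15))],   # constructed vacation window
    substitute=Substitute("Workbasket", mortgage_desk_tree, "Intake@MyCo"),
)

if __name__ == "__main__":
    for day, loan in [((2024, 6, 30), "Auto"), ((2024, 7, 3), "Mortgage"),
                      ((2024, 7, 3), "Auto"), ((2024, 7, 15), "Auto")]:
        print(day, loan, "->", route_on(ALICE, day, loan))
```

The point worth checking in a real configuration is the one the model makes explicit: the decision tree must return the same kind of target that Substitute Operator Type names, and Default To Assignee must be filled in, or assignments raised while the operator is away have nowhere to go.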


Operator ID (cont)
Advanced Tab
Security Settings:
Change Password: Sets the Operator password used for authentication.
External Authentication: Select to require that this operator be authenticated only through LDAP or another external authentication facility.
Allow Rule Checkout: Select to allow this user to update rules in RuleSets that require check-out.

Operator ID (cont)
Advanced Tab
Security Settings:
Starting Activity to execute: Identifies the first activity that the system executes after this user is authenticated. The standard activity for this purpose is named Data-Portal.ShowDesktop.

Operator ID (cont)
Advanced Tab
Security Settings:
License Type: Select Named if this Operator ID is a person who interacts with Process Commander through a Web browser. Select Invocation if this Operator ID is used for processing performed through service calls, or for processing by external users (typically through the Directed Web Access feature).
Default Locale: Optional. It affects the processing of input dates, times, and numbers, and the presentation of displayed dates, times, and numbers.

Do You Know?

Access Group


Access Group: Overview


Introduction:
Access Groups determine which applications and which parts of those applications a user can access.
An access group is an instance of the Data-Admin-Operator-AccessGroup class.
It specifies the Access Roles and RuleSets accessible to the user and the Portal Layout to display when the user logs in. A sample PRPC access group form is shown on the slide.

Access Group: Create


From the Rules Explorer, expand the Security link. Right-click on Access Group, and click New.
Enter a name for this Access Group in the Access Group Name field. Click Create. Then fill in the tabs described below.

Access Group (cont)


Layout Tab
Complete this tab to identify the Work Pools (Class Groups), Application Name, Version, and Access Roles (e.g. PegaRULES:SysAdm4) available to the Operator IDs or requestors that reference this Access Group.

Access Group (cont)


Layout Tab
The Application section specifies the name of the Application rule and its Version. The Application rule in turn contains the set of RuleSets specific to the application.
These RuleSets can also be listed in the Production RuleSets section of the form, but as a best practice Production RuleSets is left blank and the Application rule is referenced instead.
The Roles section lists the Access Roles for this Access Group, e.g.
PegaRULES:SysAdm4
PegaRULES:SysArch4
The WorkPools section lists all Class Groups for Work Pools in which users associated with this Access Group are permitted to enter new work objects. Each Class Group defines a Work Pool, a named collection of work types.

Access Group (cont)


Settings Tab
Use this tab to define the HTTP/HTTPS Home Directory, Portal Layout, and other capabilities for users or other requestors who reference this Access Group.

Access Group (cont)


Settings Tab
Login Settings:
HTTP/HTTPS Home Directory: Typically, accept the default of /webwb. Directories within this directory hold important static XML forms, JavaScript files, style sheets, and images.
Default Portal Layout: Identify a portal rule to indicate which portal presentation supports the requestors who reference this access group. Typical choices referencing standard portal rules are:
For a worker, select WorkUser.
For a manager, select WorkManager.
For developers, select Developer.
Authentication Timeout (seconds): Enter the number of seconds after which the system challenges idle browser sessions of users in this access group, asking them to re-enter their Operator ID and password.

Access Group (cont)


Settings Tab
Secondary Portal Layout:
Portal Layout: Optional. For developers, you can define alternative layouts so that they can quickly switch between them; this is useful in debugging. Enter the name of a Portal rule to make an additional portal presentation available to this user.
Local Customization:
Leave these fields blank for an Access Group that supports logging on to Process Commander from external systems, or that supports workers or managers who never create rules.

Access Group (cont)


Associations Tab
Use this read-only tab to review or quickly open the Operator ID instances that reference this Access Group.

Do You Know?

Access Role


Access Role: Overview


Introduction:
An access role is defined as having certain class access rights. A user can have one or more access roles, which are listed in access groups. All users in the same access group have the same roles.
Your application includes one or more predefined access roles. These access roles typically exist for the kinds of users who work with the application: system administrators, architects, managers, supervisors, and basic operators, for example.

Access Role: Create


From the Rules Explorer, expand the Security link. Right-click on Access Role, and click New.
Enter a name for this Access Role in the Access Role field, using the format <Application-Name>:<Role-Name>. Click Create. Then fill in the tabs described below.

Access Role (cont)


Rule Details
An access role rule defines a name for a role and represents a set of capabilities. To deliver the capabilities to users, you reference the access role name in other rule types to assign the access role to users and to provide, or restrict, access to certain classes.
Create access role names using the format <application name>:<role name>, where <application name> is the name of your application and <role name> is the name of a role that uses the application.
An access role identifies a job position or responsibility defined for an application. For example, an access role can define the capabilities of LoanOfficer or CallCenterSupervisor. The system grants users specified capabilities, such as the capability to modify instances of a certain class, based on the access roles they acquire at sign-on.

Access Role (cont)


Role Tab
This read-only tab provides quick access to any Access of Role to Object rules that have this access role as the first key part. Click a row to open the Access of Role to Object rule.

Do You Know?

Privilege


Privilege: Overview
Introduction:
A Privilege allows a user with a particular role to execute certain application functions. Privileges are associated with access roles, not directly with users.
If a user has the access role with which the privilege is associated, the user has the privilege. Privileges also play a role in routing work, as users can only receive work items for which they hold the required privileges.

Privilege: Create
From the Rules Explorer, expand the Security link. Right-click on Privilege, and click New. The New form appears.

Privilege: Create
Enter the name of the class to which this privilege applies in the Applies To field. Remember that privileges are inherited by child classes, so enter the name of a class at the appropriate point in the hierarchy.
Enter the privilege name in the Privilege Name field. Begin with a letter and use only letters, digits, and dashes.
Select your RuleSet and version if necessary from the selection boxes.
Choose the status of this rule from the Available selection box (see the Application Developer Help) and click Create.

About Privilege Rules


Privileges complement the security and access control features provided by access roles and RuleSet lists by restricting access to specific rules rather than to entire classes or RuleSet versions.
Use privileges to differentiate the capabilities of different groups of users within your application.
As users (or other requestors) work with your application, the system compares the privileges they hold with the privileges required

Privilege (cont)
Role Tab
This read-only tab provides quick access to any Access of Role to Object rules (Rule-Access-Role-Obj rule type) that reference this privilege rule (on the Privileges tab). Click a row to open the Access of Role to Object rule.
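The chain this chapter describes, from the Overview through the Access Role and Privilege sections (an Operator ID references one Access Group; the group lists Access Roles; the roles carry Privileges, which child classes inherit; anything not granted is denied), can be checked end to end in a few lines. The Python model below is an added example, not Pega code and not part of the original slides: the application, class, role, operator and privilege names are constructed, and the class hierarchy is simplified to pattern inheritance on the dashed class name (directed inheritance is ignored).

```python
"""Toy model of the PRPC access chain described in this chapter:
Operator ID -> Access Group -> Access Roles -> Privileges, deny by default.
Added example, not Pega code. Application, class, role, operator and privilege
names are constructed. Assumption: the class hierarchy is simplified to pattern
inheritance (MyCo-Loan-Work-Mortgage -> MyCo-Loan-Work -> MyCo-Loan -> MyCo);
directed inheritance is ignored."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Privilege = Tuple[str, str]   # (applies-to class, privilege name)


@dataclass(frozen=True)
class AccessRole:
    name: str                          # <Application-Name>:<Role-Name>
    privileges: FrozenSet[Privilege]   # what the role grants, keyed by applies-to class


@dataclass(frozen=True)
class AccessGroup:
    name: str
    roles: Tuple[AccessRole, ...]      # every operator in the group gets all of these


@dataclass(frozen=True)
class Operator:
    operator_id: str
    access_group: Optional[AccessGroup]   # None: a requestor with no access group at all


def ancestors(class_name: str) -> List[str]:
    """The class itself followed by its pattern-inheritance parents."""
    parts = class_name.split("-")
    return ["-".join(parts[:i]) for i in range(len(parts), 0, -1)]


def held_privileges(op: Operator) -> FrozenSet[Privilege]:
    """Privileges reach a user only through roles in the access group, never per user."""
    if op.access_group is None:
        return frozenset()            # no group -> nothing is granted
    held = set()
    for role in op.access_group.roles:
        held |= role.privileges
    return frozenset(held)


def has_privilege(op: Operator, class_name: str, privilege: str) -> bool:
    """Deny by default; grant if some role holds the privilege on the class or on
    any ancestor class (privileges are inherited by child classes, never upward)."""
    held = held_privileges(op)
    return any((cls, privilege) in held for cls in ancestors(class_name))


# Constructed sample configuration
LOAN_OFFICER = AccessRole("LoanApp:LoanOfficer", frozenset({
    ("MyCo-Loan-Work", "ViewLoan"),
    ("MyCo-Loan-Work", "ApproveLoan"),
}))
SUPERVISOR = AccessRole("LoanApp:CallCenterSupervisor", frozenset({
    ("MyCo-Loan-Work", "ViewLoan"),
    ("MyCo-Loan-Work-Mortgage", "OverrideRate"),   # granted only on the Mortgage subclass
}))
OFFICERS = AccessGroup("LoanApp:Officers", (LOAN_OFFICER,))
SUPERVISORS = AccessGroup("LoanApp:Supervisors", (LOAN_OFFICER, SUPERVISOR))

ALICE = Operator("alice@myco.example", OFFICERS)
BOB = Operator("bob@myco.example", SUPERVISORS)
GUEST = Operator("guest", None)

if __name__ == "__main__":
    for op, cls, priv in [
        (ALICE, "MyCo-Loan-Work-Mortgage", "ApproveLoan"),   # inherited from MyCo-Loan-Work
        (ALICE, "MyCo-Loan-Work-Mortgage", "OverrideRate"),  # role is not in Alice's group
        (BOB, "MyCo-Loan-Work-Mortgage", "OverrideRate"),
        (BOB, "MyCo-Loan-Work", "OverrideRate"),             # does not flow up to the parent
        (GUEST, "MyCo-Loan-Work", "ViewLoan"),               # no access group: denied
    ]:
        print(f"{op.operator_id:22} {cls:24} {priv:13} -> {has_privilege(op, cls, priv)}")
```

Two things the model makes visible that the forms alone do not: removing a privilege from LoanApp:LoanOfficer revokes it at once for every operator in every access group that lists that role, and a privilege granted on MyCo-Loan-Work-Mortgage never reaches MyCo-Loan-Work, so the Applies To class chosen when the privilege is created is where least privilege is actually decided.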


Questions?

39

Welcome Break

40

Lend a Hand
Create Operator ID
RuleSet Version
Application Version
Access Group
Associate Access Group to Operator ID
Add Work User & Work Manager Portals to the Access Group

Test Your Understanding


Operator ID is an instance of which class?
Data-Admin-Operator-ID
Data-Admin-OperatorID
Access Group is an instance of which class?
Data-Admin-Operator-AccessGroup
Data-Admin-Operator-Access-Group
Where do you specify the Access Group?
What is a WorkBasket?
What is a WorkGroup?

Access Security: Summary


An Operator ID is an instance of the Data-Admin-Operator-ID class.
An Access Group is an instance of the Data-Admin-Operator-AccessGroup class.
Access Groups determine which applications and which parts of those applications a user can access.
A user can have one or more Access Roles, which are listed in Access Groups.
All users in the same Access Group have the same Access Roles.
A Privilege allows a user with a particular role to execute certain application functions. Privileges are associated with Access Roles, not directly with users.

PRPC Access Security

You have successfully completed Access Security.
