Access groups

An access group is a group of permissions within an application. Pega Platform uses these permissions for operators, external system access, and background processes. You define an access group for operators who have similar responsibilities. For example, most applications allow case managers to perform actions that regular operators cannot, so case managers and regular operators belong to different access groups.

Access group names have the format application name:access group name. For example, for the MyApp application, you can define the MyApp:Administrators access group for administrators and the MyApp:Users access group for regular operators.

Operators can belong to multiple access groups. You select one of the access groups as the default, which is used when the operator initially logs in. If an operator belongs to multiple access groups, the operator can switch between groups. Only one access group is in effect at any given time during a session.

When you create an access group, you define permissions and settings that are used for operators who belong to that access group and who use the application defined for that access group. These permissions and settings include the following:

  • Access roles and privileges
  • The portal layout
  • The work pools that are available
  • The types of work items that operators can work on
  • The rulesets that are displayed at the top of the ruleset list
  • Details of rule caching for performance
  • For developers, the initially displayed ruleset and version for rules that they create

Access groups and ruleset lists

When an operator logs in, Pega Platform checks the following sources in order and uses the first access group that it finds to assemble the operator's ruleset list:

  1. The default access group defined on the Profile tab of the Operator ID form
  2. The default access group for the Org Division that is identified on the Work tab of the Operator ID form
  3. The default access group for the Org that is identified on the Work tab of the Operator ID form
  4. The default access group for the appropriate requestor type
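
The lookup order above, modelled over constructed records as an added example (not Pega code; the field names, sample operators, and default mappings are hypothetical). It reports operators whose access group is inherited from a division, organization, or requestor type default rather than set on their own Operator ID, which is the population to check in a least-privilege review.

```python
# Added example: a model of the documented four-step lookup order.
# Field names and data are constructed for illustration; they are not
# Pega property names or real operator records.

# Constructed defaults for steps 2-4 of the lookup order.
DIVISION_DEFAULTS = {("Acme", "Claims"): "MyApp:CaseManagers"}
ORG_DEFAULTS = {"Acme": "MyApp:Users"}
REQUESTOR_TYPE_DEFAULTS = {"pega.BROWSER": "PRPC:Unauthenticated"}

# Constructed operator records.
OPERATORS = [
    {"id": "admin1", "default_access_group": "MyApp:Administrators",
     "org": "Acme", "division": "IT"},
    {"id": "cm7", "default_access_group": None,
     "org": "Acme", "division": "Claims"},
    {"id": "temp3", "default_access_group": None,
     "org": "Acme", "division": "Sales"},
    {"id": "ext9", "default_access_group": None,
     "org": "Partner", "division": "Ops"},
]


def resolve_access_group(op, requestor_type="pega.BROWSER"):
    """Return (access_group, source) from the first step that yields a group."""
    candidates = [
        ("operator", op.get("default_access_group")),
        ("division", DIVISION_DEFAULTS.get((op["org"], op["division"]))),
        ("org", ORG_DEFAULTS.get(op["org"])),
        ("requestor_type", REQUESTOR_TYPE_DEFAULTS.get(requestor_type)),
    ]
    for source, group in candidates:
        if group:
            return group, source
    return None, None


def inherited_access(operators):
    """List operators whose access group comes from a fallback step."""
    findings = []
    for op in operators:
        group, source = resolve_access_group(op)
        if source != "operator":
            findings.append((op["id"], group, source))
    return findings


if __name__ == "__main__":
    for op_id, group, source in inherited_access(OPERATORS):
        print(f"{op_id}: {group} (inherited from {source} default)")
```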

Access groups and external systems

An access group determines the ruleset list that is available to an external system that requests services. The following data instances and rules reference access groups directly, or indirectly by specifying an operator:

  • Listener data instances
  • Service package data instances
  • Agent rules
  • Agent schedule data instances

When effective

When you save an access group, active requestor sessions on the current node that are associated with that access group are immediately updated. Requestors at other nodes in a cluster are updated when the next system pulse occurs on their nodes.

Facilities provided to unauthenticated (guest) requestors

Guest users, or unauthenticated requestors, typically have access to only the rules in the rulesets in the PRPC:Unauthenticated access group, as referenced in the requestor type instance named pega.BROWSER.

CAUTION:
If you update the pega.BROWSER requestor type to reference a different access group, or update the PRPC:Unauthenticated access group to make additional rulesets available to unauthenticated users, review the Require authentication to run check box on the Security tab of each activity in the rulesets. Select this check box for only the activities that guests need to run.

The clipboard for a guest requestor does not include pages for the operator ID, organization, division, or organization unit.