top of page

Enhancing Access Control with Privileges in Pega Applications

In Pega applications, maintaining robust access control mechanisms is vital for ensuring data security and operational integrity. While access roles play a fundamental role in defining user permissions, privileges offer a finer level of control by restricting access to specific rules rather than entire classes or RuleSet versions.

Understanding Privileges:

A privilege is a specific access control feature within an application, tied to both a class and an access role. Each privilege rule represents an instance of the Rule-Access-Privilege rule type.

A privilege rule solely identifies a privilege without granting it to any user. Access to a privilege is contingent upon a requestor session possessing at least one of the access roles that authorize access to that privilege. The link between access roles and privileges is established through instances of the Rule-Access-Role-Obj rule type.

Employing privilege rules within an application is discretionary, yet they provide a more nuanced level of access control compared to relying solely on access roles.

The Purpose of Privileges:

Privileges enhance the security and access control capabilities offered by access roles and RuleSet lists by confining access to particular rules instead of entire classes or versions of RuleSets. Utilize privileges to distinguish the abilities of diverse user groups within your application.

The privilege form solely outlines the presence (name and Applies To class) of a new privilege. It does not contain any additional details and does not inherently confer any capabilities. However, by referencing privileges in Access of Role to Object rules and specific rule types such as flows, privilege rules can determine the actions that application users are permitted to undertake.

Where privileges are referenced:

As users (or other requestors) engage with your application, the system evaluates the privileges they possess against those required. Users who possess any of the listed privileges are permitted to utilize the rule.

To assign privileges to a requestor, link them with access roles. Each requestor is affiliated with one or more access roles, which are specified in the access group referenced within the Operator ID data instance.

To mandate privileges for the usage of a rule, specify the privileges within that rule in your application. This functionality is accessible for certain rule types exclusively.


Privilege rules are categorized under Security. They represent instances of the Rule-Access-Privilege rule type.

Where privileges are applied:

Once a privilege is established, it can be linked with specific rules across nine rule types. Among these, one type grants access while the remaining eight types restrict access:

  • Access of Role to Object rules: Grants privileges to users holding specific access roles.

  • Activities: Restricts rule execution to users possessing the designated privilege.

  • Attachment category rules: Governs operations permitted on attachments.

  • Correspondence: Limits rule usage to users with the specified privilege.

  • Flows: Controls flow initiation to users with the relevant privilege.

  • Flow actions: Restricts action selection to users with the corresponding privilege.

  • List view rules: Regulates which users can generate list view reports.

  • Parse Structured rules: Governs rule execution for users with the specified privilege.

  • Summary view rules: Determines which users can generate summary view reports or charts.

Checking for a privilege:

To ascertain whether a requestor possesses a particular privilege, your application can invoke the standard Boolean function HavePrivilege(), which yields either true or false:

@(Pega-RULES:Default).HavePrivilege("tools", privname, privAppliesTo, pagename)

Here, the second and third parameters specify the essential components of a Rule-Access-Privilege rule. If the third parameter is omitted, the system defaults to the class of the page indicated in the optional fourth parameter as the Applies To key part of the privilege rule.

Creating a privilege:

  1. Navigate to the header of Dev Studio and click on Create.

  2. From the dropdown menu, select Security and then Privilege.

  3. Fill in the required fields on the Create form to establish the context of the privilege.

  4. Enter descriptive text in the Label field to outline the purpose of the privilege.

  5. Use the Down Arrow key in the Apply to field to choose the class defining the privilege's scope. This class dictates which Access of Role to Object rules can be associated with the privilege.

  6. In the Add to ruleset field, specify the name and unlocked version of the ruleset where the privilege will be stored.

  7. Optionally, modify the default identifier for the privilege by clicking Edit and providing a unique value in the Identifier field.

  8. Click on Create and open to access the Privilege form.

  9. Review the details and click Save to finalize the creation of the privilege.

Privileges enhance the security and access control capabilities provided by access roles by confining access to specific rules instead of entire classes. Essentially, a privilege links an access role with a rule that requires protection. By creating privileges, organizations can precisely define the access control parameters governed by Access of Role to Object rules. Each privilege is identified by its name and Applies to class, enabling targeted control over rule-level access within the application environment.

Setting up privileges entails two essential elements that establish the connection between the rule, access role, and class:

  • The rule itself, which mandates the possession of a privilege for its utilization or access.

  • Access roles, which are dynamically assessed at runtime to ascertain whether the privilege has been conferred upon a requestor.

During runtime, the system juxtaposes the set of privileges linked with the requestor's access roles against the set of privileges mandated by a rule. If the requestor possesses any of the requisite privileges, they are empowered to execute actions such as running activities, utilizing correspondence, or generating reports.

Granting privileges to an access role:

Within the Privileges tab of the Access Manager landing page, you have the capability to create, review, and modify privileges tailored to users with distinct roles, enabling access to specific objects within cases and data types.

A privilege rule solely defines a name and doesn't confer any capabilities to users until it's associated with an object (such as a flow, flow action, or report definition) and an access role.

The source for the list of privileges is the data page D_PrivilegeList, which by default employs a report definition to compile the list of privileges within the current application.

Granting privileges via Access Manager:

Access Manager provides a user-friendly interface for granting privileges to users with diverse roles, facilitating access to specific case and data types.

Reviewing user privileges for a role using Access Manager:

Within Access Manager, you can conveniently view all associated privileges for a chosen role within a specified class. Additionally, you can generate a comprehensive report showcasing all privileges granted to each case type.

-Team Enigma Metaverse

16 views0 comments


bottom of page