Friday, August 18, 2023

Rule Delegation

 Summary of Rule Delegation


  • The purpose of Rule Delegation is to make a rule available in the production environment so that business users can customize it.
  • A rule can be delegated to either an Access Group or a specific user.
  • The delegated rule should be available in the production ruleset, which should be an unlocked ruleset.




Once the rule is delegated, another link will be available in the left panel as configuration for the managers (refer above).

  • All delegated rules are added to the table of the System-User-MyRules class.

Once we open the record related to a particular Access Group, it shows all the delegated rule records within that Access Group. If we select the check box for a particular record, rule resolution is ignored, i.e. even if a newer version of the delegated ruleset is pushed that contains an undelegated version of the rule, it will not be picked. Therefore, the user is still able to make changes to the delegated rule.

Important considerations when deploying the delegated rule to the production environment

When taking a product rule, there is a condition to check if all the rules are unlocked. Since the production ruleset should remain unlocked, we must select the check box to include unlocked rulesets.

Alternatively, we may have to manually push the delegated rule as a data instance in the product rule, keeping the check box unchecked so that only locked rulesets are included.


Monday, August 14, 2023

OAuth 2.0

Implementing OAuth 2.0 In Pega As Consumer

OAuth 2.0 is an open-standard authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service, without the need for the user to share their credentials with the third-party application.

In Pega, OAuth 2.0 can be used to allow Pega applications to access data or resources from external applications, such as Salesforce or Google Drive. This can be useful for a variety of purposes, such as:

  • Integrating Pega with a customer relationship management (CRM) system to access customer data
  • Connecting Pega to a document management system to store and retrieve documents
  • Integrating Pega with a payment processing system to accept payments

There are five authorization grant types:

  1. Authorization Code
  2. Client Credentials
  3. Implicit (Pega doesn't support this type)
  4. Resource owner password credentials (Use this approach when there is high trust between the applications as this requires password sharing)
  5. JWT bearer (OpenID Connect token)

Authorization Code 




This grant type can be used when there is a user involved to grant the access. Imagine a scenario where the user is prompted to log in to Quora with their Google or Facebook login.

Client Credentials

Use this grant type when two backend applications want to use the OAuth 2.0 protocol. There are two legs in this authorization type. First, we get the access token with the help of the app credentials. Next, we use the access token to get access to the application.

Implementing OAuth2.0 with client credentials grant type


Step 1

Establishing the client credentials with the application






For further details click on the link and check the implementation information

Now you can run the API call using Postman and get the Access Token.
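
The two legs of the client credentials grant, shown as an added Python example (not code from the original post or from Pega). The provider on 127.0.0.1, the /token and /resource paths, and the client ID, secret and token values are all constructed for the demonstration; the request format follows RFC 6749 section 4.4.

```python
import base64, hmac, json, threading
import urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values; none of them come from the original post.
CLIENT_ID, CLIENT_SECRET, ISSUED_TOKEN = "demo-client", "demo-secret", "constructed-token"

def basic(client_id, client_secret):
    pair = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(pair).decode()

class DemoProvider(BaseHTTPRequestHandler):
    # Hypothetical external application: a token endpoint plus one protected resource.
    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _auth_is(self, expected):  # constant-time comparison of the Authorization header
        got = self.headers.get("Authorization", "")
        return hmac.compare_digest(got.encode("latin-1", "replace"), expected.encode())

    def do_POST(self):  # leg 1: app credentials in, access token out
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path != "/token" or not self._auth_is(basic(CLIENT_ID, CLIENT_SECRET)):
            return self._reply(401, {"error": "invalid_client"})
        if form.get("grant_type") != ["client_credentials"]:
            return self._reply(400, {"error": "unsupported_grant_type"})
        self._reply(200, {"access_token": ISSUED_TOKEN, "token_type": "Bearer", "expires_in": 3600})

    def do_GET(self):  # leg 2: only the issued bearer token opens the resource
        if self.path == "/resource" and self._auth_is("Bearer " + ISSUED_TOKEN):
            return self._reply(200, {"data": "protected"})
        self._reply(401, {"error": "invalid_token"})

# Ignore proxy settings so the loopback calls stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def call(req):
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # error replies carry a JSON body too
        return err.code, json.loads(err.read())

def get_token(base, client_id, client_secret):
    form = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    status, body = call(urllib.request.Request(base + "/token", data=form, headers={
        "Authorization": basic(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded"}))
    if status != 200 or body.get("token_type", "").lower() != "bearer":
        raise PermissionError(body.get("error", "token request failed"))
    return body["access_token"]

def get_resource(base, token):
    return call(urllib.request.Request(base + "/resource", headers={"Authorization": "Bearer " + token}))

def run_demo(secret=CLIENT_SECRET):
    server = HTTPServer(("127.0.0.1", 0), DemoProvider)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        good = get_resource(base, get_token(base, CLIENT_ID, secret))
        return good, get_resource(base, "not-the-issued-token")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Against a real provider the token endpoint is reached over HTTPS, since both the client secret and the bearer token travel in request headers.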






Thursday, August 10, 2023

Eyonsis Interview Feedback

 1. How do you ensure the Pega application is secure?

2. What are the tools you use to debug services?

3. If there are multiple layers in Pega applications in which layer do we define the data classes when creating a REST service?

4. Should possess more LSA type of thinking

5. Security configurations in Integrations.

6. File Listeners/ Email listeners etc.

Saturday, August 5, 2023

Email Listener

 Create A Case From Email



Create An Email Account

1. Records -> Integration-Resources -> Email Account


    Name the labels with the respective work class

2. Click Next and select the type of email account provider.




3. Now set the account setting as follows.




4. Now verify the connection using Test Connectivity link










Sunday, July 30, 2023

OBJ and RDB Methods

 OBJ Methods


Obj-Save-Cancel cancels the most recent uncommitted Obj-Save in the deferred queue.

Rollback cancels all the uncommitted DB methods that were placed in the deferred queue prior to the Rollback step.


RDB Methods


There are 4 main variations of RDB methods, each of which needs mandatory parameters when called.

  1. RDB-List --> Obj-Browse
  2. RDB-Delete --> Obj-Delete
  3. RDB-Save --> Obj-Save
  4. RDB-Open --> Obj-Open

Mandatory parameters

  • Class Name - The class that corresponds to the data table.
  • RequestType - This refers to the Connect SQL rule. In practice it is possible to define a separate Connect SQL rule for each RDB method, or alternatively we can define all the RDB methods in the same Connect SQL rule since it has a separate tab for each RDB method.
  • Access - The type of database we are connecting to, e.g. Oracle, PostgreSQL, MySQL. We set it to All, which allows all types of databases.

Why do we use RDB methods?

Sometimes it is difficult to build a query using Obj methods because of its complexity. In such situations we go for RDB methods, where we can write the query directly. This also improves performance, since it saves the time needed to generate the SQL query.

Enterprise Class Structure | Situational Layer Cake | Components

 Enterprise Class Structure (ECS)





Situational Layer Cake is a patented term of Pega Platform. It is about placing the source code in a way that facilitates enterprise specializations.


Above is an example of how directed and pattern inheritance work in ECS.


Components 

A component is a collection of rulesets that create a small feature that can be added to any application created in the Pega Platform.

For more details on Components follow the below link

https://docs-previous.pega.com/sites/default/files/help_v73/basics/v6portal/landingpages/application/components.htm#:~:text=A%20component%20is%20a%20collection,ruleset%20to%20avoid%20naming%20conflicts.

After Pega 7.2, the platform has allowed building applications on top of other applications rather than restricting this to frameworks. Therefore, we can build directly on an application instead of a framework, and we can also use components when building applications. This further facilitates reuse of existing functionality.












Thursday, July 27, 2023

Agents in Pega

 Agents

Standard Agents and Auto Queue Management 

Standard Agent is the legacy version of the Queue Processor in Pega 8. In Pega 8, if we want to call it in a case step, we need to use a Utility shape and pass the required parameters AgentRuleSet and AgentName.

How the Standard Agent works

  1. Once the item is queued, it is pushed to the PR_SYS_QUEUES table, where the entire work object (WO) data is copied.
  2. When the agent wakes up, it reads the PR_SYS_QUEUES table, picks the items one by one and executes them.
  3. Once a queue item is successfully executed, the item is removed from the table. (The agent activity is executed as many times as there are items in the table.)
  4. Once the agent finishes executing all the queue items, it goes to sleep.

Once the queue item is moved to the PR_SYS_QUEUES table, the table holds a property called pyItemStatus whose value is Scheduled.

If the agent activity fails while executing an item in the list, that item is updated in the table with the status Broken-Process.

This entire process is managed by PRPC; therefore it is called Auto Queue Management.



Case Dependency | Wait Shape

Application of Wait Shape

The Wait shape can be used in two main ways:
  1. Case dependency 
  2. Timer

Case Dependency



Here, the flow can be configured to wait until either any one of the child cases is resolved or all the cases are resolved/reach a specified status.

Optionally, the wait step can be configured so that the current user is allowed to manually skip waiting, by selecting the check box below.

Here, not only a child case but also the parent case can be put on wait based on a specified case status (the case status could have been modified by another parallel process such as a queue processor).

Timer 




In the Timer option, we can either hard-code the specific wait time in days, hours and minutes or set it dynamically by referring to a DateTime property.

Tuesday, May 16, 2023

Previous Project Experience

Baxter Cloud Migration - Upgrade Project

Description

In this project we had to upgrade 17 legacy applications (EAcess, ELegal, JPDiscard) to Pega 8 from Pega 7, and we also had to move those applications to Pega Cloud. There were also some applications which were upgraded from Pega 5-7. Those applications had a lot of issues.

Things we did


We had to convert a lot of deprecated rules into new rule types

Obj-List --> converted to Obj-Browse

List view --> Report definition

Data-gadget HTML rules converted to data-Portal, recreated section rules and added fields again

Activities into data transforms


Challenges we faced


  • Requirement docs not available 
  • RDB-List PostgreSQL converting errors 
  • When updating HTML into functions 
  • Converted Standard agents into queue processors     

Tuesday, May 9, 2023

Interview Questions

Integration

  1. What are the different processing modes in service packages and how are they useful?

    There are two types of processing modes: Stateful and Stateless. Stateful means the pages created by the service call are not automatically cleared and remain available for the next service call, whereas in the case of Stateless the pages are cleared.

  2. What is the use of Access Groups in the service packages?

    With the help of the Access Group we get access to the application, through which we are able to access rulesets and rules.

  3. In a service, how would you authenticate a user?

    Mainly 


Explain previous project's class structure

Can we call an activity from a data transform?

What are the parameters of pxCallActivity function?

How to call a decision table from a data-transform?

What is declarative join in report definitions?

What is the difference between Connect-Rest and Service-Rest?

How can we show different content to different users in the same access group?

What is the difference between RDB methods and Obj-methods?

How do we handle SSL errors in services/connectors?

When do we use job schedulers and queue processors? Explain using examples.

What is a component in Pega, and why does Pega encourage built-on application development rather than just following the Enterprise Class Structure?

How to access the parent case data from the child case context?

We can refer to it by the keyword pyWorkCover and access the pyWorkPage of the parent.

What is a Declare On Change rule?

If we need to invoke some process, we can use this On Change declarative rule type, which is available under Decision in the class explorer. We can call an activity on change of some property. Make sure to change the activity type to On Change in the Advanced tab of the Activity rule.

What is a Declare Trigger and when do we use it?

We use a Declare Trigger whenever we need to declaratively call some business process on changes to data tables. For example, if the email address is updated in the Customer Details table, the respective user should be notified. This rule should be defined in the respective data class under the Decision category. (Make sure the activity type is changed to Trigger.)






Thursday, April 13, 2023

Access Control

 Role-based Access Control (RBAC)

RBAC is an access control model that organizes users into roles and assigns permissions to each role as appropriate.

Authentication vs Authorization

The Pega Platform implementation of role-based access control is based on two factors: authentication and authorization.

  • Authentication - Confirms the identity of the user by validating login credentials (Operator ID record)
  • Authorization - Determines the applications that the user can access (the Access Group record lists the authorized applications and the roles assigned to the members of the access group)

Role-based access control record types 

The RBAC model provides several types of records that are used to configure behavior satisfying access control needs.

  • Access Group - Identifies the application, default portal and assigned access roles for a group of users
  • Role - Maintains a list of all access records associated with a role
  • Access Deny - Restricts user access under certain conditions
  • Access of Role to Object (ARO) - Specifies the permissions that are granted to a role and access class
  • Class - Defines a collection of objects that are available to other classes or to instances of the class
  • Privilege - Associates an access role with a rule that needs to be secured
  • Rule - Defines the behavior of an application by serving as a building block

Important note: if ARO and Access Deny records are defined for the same combination of role and class, the settings on the Access Deny record override the settings on the ARO.

A privilege record is used to control access to a specific rule. Most rules list any required privileges in the Security tab of the rule form. Flow rules list the required privileges in the Process tab.

A privilege record acts as a token. To grant a privilege to a role, add the privilege record to the appropriate ARO.
Privileges are considered during the rule resolution process, but only after a candidate rule has been added to the rules cache. If users attempt to run a rule without a required privilege, the application returns an error.


Permission inheritance and dependent roles


Pega Platform allows developers to simplify permission management by inheriting access control settings from parent classes, which allows you to override only the permissions that need customization while keeping other permission settings in their default configuration.


When creating a new application, Pega Platform creates access roles for administrators, authors, managers and users. Each application-specific role inherits from a standard access role provided as part of core Pega Platform functionality. The standard access role from which permissions are inherited is called a dependent role.

Standard access roles

By default, Access Role Name records reference at least one standard role as a dependent role. For example, the <ApplicationName>:Authors role created for an application is based on the standard PegaRULES:SysAdmin4 role, which lists the default access control settings for application developers.

Some of the standard access roles provided with Pega Platform are listed in the following table.








Question

Service Agents at a marina belong to two access groups that inherit permissions from different dependent roles: Service Agents inherit permissions from PegaRULES:User1, and Service Managers inherit from PegaRULES:WorkMgr4.
Application requirements state that Service Agents and Managers can view data in Marina-Service-Data-Painting and Marina-Service-Data-Repair. Only the Service Managers can delete data from Marina-Service-Data-Painting and Marina-Service-Data-Repair.
What is the best approach to implement this requirement?

Configure an Access of Role to Object (ARO) record in Marina-Service-Data- class to include the Service Manager's delete permissions. 

Wednesday, April 5, 2023

Case Locking

Types of Case Locking in Pega



There are two types of case locking in Pega Infinity:

  1. Default Locking
  2. Optimistic Locking

Default locking is where only one operator can view/update a case at a time; the default value of the lock time is 30 mins. Optimistic locking is where multiple operators are allowed to work on the same case but only one user is allowed to update/submit the case at a time.
For example, let's say there are 3 operators working on the same case simultaneously,

Operator 1 - viewing the case
Operator 2 - viewing the case
Operator 3 - Updates/Submits a screen

--> There will be notifications on the screens of the operators 1 and 2 saying that this case is being updated by Operator 3, Refresh the screen to get latest updated values.

This can be configured on Case Settings > Locking screen



Sunday, April 2, 2023

Miscellaneous Topics

 

Pega Class related facts

https://www.youtube.com/watch?v=hA7lTYaDroQ&ab_channel=TechRidewithPK

 

Concrete vs Abstract classes



 

What is a class group?

As the name suggests it’s a group of classes. There may be multiple work classes inherited from Org-App-Work class such as Org-App-Work-ABC and Org-App-Work-XYZ.

There are 3 options to select from in the drop-down:

  • Belongs to a class group – Will be mapped to an existing parent class. For example, the Org-App-Work-ABC class can be mapped to the Org-App-Work class group.
  • Is a class group – If we select this option, a new class group instance is created with the name of the particular class. It can be viewed from Records > SysAdmin > Class Group. Use this option if a large number of class instances is created for the particular case type.
  • Does not belong to a class group – Usually this option is selected for data classes so that we can have a dedicated table. But we cannot select this option for Work classes.

(Make sure you define a key in the class group.)


Test Connection

 

We find the mapped database table in Records > SysAdmin > Database Table.

External Mapping

We don't need to explicitly map properties in the external mapping table. If the property name does not change, PRPC maps the columns in the table automatically. PRPC also handles this mapping automatically when property optimization is done for a page property, where an additional property is created in the class and assigned to it.

How to map a class to a different database table?

1. Create a database table from SQL

2. Create menu > SysAdmin > Database Table -> Provide the class name for both fields, then create and open.

3. Specify the table name and save

4. Save the class instance

 

 

Obj-Refresh-And-Lock method

https://pegalearnings.blogspot.com/2019/06/obj-refresh-and-lock-method-in-pega.html?sc=1679545569985#c4148323625021409945

Summary

The Obj-Open method can be executed with or without acquiring a lock. For example, if we just want to read the record, we can open the object without acquiring a lock.

But if we want to update the record, we must acquire the lock. Here, the lock on the WO we are trying to lock may already be held by someone else. In this case, if we just use the Obj-Open method with the lock option checked, the step fails because the lock cannot be acquired.

This is where the Obj-Refresh-And-Lock method comes into the picture. As a solution to this problem we can:

1. Open the object using the Obj-Open method without acquiring the lock

2. Call the Obj-Refresh-And-Lock method and acquire the lock (this method will not do anything if the lock is already acquired)

3. Make the necessary changes to the opened page

4. Commit the page





Note that some of the steps are commented in the above screenshot. This is only to refer to the methods used in the explanation.

Important considerations

  • The Obj-Refresh-And-Lock method has a check box "ReleaseOnCommit" which has to be checked. Otherwise the lock will be there forever. Make sure to commit after using this method.
  • We can view the records of instances which are locked using the class instances of System-Locks.
  • If we want to explicitly release the lock that has been acquired, we can call the method Page-Unlock.
  • When tracing the locks, make sure to enable the "Locking" check box in the tracer.

 

---------------------------------------------------------------------

Forward Chaining and Backward Chaining

 

This concept is used in Declare Expressions

A+B = C

We can configure the DE to execute in two different ways in the Change Tracking tab

1.      Whenever the input value changes – Forward Chaining

2.      Whenever Used – Backward Chaining


Assignment | Worklist | Workbasket | Routing

 

An assignment is an instance of a class derived from the Assign- base class. Assignments record a temporary condition of an open work object within an executing flow. In layman's terms, an assignment is a task.

Assignments are created by a flow operating on a work object, but assignments are not themselves part of the work object. The system saves data recording an assignment in instances of Assign-Workbasket (pc_assign_workbasket) or Assign-Worklist (pc_assign_worklist).

(When an operator submits the assignment, the FinishAssignment activity is executed.)

Important properties of the Assign-Worklist/Assign-Workbasket classes

1. pxRefObjectKey (Key) – This property keeps the mapping to the corresponding WO of the assignment, i.e. pxRefObjectKey = pzInsKey of the WO

2. pxFlowName (Key)

3. pxAssignedOperatorID




 

Where can you find the Assignment information in the clipboard?

newAssignPage – which comes under user pages



 

How to configure the UI when there is a delay in data loading? – Defer Load Content

 

This can be configured for dynamic layouts, repeating layouts, Table layouts or dropdowns

Enabling this will introduce a delay in loading or wait for user intervention like scrolling/ hovering to load data to the portal/ harness

This can be combined with pagination for more optimal performance.

Check in the General and Presentation tabs for the configurations



 

Access Control Mechanism

  • Role Based Access Control
  • Attribute Based Access Control

Attribute Based Access Control

It provides more granular control over the application from a security perspective.

Example

I want to show all cases of my class to all users – use RBAC

Now if I want to hide or mask a few properties, we use ABAC

 

Two rules we implement

  • Access control policy
  • Access control policy condition/ Access When

 

Actions

 

  • Read – User can open a case that meets the policy conditions or view data for such cases in lists, reports and so on
  • Update – User can create a case that meets the policy conditions or update data for such a case
  • Delete – User can delete a case that meets the policy conditions
  • Discover – User can see limited information about a case that doesn't meet the read conditions but does satisfy the discover policy conditions
  • Property Read – User has restricted visibility to property values, including property values with read and update access
  • Property Encrypt – Property is encrypted in the database, clipboard, logs and indexes. If no property read policy obfuscates the property, the decrypted value is visible to the user in UI controls

Enforcement Exceptions

1. Can only be defined on instances of Assign-, Data- and Work- classes

2. ACPs defined on Data- are not enforced in search queries

3. Only read policies are enforced in custom SQL

Prerequisites

The pzCanManageSecurityPolicies privilege should be available.

We must check in the rule to apply the changes.

 



 



 

MaskIdentity is an Access Control Policy Condition in which there are When conditions to evaluate. In the property section, define the properties along with what needs to be done.

 
