Access Group :

Access Group is used to RESTRICT access to our application’s functionality. To accomplish varying levels of access control, we can CREATE multiple access groups for the same application.

An access group decides on the following:

• After logging in, users can access the portals.
• The roles, or privileges, that users have access to.
• Advanced parameters are APPLIED to new rules, such as the default rule-set name and version.

The Operator ID of a user is used to associate an access group with that user. When a user logs in with more than one access group established, the application associated with the principal access group is used. Privilege inheritance can also be used by security MANAGERS to make the process of allowing the user access to a feature protected by privilege easier. The Data-Admin-Operator-AccessGroup class defines access groups.

Access Roles :

Through the Access of Role to Object and Access Deny rule types, access roles determine the classes that a user can see, alter, and delete.

To grant permissions (capabilities) to users, use an access role name. In requestor type and access group instances, access roles can be mentioned. For a range of users, the Pega Platform includes built-in access roles ( names that begin with PegaRULES: ):

• Guests
• Administrators
• Developers
• Authenticated work users

The Rule-Access-Role-Name rule type defines access roles.

Difference :

• Authorizations are granted according to a user's access group RATHER than their role. The degree of authorization for the access group is determined by the most permissive role in the access group.
• A list of Data-Admin-Operator-AccessGroup instances is displayed on the Access Groups tab. The table shows the system's access groups and the number of operators assigned to each group whereas for the present application, the Access Roles tab displays a list of Rule-Access-Role-Name rules. You can examine, add, and remove roles from this tab.