Sunday 30 March 2008

PRPC Access Control: OperatorIDs, Access Groups, and Roles

The OperatorID (an instance of Data-Admin-Operator-ID) is the starting point. Here you assign a single Access Group (an instance of Data-Admin-Operator-AccessGroup), which supplies the access control profile for the user.
The Access Group has three distinct mechanisms for conveying access rights:
  1. RuleSets or Application – grants access to individual RuleSets and/or the RuleSets contained in an Application
  2. Work Pools – grants access to the work objects contained within a specific Class Group
  3. Roles – define rights to both instances and rules at the class level

The Role itself (Rule-Access-Role-Name) is just a predefined name. On its own it neither conveys nor denies access. The Role to Object records (Rule-Access-Role-Obj) contain the linkages between a Role and a specific class. To make managing these linkages simpler, PRPC 5.x has a Security Wizard that can be accessed by selecting Tools->Security->Role Names and double-clicking the role you want to manage.

The wizard allows you to associate any number of classes with the Role. The security model is deny-by-default: PRPC will not grant access unless it is explicitly provided. The Role to Obj linkages let you specify:
  • Open, Modify, Delete, and Browse on instances of a class, and
  • Open, Modify, Delete, and Execute on rules contained by a class.

Each of these rights is assigned a numeric value from 0 to 5, which is compared against the "Production Level" setting in the System record.

The production level values can be:
To convey access, the number in the Role to Obj linkage must be greater than or equal to (>=) the current system's Production Level. A value of 0 therefore never grants the right and a value of 5 grants it at every level; values in between grant it only on systems whose Production Level is at or below that number. Because the comparison is made against the live system setting, a production system whose Production Level has been left at a development value silently unlocks every lower-valued right, so verifying that setting is part of hardening a deployment. Incidentally, the Production Level can be found on the clipboard at pxProcess.pxAdminSystem.pyProductionLevel.
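The chain described above (OperatorID to Access Group to Roles to Role-to-Obj records, with the >= Production Level comparison) can be modelled in a few lines so the effect of each value is easy to reason about. The following is an added example written for this post, not Pega code: the operator, access-group, role and class names are constructed, and the one rule it assumes beyond the text is that when several roles apply to the same class the most permissive value wins.

```python
"""Added example: a toy evaluator for PRPC's OperatorID -> Access Group ->
Role -> Role-to-Object chain.  Not Pega code; every name below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Rights a Rule-Access-Role-Obj record can carry, per the post.
INSTANCE_ACTIONS = ("Open", "Modify", "Delete", "Browse")
RULE_ACTIONS = ("Open", "Modify", "Delete", "Execute")


@dataclass
class RoleObj:
    """One Rule-Access-Role-Obj record: what a role may do on one class.
    Values run 0-5; 0, or an action that is simply absent, grants nothing."""
    role: str
    applies_to: str
    instances: Dict[str, int] = field(default_factory=dict)
    rules: Dict[str, int] = field(default_factory=dict)


@dataclass
class AccessGroup:
    """Data-Admin-Operator-AccessGroup, reduced to the roles it carries."""
    name: str
    roles: List[str]


@dataclass
class Operator:
    """Data-Admin-Operator-ID: points at exactly one access group."""
    operator_id: str
    access_group: str


def effective_level(operator: Operator, groups: Dict[str, AccessGroup],
                    role_objs: List[RoleObj], target: str, kind: str,
                    action: str) -> int:
    """Highest Role-to-Obj value any of the operator's roles grants for
    (target class, kind, action).  Deny by default: no linkage means 0.
    Assumption (not stated in the post): when several roles apply, the
    most permissive value wins, so we take the max."""
    group = groups[operator.access_group]
    best = 0
    for ro in role_objs:
        if ro.role in group.roles and ro.applies_to == target:
            table = ro.instances if kind == "instance" else ro.rules
            best = max(best, table.get(action, 0))
    return best


def is_allowed(operator: Operator, groups: Dict[str, AccessGroup],
               role_objs: List[RoleObj], target: str, kind: str,
               action: str, production_level: int) -> bool:
    """The post's rule: access is conveyed only when the Role-to-Obj value
    is >= the system's Production Level (pyProductionLevel, 1-5)."""
    if not 1 <= production_level <= 5:
        raise ValueError("Production Level must be 1-5")
    valid = INSTANCE_ACTIONS if kind == "instance" else RULE_ACTIONS
    if action not in valid:
        raise ValueError(f"{action!r} is not a {kind} right")
    level = effective_level(operator, groups, role_objs, target, kind, action)
    return level >= production_level


# ---- constructed sample data (not taken from any real PRPC system) ----
ROLE_OBJS = [
    # Ordinary users: day-to-day rights; Delete only up to level 2 (development)
    RoleObj("MyCo:User", "MyCo-Work-Claim",
            instances={"Open": 5, "Modify": 5, "Delete": 2, "Browse": 5},
            rules={"Execute": 5}),
    # Auditors: may delete up to level 4, never at level 5 (production)
    RoleObj("MyCo:Auditor", "MyCo-Work-Claim",
            instances={"Open": 5, "Delete": 4, "Browse": 5}),
    # Rule authors: may open/modify rules up to level 3
    RoleObj("MyCo:RuleAuthor", "MyCo-Work-Claim",
            rules={"Open": 3, "Modify": 3, "Execute": 5}),
]
GROUPS = {
    "MyCo:Users": AccessGroup("MyCo:Users", ["MyCo:User"]),
    "MyCo:Auditors": AccessGroup("MyCo:Auditors", ["MyCo:User", "MyCo:Auditor"]),
    "MyCo:Developers": AccessGroup("MyCo:Developers", ["MyCo:User", "MyCo:RuleAuthor"]),
    "MyCo:Empty": AccessGroup("MyCo:Empty", []),   # an access group with no roles
}
OPERATORS = {
    "tjones": Operator("tjones", "MyCo:Users"),
    "jsmith": Operator("jsmith", "MyCo:Auditors"),
    "dev1": Operator("dev1", "MyCo:Developers"),
    "nobody": Operator("nobody", "MyCo:Empty"),
}


def can(operator_id: str, target: str, kind: str, action: str, level: int) -> bool:
    """Convenience wrapper over the constructed sample data."""
    return is_allowed(OPERATORS[operator_id], GROUPS, ROLE_OBJS,
                      target, kind, action, level)


if __name__ == "__main__":
    for who in OPERATORS:
        for lvl in (2, 4, 5):
            print(who, "Delete MyCo-Work-Claim @ Production Level", lvl, "->",
                  can(who, "MyCo-Work-Claim", "instance", "Delete", lvl))
```

Running it shows the same operator being allowed to delete a claim on a development system (level 2) and refused on a production one (level 5), and the `nobody` operator refused everything even at level 1, which is the deny-by-default behaviour the post describes.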