
Authentication and authorization

Managing access to an application is extremely important to both Pega and our client organizations. The goal of Pega's application access protocol is to maintain the availability, integrity, and confidentiality of an application. Pega Platform™ provides features that are both flexible and layered, ensuring that only certain users can access an application and that, once granted access, they can perform only certain tasks.

In this topic, you review two fundamental aspects of application access in Pega Platform: authentication and authorization.

Authentication

Authentication deals with who can access an application, and it is Pega's first line of defense in securing an application.

In Pega Platform, authentication methods ensure that only users and systems with verified identities can access applications, web pages, APIs, and data. Authentication covers three directions: users presenting credentials to the application, Pega Platform authenticating itself to the external services it calls, and external services authenticating themselves when they call Pega Platform.

The system must authenticate the user's credentials before the user can access an application. Generally, these credentials consist of the Operator ID, which is normally the user's email address, and a password known only to that user.

Depending on the security requirements of the organization, applications can implement more robust authentication services (including SAML 2.0, OpenID Connect, or token credentials) to provide single sign-on (SSO). SSO limits repetitive requests for credentials when users move between systems or applications, and it shifts credential verification to a central identity provider. Configuring the authentication service rule to enforce policies such as multi-factor authentication improves application security.

Note: For more information about authentication in Pega applications, see Authentication.

Authorization

Authentication addresses who can access an application; authorization addresses what users can do after they access an application.

Authorization models define the access that users have to specific features of a Pega Platform application. For example, you can restrict the ability of users to view data or perform certain actions at runtime. You can limit a business or system architect's ability to create, update, or delete rules at design time or determine access to certain application development tools, such as the Tracer tool.

Pega Platform offers three complementary authorization models:

  • Role-based access control (RBAC): RBAC organizes users into roles and assigns each role the privileges it needs. A user's effective privileges are the union of the privileges of the roles assigned to that user.
  • Attribute-based access control (ABAC): ABAC decides whether a specific user can access a specific object (a Case, field, or document) by comparing attributes of that object with attributes of the user requesting access. ABAC policies apply in addition to RBAC; they can narrow what a role allows, not widen it.
  • Client-based access control (CBAC): CBAC focuses on tracking and fulfilling requests to view, update, or remove the personal customer data that Pega Platform holds across your applications, such as the data-subject requests that the EU GDPR and similar regulations require.

Note: For more information about authorization in Pega applications, see Authorization. For related training materials, see Access control.
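In Pega Platform these models are configured declaratively rather than coded, but the decision logic they encode is easy to show. The following Python is an added example written for this page, not Pega Platform code: it layers an RBAC check (does any of the user's roles grant this action on this class?) with ABAC predicates (do the user's attributes match the object's attributes?) and a field-level ABAC rule that masks a PII field for users who may see the case but not that field. The roles, users, claims, and policies are hypothetical sample data constructed for the example; CBAC is not modelled.

```python
"""Layered RBAC + ABAC authorization check (added example, not Pega Platform code).

RBAC answers "may this role perform this action on this class at all?".
ABAC then answers "may this particular user touch this particular object?"
by comparing object attributes with user attributes. Both must pass.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    operator_id: str   # Pega-style Operator ID, normally an e-mail address
    roles: frozenset   # access roles assigned to the user
    region: str        # user attribute consumed by the ABAC policy


@dataclass(frozen=True)
class Claim:
    claim_id: str
    region: str        # object attribute compared against User.region
    amount: float
    ssn: str           # PII field, masked unless a field policy allows it
    status: str


# RBAC: role -> allowed (object class, action) pairs. Hypothetical roles.
ROLE_PRIVILEGES = {
    "ClaimsAgent":   {("Claim", "view"), ("Claim", "update")},
    "ClaimsManager": {("Claim", "view"), ("Claim", "update"), ("Claim", "approve")},
    "Auditor":       {("Claim", "view")},
}


# ABAC predicates: (user, obj, action) -> bool. Every predicate for the
# object's class must hold; a predicate can only deny, never grant.
def same_region(user, obj, action):
    """Users may only touch claims filed in their own region."""
    return user.region == obj.region


def closed_claims_read_only(user, obj, action):
    """Once a claim is closed, nobody may change or approve it."""
    return action == "view" or obj.status != "Closed"


ABAC_POLICIES = {"Claim": [same_region, closed_claims_read_only]}

# Field-level ABAC: a field is returned unmasked only if its predicate holds.
FIELD_POLICIES = {
    "Claim": {"ssn": lambda user, obj, action: "ClaimsManager" in user.roles},
}


def rbac_allows(user, obj_class, action):
    """True if any of the user's roles carries the (class, action) privilege."""
    return any((obj_class, action) in ROLE_PRIVILEGES.get(role, set())
               for role in user.roles)


def abac_allows(user, obj, action):
    """True only if every attribute predicate for the object's class holds."""
    return all(p(user, obj, action)
               for p in ABAC_POLICIES.get(type(obj).__name__, []))


def authorize(user, obj, action):
    """Return (allowed, reason). RBAC runs first; ABAC can only narrow it."""
    obj_class = type(obj).__name__
    if not rbac_allows(user, obj_class, action):
        return False, f"RBAC: no role of {user.operator_id} grants {action} on {obj_class}"
    if not abac_allows(user, obj, action):
        return False, f"ABAC: attributes of {user.operator_id} do not permit {action} on {obj.claim_id}"
    return True, "allowed"


def visible_fields(user, obj):
    """Return the object's fields for display, masking protected fields.
    Returns an empty dict if the user may not view the object at all."""
    allowed, _ = authorize(user, obj, "view")
    if not allowed:
        return {}
    rules = FIELD_POLICIES.get(type(obj).__name__, {})
    return {name: value if name not in rules or rules[name](user, obj, "view") else "***"
            for name, value in vars(obj).items()}


# Constructed sample data (hypothetical, not from Pega documentation).
AGENT_EAST = User("agent.east@example.com", frozenset({"ClaimsAgent"}), "East")
MANAGER_WEST = User("manager.west@example.com", frozenset({"ClaimsManager"}), "West")
AUDITOR_WEST = User("auditor@example.com", frozenset({"Auditor"}), "West")
CLAIM_WEST = Claim("C-1001", "West", 2500.0, "123-45-6789", "Open")
CLAIM_CLOSED = Claim("C-1002", "West", 900.0, "987-65-4321", "Closed")

if __name__ == "__main__":
    for user, claim, action in [(AGENT_EAST, CLAIM_WEST, "update"),
                                (AUDITOR_WEST, CLAIM_WEST, "update"),
                                (MANAGER_WEST, CLAIM_WEST, "approve"),
                                (MANAGER_WEST, CLAIM_CLOSED, "approve")]:
        print(user.operator_id, action, claim.claim_id, authorize(user, claim, action))
    print(visible_fields(AUDITOR_WEST, CLAIM_WEST))
```

The ordering matters for both security and diagnostics: the RBAC check is cheap and role-wide, so it runs first and produces a reason that names the missing privilege, while the ABAC check runs only on objects the role could in principle reach and can only deny. The field rule shows why ABAC is evaluated per field as well as per object: the auditor may open the claim but still must not see the SSN.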

As a Pega Business Architect, you must understand every Persona that interacts with the application, the Tasks and Processes for which each is responsible, and what each should and should not be able to view because of PII or other regulatory requirements. Once you document that information, the project's Lead System Architect (LSA) uses it to configure the authentication and authorization that protect the application, the organization, and its customers.
