
Rule security mode

Rule security mode is a critical feature in Pega Platform™ that helps protect access to certain types of Rules, such as Activities, reports, and flow actions. These Rules might provide access to sensitive data. As a best practice, assign privileges to these Rules to prevent unauthorized access.   

As shown in the following figure, the Rule security mode on the Access Group enforces a deny-first policy. In this policy, you must have privileges granted to you to access certain information or perform specific actions. The Rule security mode determines how the system executes Rules that members of the Access Group access. 

The Rule security mode setting in a Booking Authors Access Group.

The three supported security modes for Rules are Allow, Deny, and Warn.

The default and recommended security mode is Allow. It permits users in the Access Group to run a Rule with no defined privilege or to run a privileged Rule for which the user has the appropriate privilege. If your organization requires a specific security setting for an individual Rule, specify a privilege for that Rule. 

Use Deny if you want to require privileges for all Rules and users. This setting is recommended if your organization's security policies require a granular and strict security definition. 

When Deny is the active selection and a Rule has no privilege defined, the system automatically generates a privilege and checks whether the user holds it. The generated privilege has the form <RuleType>:Class.RuleName (5), for example, Rule-Obj-Flow:MyCo-Purchase-Work-Request.CREATE (5). The system does not add the generated privilege to the Rule.

If the user has the generated privilege, the system runs the Rule. If the user lacks the generated privilege, the system denies the run and writes an error message to the PegaRULES log. 

Use Warn to identify missing privileges for a user role. The system performs the same checking as in Deny mode but only logs when the Rule or the user role does not have a specified privilege. It acts like a precheck to see whether any Rule lacks specified privileges. The pyRuleExecutionMessagesLogged activity generates the warning messages that the system writes to the PegaRULES log for missing privileges for user roles. 

Ensure that you have enough time and resources available to perform a system-wide test, including all expected users, before changing the Rule security mode. 

Note: The SECU0007 security alert is generated when an attempt is made to run a Rule that the user is not authorized to run, and the Rule security mode is set to WARN or DENY.
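To make the three modes concrete, the following is an added Python model of the decision described above; it is not Pega Platform code, and the log lines it produces are constructed for illustration rather than the platform's actual PegaRULES log or SECU0007 alert text. The Rule types, classes and the PurchaseApprover privilege are assumed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set

class SecurityMode(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    WARN = "Warn"

@dataclass
class Rule:
    rule_type: str                     # e.g. "Rule-Obj-Flow"
    applies_to: str                    # class, e.g. "MyCo-Purchase-Work-Request"
    name: str                          # e.g. "CREATE"
    privilege: Optional[str] = None    # privilege assigned on the Rule form, if any

def generated_privilege(rule: Rule) -> str:
    """Deny and Warn synthesize '<RuleType>:Class.RuleName (5)' for an unprivileged Rule."""
    return f"{rule.rule_type}:{rule.applies_to}.{rule.name} (5)"

def required_privilege(rule: Rule, mode: SecurityMode) -> Optional[str]:
    """The privilege a user must hold to run the Rule under the given mode (None = no check)."""
    if rule.privilege:
        return rule.privilege            # an explicit privilege is enforced in every mode
    if mode is SecurityMode.ALLOW:
        return None                      # Allow: unprivileged Rules run freely
    return generated_privilege(rule)     # Deny/Warn: the generated privilege is checked instead

def check_rule_execution(rule: Rule, user_privileges: Set[str],
                         mode: SecurityMode, log: List[str]) -> bool:
    """Return True if the Rule runs; append constructed log lines for unauthorized attempts."""
    needed = required_privilege(rule, mode)
    if needed is None or needed in user_privileges:
        return True
    target = f"{rule.rule_type} {rule.applies_to}.{rule.name}"
    if mode is not SecurityMode.ALLOW:
        # the SECU0007 alert is tied to unauthorized runs in Warn or Deny mode only
        log.append(f"SECU0007 unauthorized attempt to run {target}; missing {needed}")
    if mode is SecurityMode.WARN:
        # Warn performs the Deny check but only logs; the Rule still executes
        log.append(f"WARN missing privilege {needed} for {target}; Rule executed anyway")
        return True
    log.append(f"ERROR execution of {target} denied; missing privilege {needed}")
    return False
```

Running the same unprivileged Rule through all three modes with an empty privilege set shows the deny-first behaviour: Allow runs it silently, Warn runs it but logs, and Deny refuses it.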
