Security planning

Security planning involves defining authorization and authentication strategies for your application. It is a best practice to create new access groups and roles that are based on the default access groups and roles that come with the product. Security planning also involves setting up your organizational structure and operator attributes. Pega Care Management™ provides security in the form of access settings and denial rules. Many integration rules also incorporate authentication.

Configuration of your organizational structure

Organizations are modeled on a three-level structure:

  1. Organization
  2. Division
  3. Organizational Unit

The structure that you create affects many parts of the Pega Care Management application, such as the management reports, statistics, and rules that are available to users in that organization.

The organizational structure can affect how and where work is routed and who can access which parts of a system. It can be used to determine which calendars users see and to which queues work is routed. As a best practice, set up the organizational structure as early as possible in the project rather than leaving it to the end.

The Operator ID record associates each user with one Organization, Division, and Organizational Unit, which places the user in the correct part of the organization. For example, an organization could set its structure as UPlus Health (organization), Care Management (division), and Program Referrals (an organizational unit). The following figure shows a sample organizational chart in Dev Studio:

Organizational Structure

A correct organizational structure can help you to implement common functionality without custom development. Examples include:

  • Providing access to certain functionality based on a user’s position within the hierarchy.
  • Restricting access to certain functionality based on the user’s hierarchy position.
  • Routing work items to the appropriate queue, based on the owner of the work and the owner's position in the hierarchy.
  • Reporting and division of data on reports.

To configure your organizational structure, perform the following steps:

  1. In the header of Dev Studio, click Configure > Org & Security > Organization > Organizational Chart.
    The Organizational Chart access from the header of Dev Studio
  2. Review the existing structure.
  3. Determine the organization, division, and unit levels of the hierarchy.
    Edit Organizational Hierarchy

Authentication strategies

Define the authentication strategies for your application. Authentication proves to the application that you are who you say you are. Pega Platform™ offers the following authentication types:

  • PRBasic 
    Based on passwords in the Operator ID data instances and the login form. The login form is defined by the HTML @baseclass.Web-Login rule, which your application can override.
  • PRSecuredBasic 
    Similar to PRBasic, but passes credentials by using Secure Sockets Layer (SSL) with Basic HTTP authentication. The login form is defined by the HTML @baseclass.Web-Login-SecuredBasic rule, which your application can override.
  • PRCustom 
    Supports access to an external LDAP directory or a custom authentication scheme.
  • PRExtAssign 
    Supports external assignments (Directed Web Access).
  • J2EEContext
    Specifies that the application server in which Pega Platform is deployed uses JAAS to authenticate users.

Authorization schemes

Pega Care Management comes with a set of predefined access groups, roles, and privileges. You can use the application roles as a starting point, but you should create your own application-specific access groups and roles to avoid any future problems when upgrading.

Other rule types such as sections, flow actions, and activities use roles and privileges to allow access to these rules at run time.

The following table lists access roles and Pega Care Management features. An X in a table cell indicates that a person with the specified role can access the corresponding feature. To change what a role can do, for example, to let the PegaCare:UMCoordinator help with new program enrollments or new program referrals, modify the access rights for that role.

Access roles and Pega Care Management features