Achieving Authentication and Authorization in one go
We are trying to achieve Authorization and Authentication for users of an application in one go.
The user IDs and their corresponding roles (whether an Admin, External User or Internal User etc) are defined in a Global Corporate Database, which is used by all other applications that the business uses. These are all global users and shall have access to all applications and similar roles everywhere.
Now any such user logs into the Pega application for the first time, we want Pega to create same operator ID with password and similar Access Group in Pega with the corresponding roles as the ones present in the Global Corporate Database.
Does Pega support this type of integration at the time of logging in to Pega to fetch and dynamically create access roles and privileges for the created users.
Also roles in the Global Corporate Database are often changed and hence having the option to manually sync those roles with Pega is out of question. In this scenario, when can the syncing be done- during login or after a point the user logs in.
I dont think we can directly map the roles and privileges in your corporate database to pega access group directly. You need to create access group based on the your corp roles.
if you are using LDAP authentication, you can customize the authentication activity in Auth service for creating operators and assigning specific access group. Check AuthenticationLDAPVerifyCredentials activity in which operators are created and its properties are mapped from LDAP directory. This activity you can customize and write some logic to determine the access group, based on that you can set the access group to that operator.
We have a similar situation where the users have entitlements you can call them access roles. We have a datapage that is configured to get the entitlements. A datatype is used to map the entitlements with the accessgroups. As mentioned by Vanaa in the post above, you can customize the authentication activity to and use such datapage to give fresh set of accessgroups everytime a user logs in.
Not sure, If you are aware of using a model user to create an operator based on attributes received from SAML response(If your sso is SAML based). In such case, the attributes recieved from sso can be used to create the operator too