Question
Authorization Levels in Pega
Hi Guys,
I have a question around Access Control/Authorization in Pega.
Suppose I want to hide certain functionality in the application from a set of users. I can simply hide the link to that particular module/ functionality say a grid or tab or menu item using a condition such as pyAccessGroup should be XYZ (Visible When or Enable When).
Then why do we need to define authorization/security at even granular levels such as access roles and privileges.
Is this a way to make the security model more robust and at the class level also (assuming access roles incorporate various classes and associated privileges)?
If I only deny access based on the example I gave, i.e. hiding a grid or menu item from user based on a simple condition such as .pyAccessGroup=="Appl:Admin", can this security pose threats and is compromising in real time?
Please explain in detail.
Thanks!
Bhagyashree
Hiding an item on the UI does not secure the underlying functionality, it is still accessible to users. For example, if I had a menu option which called a function to delete user information (for GDPR or some other reason), if I merely hid the menu option from certain users, the function can still be accessed by all users. I would also also need to also have authorization controls on the underlying function to secure it.
You mean some end user can possibly tweak this from the front end and access the function even if the menu item is hidden?
What are such ways in which user can do this?
Any ideas?
Thanks!
Bhagyashree
Accepted Solution
Yes that's right. There are ways to get access to the functionality. One of the way is by passing a specific url in the user session. That's why its more important to restrict the security instead of just hiding menu/links etc.
Security is not just about hiding functionality from end user. there are so many cases where you want to avoid saving a record based on certain conditions(like a user attribute or a combination of values in different properties).