We have a usecase where the complete portal is exposed on Internet. While we can expose the portal and hide the host using Reverse Proxy, it doesnot prevent users with basic knowledge of Pega to hack the system. For Example : As a normal consumer user (through Internet) , I can access the system through a valid login/password. After that, I change the url to "http://<<Host>>/prweb/PRServlet?pyActivity=Data-Admin-Operator-ID.getOperatorIDs". System will give me the list of all operator IDs from the system
One solution is that we "Access-Deny" with When Condition to all critical activities (with MayStart) option. However there are 6000+ such activities and when I use Access-Deny, it will stop all these activites from being called whenever they are invoked
Any pointer to other alternatives will be very helpful
Have you tried the implicit privileges option on the access group?
Set the Rule Security Mode to Warn and then run through the application (accessing all features of the application) and change the mode to deny. This will white list the activities that are allowed. Please follow the instructions in the below PDN article.