Question

1
Replies
714
Views
Sidhartha Mohanty (SidharthaMohanty)

SidharthaMohanty Member since 2016 2 posts
Posted: July 3, 2016
Last activity: July 5, 2016
Posted: 3 Jul 2016 9:40 EDT
Last activity: 5 Jul 2016 0:49 EDT
Closed

Securing Direct Access to activities

Hi All

We have a usecase where the complete portal is exposed on Internet. While we can expose the portal and hide the host using Reverse Proxy, it doesnot prevent users with basic knowledge of Pega to hack the system. For Example : As a normal consumer user (through Internet) , I can access the system through a valid login/password. After that, I change the url to "http://<<Host>>/prweb/PRServlet?pyActivity=Data-Admin-Operator-ID.getOperatorIDs". System will give me the list of all operator IDs from the system

One solution is that we "Access-Deny" with When Condition to all critical activities (with MayStart) option. However there are 6000+ such activities and when I use Access-Deny, it will stop all these activites from being called whenever they are invoked

Any pointer to other alternatives will be very helpful

Regards

Sid

Security System Administration
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.