SidharthaMohanty Member since 2016 2 posts
Posted: 4 years ago
Last activity: 4 years 3 months ago

Securing Direct Access to activities

Hi All

We have a use case where the complete portal is exposed on the Internet. While we can expose the portal and hide the host using a reverse proxy, it does not prevent users with basic knowledge of Pega from hacking the system. For example: as a normal consumer user (through the Internet), I can access the system with a valid login/password. After that, I change the URL to "http://<<Host>>/prweb/PRServlet?pyActivity=Data-Admin-Operator-ID.getOperatorIDs". The system will give me the list of all operator IDs in the system.

One solution is that we "Access-Deny" all critical activities with a When condition (using the MayStart option). However, there are 6000+ such activities, and when I use Access-Deny, it will stop all these activities from being called whenever they are invoked.

Any pointers to other alternatives will be very helpful.



Security System Administration
Moderation Team has archived post
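The post above describes a user who authenticates normally and then rewrites the URL to call an activity by name through `PRServlet`. Whatever access-control fix is chosen on the Pega side, the reverse proxy already mentioned in the post is a useful place to see such attempts. The following Python script is an added example written for this thread, not Pega's code and not from the original poster: it parses constructed Combined-Log-Format lines from a reverse proxy sitting in front of `/prweb`, extracts the `pyActivity` parameter from the request target, and reports any activity that is not on a hypothetical allowlist of activities the consumer portal is expected to invoke by URL. The log lines, the user and IP values, and the allowlisted activity name `MyOrg-Portal.ShowHome` are all constructed placeholders.

```python
"""Report direct pyActivity invocations seen in reverse-proxy access logs.

Added example for this thread; not Pega's code and not from the original post.
Assumes the proxy in front of /prweb writes Combined Log Format lines with the
authenticated user in the third field. All log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist: activities the consumer portal legitimately calls by URL.
# The name below is a placeholder, not a real Pega activity.
ALLOWED_ACTIVITIES = {"MyOrg-Portal.ShowHome"}

# Constructed sample log lines (placeholder users, documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - consumer01 [12/Mar/2019:10:01:02 +0000] '
    '"GET /prweb/PRServlet?pyActivity=MyOrg-Portal.ShowHome HTTP/1.1" 200 5120',
    '203.0.113.7 - consumer01 [12/Mar/2019:10:03:44 +0000] '
    '"GET /prweb/PRServlet?pyActivity=Data-Admin-Operator-ID.getOperatorIDs HTTP/1.1" 200 88231',
    '198.51.100.9 - consumer02 [12/Mar/2019:10:05:10 +0000] '
    '"POST /prweb/PRServlet HTTP/1.1" 200 2048',
    '198.51.100.9 - consumer02 [12/Mar/2019:10:06:30 +0000] '
    '"GET /prweb/PRServlet?pyactivity=Data-Admin-Operator-ID.getOperatorIDs HTTP/1.1" 403 512',
]


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def activity_from_target(target):
    """Return the value of the pyActivity query parameter, or None if absent.

    The parameter name is compared case-insensitively so that variant spellings
    in the log are still surfaced for review."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in params.items():
        if key.lower() == "pyactivity" and values:
            return values[0]
    return None


def find_direct_activity_calls(lines, allowed=ALLOWED_ACTIVITIES):
    """Return (user, ip, activity, status) for each /prweb request naming an
    activity outside the allowlist.

    A 200 means the server executed the activity; other status codes are kept
    too, because a denied request is still worth knowing about."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["target"].startswith("/prweb/"):
            continue
        activity = activity_from_target(rec["target"])
        if activity is None or activity in allowed:
            continue
        findings.append((rec["user"], rec["ip"], activity, int(rec["status"])))
    return findings


if __name__ == "__main__":
    for user, ip, activity, status in find_direct_activity_calls(SAMPLE_LOG):
        print(f"{user}@{ip} invoked {activity} -> HTTP {status}")
```

Two caveats belong with this: it only inspects the query string, so an activity named in a POST body is not seen unless the proxy logs bodies, and it is a review aid, not a control. The list of operator IDs in the post is returned because the server-side activity is reachable, and only a server-side access check (the Access-Deny/When approach the post mentions, or an equivalent) actually stops it.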