Posted: 6 Jan 2020 2:34 EST Last activity: 7 Jan 2020 8:53 EST
Security issues with Multitenancy environment
In Multitenancy environment, Multitenant Administrator (namely, "administrator@pegacom"), creates a Tenant Administrator in each individual Tenant environment.
Here is how to create a Tenant Administrator in base layer. After Tenant creation, Tenant Administrator can log in to corresponding Tenant environment. Below is the auto created Access Group for this Tenant Administrator. Per Multitenancy Administration Guide, two OOTB Access Roles are given by itself - "PegaRULES:AppArchitect" and "PegaRULES:SysOpsObserver".
Just for experimental purposes, I have tried updating the Access Group by replacing "PegaRULES:AppArchitect" with "PegaRULES:SysAdm4" for greater controls, as this is the one that I usually use in a regular Pega Platform environment (Standard Edition).
After this update, the system got problematic.
(1) New Application can't be created any more. The menu is gone.
(2) In the Operator rule form, the Access Group section is now invisible.
(3) In the Access Group rule form, the Access Role section is now also invisible.
This means I can't configure Access Groups or Operator IDs, nor can I create a new application any longer. And there is no way to fix it, because there are no OOTB users available in the system. The super user "firstname.lastname@example.org" only exists in the base layer and does not exist in the Tenant instance.
What if I had added the "PegaRULES:SecurityAdministrator" Access Role to the Access Group at the first update? This way, at least I am able to see the Security sections. However, I still get an error when I try to update it back to "PegaRULES:AppArchitect" from "PegaRULES:SysAdm4", as below.
In conclusion, what does this all tell us as a whole? I think the product intent was to stick to the "PegaRULES:AppArchitect" Access Role in a Multitenancy environment for both the Tenant Administrator and the Application Administrator in the Tenant instance. If you configure it to use "PegaRULES:SysAdm4" then the system will break. However, it is not restricted, and once you do that there is really no simple way to fix it.
Am I correct in the above statement? Please let me know.