Security rules are invisible in a Multitenancy environment
I have installed Pega Platform 8.3.1 with Multitenancy Edition, and noticed that the Security category is not visible in the Records explorer, as shown below.
[Tenant in Multitenancy]
Initially I thought this was intentionally designed as such because Multitenancy is special, but I started to wonder. Each individual tenant instance shares the same single database, but rules and data instances are invisible across tenant instances (they are logically partitioned). I guess there are some tricks to achieve this visibility control, but we still need to manage Security rules in each tenant instance. I do not see any reason why Security rules (Access Group, Access Role Name, ARO, Privilege, etc.) should be invisible in the Records explorer. Actually, it is even possible to open Security rule instances from other interface than Records explorer.
Question: Why are Security rules hidden in the Records explorer in a tenant instance? Am I missing anything?
By default, we restrict non-security-administrator roles from viewing the Security category within the Records explorer for multitenant applications.
To access the needed security rules, one has to additionally add the PegaRULES:SecurityAdministrator role.
"Actually, it is even possible to open Security rule instances from other interface than Records explorer." -- This has actually been fixed by hiding the security instances from other interfaces as well (as part of a bug) in the later release.
As you said, after adding "PegaRULES:SecurityAdministrator" Access Role, I am now able to see the Security category in the Records Explorer. I also understand that in the future release all the Security rule instances can't be opened without this Access Role. Thanks for the info.
Just a quick additional question: this Access Group, which does not have the "PegaRULES:SecurityAdministrator" Access Role, was not manually configured by me; it was automatically generated when I created a tenant in the base Pega Platform (see the screenshot below).
The generated Access Group looks like this.
Question: I believe it is better to add the "PegaRULES:SecurityAdministrator" Access Role to the generated Access Group by default, because otherwise it will cause confusion. Of course I understand the security perspective, but let me also point out that it is very hard for most people to figure out by themselves that they need to add an additional Access Role. I read through the Multitenancy Administration Guide, but it does not talk about it.
Agreed with your point. However, it is intended not to add the securityadmin role by default, considering security constraints. To be more precise, adding the pzCanManageSecurityPolicies privilege to the 'Rule-Access-Policy' class should suffice for the requirement.