We are in the process of getting security approval for our Pega platform. As we are not implementing SSO for the first release, we have been asked by security to implement the corporate security guidelines. Now most of the things are easily configurable in Pega, but there are a few where we are not able to make any progress:
1. Passwords shall be stored in a securely hashed form. Only algorithms specifically designed for password storage shall be used (e.g. bcrypt or PBKDF2).
2. The channels for providing users with their username and password shall be different from one another.
3. The system shall restrict users to only one session at a time.
4. The solution shall ensure that a single entity cannot be assigned both administrator and user roles.
Do you have any idea whether these can be configured out of the box?
In the documentation, it says that passwords are stored encrypted, but it does not detail which encryption algorithm is used.
Any help will be very much appreciated.
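For reference, this is what requirement 1 is asking for in concrete terms. The following is an added example and not Pega code or anything from the Pega documentation: a minimal PBKDF2-HMAC-SHA256 store/verify pair using only the Python standard library. The `$pbkdf2-sha256$iterations$salt$hash` string format and the iteration count are assumptions chosen for illustration; a real deployment should follow its platform's vetted password-hashing library and current iteration guidance.

```python
import base64
import hashlib
import hmac
import os

# Assumption: illustrative work factor for PBKDF2-HMAC-SHA256; tune to your
# hardware and current guidance, and raise it over time (see needs_rehash).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing, salted PBKDF2 record suitable for storage.

    Assumed record format: $pbkdf2-sha256$<iterations>$<salt b64>$<dk b64>
    The plaintext password never appears in the output and cannot be
    recovered from it, which is the difference between hashing and the
    reversible "encryption" the question is worried about.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(derived))


def _parse(stored: str):
    """Split a stored record into (iterations, salt, derived_key)."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha256":
        raise ValueError("unrecognised password record format")
    return int(parts[2]), _unb64(parts[3]), _unb64(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    iterations, salt, expected = _parse(stored)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, *, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was produced with a weaker work factor than currently required.

    Call this after a successful login so old records get upgraded transparently.
    """
    stored_iterations, _, _ = _parse(stored)
    return stored_iterations < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct :", verify_password("correct horse battery staple", record))
    print("verify wrong   :", verify_password("correct horse battery stapl", record))
    print("needs rehash   :", needs_rehash(record))
```

Two properties worth checking against any platform claiming compliance with requirement 1: the same password must produce a different stored value each time it is set (per-user random salt), and the stored value must be a one-way function of the password with a tunable work factor, not something an administrator holding a key could decrypt back to the plaintext.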
2. The channels for providing users with their username and password shall be different from one another.
This means that once a user is created in Pega, two separate notification emails should go out to the user: the first one containing the user ID and the second one containing the temporary password.
4. The solution shall ensure that a single entity cannot be assigned both administrator and user roles.
This basically means that the same user should not be both an administrator and a normal user.
- My take on this is that Pega does not limit this. It's more of an organisational thing which needs to be maintained by the administrators. Though it can so happen that email@example.com will not have access to the applications developed in Pega.