
Basic access control

While authentication verifies the identity of users, authorization determines their access rights and permissions within the application. This mechanism manages what users can access, as well as the roles and permissions required to perform specific actions, which helps ensure that users interact with the application following predefined security policies. 

Pega Platform™ offers four types of authorization: 

  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)  
  • Client-based access control (CBAC)
  • Basic access control (BAC)

Each of these types of authorization complements the others to provide secure access to the application. You can also combine these authorization features to provide the strictest level of control. The RBAC mechanism is your top priority when configuring the actions that users can perform in the application. Access control begins by associating users with a Persona (users associated with an Access Group).

RBAC focuses on access to objects where instance-level or row-level security access is defined. ABAC complements RBAC to define security access at a specific property in the instance of a class, where property-level or column-level security is defined. ABAC is particularly useful when you want to mask some characters of an attribute value or when you want to discover the presence of the instance but cannot permit users to open and read the instance.  

The next level of access control is protecting the personally identifying information of customers. CBAC helps you satisfy the data privacy requirements of the European Union General Data Protection Regulation and similar regulations. CBAC rules define where to store and how to access personal data. Personal data is associated with an actual person, not an abstract entity such as a business. 

Basic access control

Basic Access Control (BAC) is a Pega Platform security feature that prevents unauthorized requests from the user interface layer, including sections, custom controls, and harnesses. BAC validates requests at the application layer to block URL tampering and unauthorized server-side activity calls through JavaScript or AJAX.

BAC addresses the OWASP Broken Access Control vulnerability by ensuring that only authorized UI components can invoke activities. BAC adds a layer of protection beyond authentication, preventing authenticated users from making unauthorized server calls.

How BAC works

  • Operates at the application layer by using autogenerated controls.
  • Enforces security rules in @baseclass by using the following When Rules:
    • pzSecureFeatures
    • pyShowSecureFeatureWarnings
    • pyBlockUnregisteredRequests

Development considerations

  • Custom code can introduce broken access controls.
  • Use the Access Control Check tool in Dev Studio to identify and fix issues before enabling BAC enforcement. Otherwise, features might fail.
  • Access Control Check provides a list of rules that you must refactor for compliance.

Attack vectors and scenarios that BAC prevents

Basic Access Control (BAC) mitigates critical security risks by validating requests at the application layer. It prevents:

URL manipulation

Users attempt to alter URL parameters to access restricted sections. BAC verifies requests at the application layer and blocks unauthorized access attempts that rely on URL manipulation.

Direct activity invocation

Malicious scripts attempt to invoke activities directly by using JavaScript or AJAX. BAC ensures that requests originate from authorized UI components and prevents execution of sensitive operations such as data changes or privilege escalation.

Unauthorized server calls

Authenticated users attempt to perform actions that exceed their role-based permissions. BAC verifies authorization for each server call to prevent misuse of privileges.
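The three scenarios above all come down to one application-layer decision: is this server call coming from a registered UI component that is allowed to invoke this activity, and does the caller's role permit the activity at all? The following Python model is an added illustration, not Pega Platform code and not how the platform implements BAC internally. The component registry, the role table, the URL shape (query parameters named `component` and `activity`) and the `Request`/`Decision` types are all constructed for this example. It shows how a tampered URL, a direct call with no originating component, and a role violation each get blocked with a distinct reason.

```python
"""Conceptual model of application-layer request validation (added example).

Nothing here is Pega code: the registry, role table, URL shape and
request/decision types are constructed to illustrate the principle of
blocking unregistered or unauthorized activity calls.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Constructed registry: UI components the application generated, and the
# server-side activities each component is registered to invoke.
REGISTERED_COMPONENTS: Dict[str, Set[str]] = {
    "SectionOrderSummary": {"LoadOrder"},
    "ControlApproveButton": {"ApproveOrder"},
}

# Constructed role model: the activities each role may run at all.
ROLE_ACTIVITIES: Dict[str, Set[str]] = {
    "Agent": {"LoadOrder"},
    "Manager": {"LoadOrder", "ApproveOrder"},
}


@dataclass
class Request:
    operator: str
    role: str
    component: Optional[str]  # None models a direct JavaScript/AJAX call
    activity: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def request_from_url(operator: str, role: str, url: str) -> Request:
    """Build a Request from a constructed URL shape where the query string
    carries the component and activity names (the URL-manipulation case)."""
    qs = parse_qs(urlsplit(url).query)  # blank values are dropped, so an
    component = qs.get("component", [None])[0]  # empty component reads as None
    activity = qs.get("activity", [""])[0]
    params = {k: v[0] for k, v in qs.items() if k not in ("component", "activity")}
    return Request(operator, role, component, activity, params)


def validate_request(req: Request) -> Decision:
    """Decide whether the request may reach the activity, and why not if not."""
    # Role check: an authenticated user may still lack rights to the activity.
    if req.activity not in ROLE_ACTIVITIES.get(req.role, set()):
        return Decision(False, "role does not grant activity")
    # Registration check: the call must originate from a registered UI
    # component that is allowed to invoke this specific activity.
    if req.component is None:
        return Decision(False, "direct invocation without UI component")
    allowed = REGISTERED_COMPONENTS.get(req.component)
    if allowed is None:
        return Decision(False, "unregistered component")
    if req.activity not in allowed:
        return Decision(False, "component not registered for activity")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Legitimate call from a generated section.
    ok = request_from_url("alice", "Manager",
                          "/app?component=SectionOrderSummary&activity=LoadOrder&orderId=42")
    # URL manipulation: same section, activity parameter rewritten.
    tampered = request_from_url("alice", "Manager",
                                "/app?component=SectionOrderSummary&activity=ApproveOrder&orderId=42")
    # Direct invocation: script calls the activity with no UI component.
    direct = request_from_url("alice", "Manager", "/app?activity=ApproveOrder&orderId=42")
    # Unauthorized server call: an Agent pressing a button its role never grants.
    overreach = Request("bob", "Agent", "ControlApproveButton", "ApproveOrder")
    for name, req in [("ok", ok), ("tampered", tampered), ("direct", direct), ("overreach", overreach)]:
        print(f"{name:10s} -> {validate_request(req)}")
```

The order of the checks matters for the reason a defender sees in the log: a role violation is reported before the registration check, so a blocked request from a registered component tells you whether the fix is in the role definition or in the component registration.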

Troubleshoot Basic Access Control issues

Use this topic to identify and resolve common issues related to BAC in Pega Platform applications.

Warning signs of BAC issues

  • Features work in development but fail when BAC enforcement is enabled.
  • SECU0019 alerts that indicate unauthorized requests appear in the logs.
  • Custom code bypasses access control patterns.
  • Activities are incorrectly set to allow direct invocation from clients or services.
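When SECU0019 alerts start appearing, the useful next step is to turn them into the list of activities and calling components that need refactoring or registration. The following Python triage script is an added example, not a Pega tool and not the platform's real alert log format: the log line layout (timestamp, `ALERT`, alert ID, then `key=value` fields named `operator`, `activity` and `component`) and all sample lines are constructed for this illustration. Only the alert ID SECU0019 comes from the page.

```python
"""Triage constructed SECU0019 alert lines into a refactoring list (added example).

The line format and the sample lines are constructed for this example; they
are not the platform's actual alert log format.
"""
import re
from typing import Dict, List

# Constructed sample log: two unregistered calls from a legacy control, one
# direct call with no component, and an unrelated alert that must be ignored.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z INFO  request ok operator=alice activity=LoadOrder
2024-05-01T10:02:15Z ALERT SECU0019 operator=bob activity=ApproveOrder component=ControlLegacyApprove
2024-05-01T10:03:40Z ALERT SECU0019 operator=bob activity=ApproveOrder component=ControlLegacyApprove
2024-05-01T10:05:02Z ALERT SECU0019 operator=carol activity=ExportCases component=
2024-05-01T10:06:30Z ALERT OTHER0001 operator=dave activity=LoadOrder component=SectionOrderSummary
"""

# Only SECU0019 lines are of interest; everything after the alert ID is key=value.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+ALERT\s+SECU0019\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_secu0019(text: str) -> List[Dict[str, str]]:
    """Return one dict per SECU0019 line with its timestamp and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SECU0019 alert
        fields = dict(KV_RE.findall(m.group("rest")))
        fields["ts"] = m.group("ts")
        events.append(fields)
    return events


def refactoring_list(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group blocked requests by activity: how often, from which components
    (or direct calls with no component), and which operators hit them."""
    summary: Dict[str, dict] = {}
    for e in events:
        entry = summary.setdefault(
            e["activity"], {"count": 0, "components": set(), "operators": set()}
        )
        entry["count"] += 1
        entry["components"].add(e.get("component") or "(direct call)")
        entry["operators"].add(e["operator"])
    return summary


def prioritized_activities(summary: Dict[str, dict]) -> List[str]:
    """Activities ordered by how many blocked requests they produced."""
    return sorted(summary, key=lambda a: (-summary[a]["count"], a))


if __name__ == "__main__":
    summary = refactoring_list(parse_secu0019(SAMPLE_LOG))
    for activity in prioritized_activities(summary):
        info = summary[activity]
        print(f"{activity}: {info['count']} blocked, components={sorted(info['components'])}, "
              f"operators={sorted(info['operators'])}")
```

An activity that shows up only with "(direct call)" points at custom JavaScript or AJAX that invokes it outside any UI component, which matches the Issue 3 pattern below; an activity reported from a named component points at a control that has not been registered.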

Common implementation issues and resolutions

Issue 1: Misconfigured access roles

  • Review role definitions.
  • Apply the least privilege principle.
  • Use access control reports.
  • Test with different roles.

Issue 2: Incorrect When rule configuration

  • Review When Rules in @baseclass.
  • Extend security controls correctly.
  • Use Tracer to observe rule execution.

Issue 3: Custom code bypassing BAC

  • Use Access Control Check to identify issues.
  • Review custom JavaScript and AJAX calls.
  • Register all custom controls.

Issue 4: Broken access controls during development

  • Run Access Control Checks during sprints.
  • Add security checkpoints before deployment.
  • Train developers on secure coding practices.
  • Use a BAC checklist during code reviews.

Resolution framework for BAC issues

Follow this structured process to address BAC issues:

  1. Identify symptoms
    Record indicators such as alerts, failed functionality, or audit findings.

  2. Diagnose the issue
    Use the Access Control Check tool to determine the root cause.

  3. Review documentation
    Examine applicable policies, technical documentation, and Rule configurations for compliance and accuracy.

  4. Apply corrective actions
    Reconfigure settings, update rules, or refactor code as needed.

  5. Validate the resolution
    Conduct comprehensive testing that confirms successful resolution and prevents recurrence.

  6. Document outcomes
    Record corrective measures and results to support future reference and organizational learning.


