Rule security mode
Rule security mode is a critical feature in Pega Platform™ that helps protect access to certain types of Rules, such as Activities, reports, and flow actions. These Rules might provide access to sensitive data. As a best practice, assign privileges to these Rules to prevent unauthorized access.
As shown in the following figure, the Rule security mode on the Access Group enforces a deny-first policy. In this policy, you must have privileges granted to you to access certain information or perform specific actions. The Rule security mode determines how the system runs Rules that members of the Access Group access.
The three supported security modes for Rules are Allow, Deny, and Warn.
The default security mode is Allow. It permits users in the Access Group to run a Rule with no defined privilege or to run a privileged Rule for which the user has the appropriate privilege. If your organization requires a specific security setting for an individual Rule, specify a privilege for that Rule.
Use Deny if you want to require privileges for all Rules and users. This setting is recommended if your organization's security policies require a granular and strict security definition.
The system automatically generates a privilege if Deny is the active selection and a privilege is not defined for a Rule. It checks whether a user has that privilege. The privilege is made up of <RuleType>:Class.RuleName (5). for example, Rule-Obj-Flow:MyCo-Purchase-Work-Request.CREATE (5). The system does not add the generated privilege to the Rule.
If the user has the generated privilege, the system runs the Rule. If the user lacks the generated privilege, the system denies the run and writes an error message to the PegaRULES log.
Use Warn to identify missing privileges for a user role. The system performs the same checking as in Deny mode but only logs when the Rule or the user role does not have a specified privilege. It acts like a precheck to see whether any Rule lacks specified privileges. The pyRuleExecutionMessagesLogged activity generates the warning messages that the system writes to the PegaRULES log for missing privileges for user roles.
Ensure that you have enough time and resources available to perform a system-wide test, including all expected users, before changing the Rule security mode.
補足: The SECU0007 security alert is generated when an attempt is made to run a Rule that the user is not authorized to run, and the Rule security mode is set to WARN or DENY.
Check your knowledge with the following interaction:
このトピックは、下記のモジュールにも含まれています。
トレーニングを実施中に問題が発生した場合は、Pega Academy Support FAQsをご確認ください。