Authorization design considerations
Authorization in Pega Platform™ involves controlling access to application features and data based on user roles and privileges. When designing your authorization scheme, it's essential to align access controls with organizational policies, compliance requirements, and application architecture. Consider the following points to help you effectively structure and secure your authorization model:
Matrix planning and model selection
Create a matrix that outlines access roles, privileges, and attributes that require protection. Choose one or more of the following models:
- Role-based access control (RBAC): Grants permissions based on predefined roles. Suitable for static job functions such as Manager or Customer Service Agent.
- Attribute-based access control (ABAC): Evaluates dynamic attributes such as time, location, or data sensitivity. Enables context-aware access decisions.
- Client-based access control (CBAC): Protects personal customer data, especially for GDPR compliance. Tracks and processes requests to view, update, or delete personally identifiable information (PII).
- Basic access control (BAC): Prevents unauthorized UI-layer requests, such as URL-based exploits. Recognized by OWASP as a top security measure.
You can use these models individually or in combination to meet specific security and compliance needs. For more information, see Authorization.
Rule security mode and access groups
To enforce least privilege, configure access groups with the Deny rule security mode, under which a rule is accessible only when it carries an explicit privilege that the user holds. If your application requires explicit privileges for access:
- Set the rule security mode to Deny.
- Review the rule security mode setting on each access group to ensure alignment with your security posture. For more information, see Deny Rule security mode.
Securing reports, attachments, and background processes
Define security for the following elements:
- Reports: Use ABAC to restrict visibility based on user attributes or case sensitivity.
- Attachments: Ensure that sensitive files are accessible only to authorized roles.
- Background processes: Assign scoped access groups to automated processes such as job schedulers or batch jobs.
Developer access controls
Secure developer access by applying the following controls:
- Limit administrator rights to only necessary developers.
- Restrict which developers can create Activity rules or SQL Connector rules.
- Enforce rule-level auditing to track modifications to sensitive rules.
- Prevent developers from updating passwords for other users.
Least privilege principle
Assign users the minimum level of access required to perform their job functions. This reduces the risk of unauthorized access and potential data breaches.
Compliance alignment
Ensure that your authorization model complies with applicable industry standards and regulatory requirements, including:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX)
- Federal Information Processing Standards (FIPS 140-3) for encryption
Dynamic authorization
Implement dynamic authorization to support adaptive security policies. This approach evaluates conditions such as time, location, and workload in real time.
Example: Traders can make trades only during market hours when a supervisor is online.
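The following added example (not Pega Platform code) models the behaviour described in the rule security mode and dynamic authorization sections above: a deny-by-default decision that combines an RBAC privilege matrix, the Allow/Warn/Deny rule security modes, and the ABAC conditions from the trading example. Role, privilege and rule names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed RBAC matrix: role -> privileges it grants (illustrative names, not Pega's).
ROLE_PRIVILEGES = {
    "Trader": {"ViewPositions", "ExecuteTrade"},
    "Supervisor": {"ViewPositions", "ExecuteTrade", "ApproveTrade"},
    "Auditor": {"ViewPositions"},
}

# Rule -> privilege it requires. None models a rule on which no privilege was configured.
RULE_PRIVILEGE = {
    "ViewPositions": "ViewPositions",
    "ExecuteTrade": "ExecuteTrade",
    "LegacyReport": None,  # no privilege set: the gap that Deny mode closes
}

# Constructed market hours for the ABAC condition.
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)


@dataclass
class Request:
    roles: set
    rule: str
    security_mode: str  # "Allow", "Warn" or "Deny", as set on the access group
    now: time
    supervisor_online: bool = False


def authorize(req: Request) -> tuple[bool, str]:
    """Return (decision, reason). Every applicable check must pass, otherwise deny."""
    required = RULE_PRIVILEGE.get(req.rule)
    if required is None:
        # A rule without a privilege is refused only in Deny mode; Allow and Warn
        # let it run (Warn additionally logs), which is why Deny is the least-privilege choice.
        if req.security_mode == "Deny":
            return False, f"{req.rule} has no privilege; denied by Deny rule security mode"
        return True, f"{req.rule} has no privilege; permitted by {req.security_mode} mode"
    granted = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in req.roles))
    if required not in granted:
        return False, f"none of {sorted(req.roles)} grants {required}"
    # ABAC layer: the dynamic conditions from the trading example above.
    if req.rule == "ExecuteTrade":
        if not (MARKET_OPEN <= req.now < MARKET_CLOSE):
            return False, "outside market hours"
        if not req.supervisor_online:
            return False, "no supervisor online"
    return True, "allowed"
```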
Ongoing maintenance
Regularly review and update roles and permissions to reflect changes in job functions or business needs. This ensures that your authorization scheme remains effective and compliant.