PRPC 6.1 SP2 Access Security LEVEL – LEARNER

Access Security (Modified).pptx


Page 1: Access Security (Modified).pptx

PRPC 6.1 SP2

Access Security

LEVEL – LEARNER

Page 2: Overview

Security combines authentication, which ensures that a person or system is a known, identified person or system, with access control, which limits which application facilities and capabilities are available to that person (or system). At runtime, Process Commander compares the capabilities that a user holds with the limitations and restrictions associated with a rule or an object, to allow or deny access. In PRPC, the security model is implemented using the following elements:

Operator ID
Access Group
Access Role
Privilege

Page 3: Objectives

After completing this chapter you will learn:

How to create the Operator ID
Details about Operator ID
How to create the Access Group
Details about Access Group
How to create the Access Role
Details about Access Role
How to create the Privilege
Details about Privilege

Page 4: Do You Know?

Operator ID

Page 5: Operator ID: Overview

Introduction: An Operator ID is an instance of the Data-Admin-Operator-ID class. The Operator ID references an Access Group that contains the RuleSet Versions, Roles, Portal Layouts, and Applications available to users. An authenticated or unauthenticated user (requestor) cannot access a Process Commander application without the Process Commander security model. Therefore, by default, all access is denied. In brief, the operator defines what a user is capable of doing, not what the user is allowed to do.

Page 6: Create Operator ID

From the Rules Explorer, expand the Organization link. Right-click on Operator ID, and click New.

Page 7: Operator ID (cont…)

General Tab: In the General tab, enter the personal details of the Operator (i.e. Title, Full Name, Position/Title, Phone and Email). The highlighted portion shows the Access Group (Data-Admin-Operator-AccessGroup) associated with the Operator.

Page 8: Operator ID (cont…)

Work Settings Tab, Organization Unit: The Organizational Unit section contains the name of the Organization, Division and OrgUnit to which the operator belongs.

Page 9: Operator ID (cont…)

Work Settings Tab, Work Group: A Work Group is a logical collection of Operators, and a Work Group usually has a manager. A work group is an instance of Data-Admin-WorkGroup. An Operator ID data instance usually identifies the Work Group to which the user belongs. Work Groups facilitate better monitoring and reporting of tasks.

Page 10: Operator ID (cont…)

Work Settings Tab, Skills (Optional): In the Skills section, enter the name of a skill rule (Rule-Admin-Skill rule type) associated with this user. Select a proficiency rating for this skill between 1 and 10, where 10 indicates the highest proficiency.

WorkBaskets: A workbasket is a named queue of open assignments that are not associated with a particular operator. It is an instance of the Data-Admin-WorkBasket class. Enter a list of workbaskets that may contain assignments for this user, with urgency threshold values.

Page 11: Operator ID (cont…)

Work Settings Tab, Get From WorkBaskets First: When selected, the system retrieves an assignment from the user's WorkList only when all of the WorkBaskets listed in the WorkBaskets array are empty. If not selected, the Get Most Urgent button, when clicked, retrieves the top assignment on the user's WorkList and accesses WorkBaskets only if this user's WorkList is empty.

Merge WorkBasket: Select to cause the Get Most Urgent button that appears on the Process Work navigation panel for this user to consolidate assignments from all the WorkBaskets in the WorkBaskets list below, sorted by assignment urgency, returning the most urgent assignment in any WorkBasket. If not selected, processing searches the WorkBaskets in the WorkBaskets array in the order listed on this tab, and the most urgent assignment from the first non-empty WorkBasket is returned.
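The retrieval order that the Get From WorkBaskets First and Merge WorkBasket settings define, as an added Python model (not Pega's code); the Assignment, WorkBasket and Operator classes and the sample assignments are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed model of the Get Most Urgent settings described on the Work
# Settings tab; the names and sample data are hypothetical, not Pega's API.

@dataclass
class Assignment:
    key: str
    urgency: int          # higher value = more urgent

@dataclass
class WorkBasket:
    name: str
    assignments: list     # open assignments not tied to an operator

@dataclass
class Operator:
    worklist: list        # this operator's own assignments
    workbaskets: list     # in the order listed on the Work Settings tab
    get_from_workbaskets_first: bool = False
    merge_workbaskets: bool = False

def most_urgent(assignments):
    return max(assignments, key=lambda a: a.urgency) if assignments else None

def from_workbaskets(op):
    """Merge WorkBasket on: pool every listed basket and return the most urgent
    overall. Off: return the most urgent of the first non-empty basket only."""
    if op.merge_workbaskets:
        return most_urgent([a for wb in op.workbaskets for a in wb.assignments])
    for wb in op.workbaskets:
        if wb.assignments:
            return most_urgent(wb.assignments)
    return None

def get_most_urgent(op):
    """Get From WorkBaskets First on: worklist is used only when every listed
    basket is empty. Off: worklist first, baskets only when it is empty."""
    if op.get_from_workbaskets_first:
        return from_workbaskets(op) or most_urgent(op.worklist)
    return most_urgent(op.worklist) or from_workbaskets(op)

def demo():
    """Same constructed data under all four flag combinations -> assignment key."""
    worklist = [Assignment("W-1", 10), Assignment("W-2", 30)]
    baskets = [WorkBasket("Intake", [Assignment("I-1", 20)]),
               WorkBasket("Escalations", [Assignment("E-1", 90)])]
    return {(first, merge): get_most_urgent(Operator(worklist, baskets, first, merge)).key
            for first in (False, True) for merge in (False, True)}
```

Note that with Get From WorkBaskets First set and Merge WorkBasket clear, the order of the WorkBaskets list decides: the Intake basket wins even though Escalations holds a far more urgent assignment.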

Page 12: Operator ID (cont…)

Work Settings Tab: Use the Scheduled Absence section to define:

When and whether this user is available to receive assignments
When this user is unavailable (e.g., on vacation or otherwise not able to process assignments)
Who is to receive assignments when this user is unavailable

Page 13: Operator ID (cont…)

Work Settings Tab: In the "Substitute Operator Type" section, complete the fields to control how Process Commander routes assignments for this operator when this operator is marked absent or unavailable. For Substitute Operator Type, choose either "Operator" or "Workbasket" so that routing rules can redirect the assignments to a substitute operator or to a workbasket during those periods.

In the "LookUp In DecisionTree" field, select a decision tree rule that returns an Operator ID, or one that returns a workbasket name, matching your selection in the Substitute Operator Type field.

In "Default To Assignee", identify the Operator ID or Workbasket name of a substitute for new assignments routed to the user identified by this Operator ID instance when that user is unavailable.

Page 14: Operator ID (cont…)

Advanced Tab, Security Settings:

Change Password: Sets the Operator password for authentication.
External Authentication: Select to require that this operator be authenticated only through LDAP or other external authentication facilities.
Allow Rule Checkout: Select to allow this user to update rules in RuleSets that require check-out.

Page 15: Operator ID (cont…)

Advanced Tab, Security Settings:

Starting Activity to execute: Identifies the first activity that the system executes after this user is authenticated. The standard activity for this purpose is named Data-Portal.ShowDesktop.

Page 16: Operator ID (cont…)

Advanced Tab, Security Settings:

License Type: Select "Named" if this Operator ID is a person who interacts with Process Commander through a Web browser. Select "Invocation" if this Operator ID is for processing performed through service calls, or for processing by external users (typically through the Directed Web Access feature).

Default Locale: Optional. It affects the processing of input dates, times, and numbers, and the presentation of displayed dates, times, and numbers.

Page 17: Do You Know?

Access Group

Page 18: Access Group: Overview

Introduction: Access Groups determine which applications, and which parts of those applications, a user can access. An access group is an instance of the Data-Admin-Operator-AccessGroup class. It specifies the Access Roles and RuleSets accessible to the user and the Portal Layout to display when the user logs in. A sample PRPC access group form looks as follows.

Page 19: Access Group: Create

From the Rules Explorer, expand the Security link. Right-click on Access Group, and click New.

Page 20: Access Group: Create

Enter a name for this Access Group in the Access Group Name field. Click Create. Then fill in the tabs described below.

Page 21: Access Group (cont…)

Layout Tab: Complete this tab to identify the Work Pools (Class Groups), Application Name, Version, and Access Roles (e.g. PegaRULES:SysAdm4) available to the Operator IDs or requestors that reference this Access Group.

Page 22: Access Group (cont…)

Layout Tab: The Application section specifies the name of the Application rule and its version. The Application rule in turn contains the set of RuleSets specific to the application. These RuleSets can also be specified in the Production RuleSets section of the form, but as a best practice the Production RuleSets section is left blank and the application rule is referenced instead.

The Roles section refers to the Access Roles for that Access Group, e.g. PegaRULES:SysAdm4, PegaRULES:SysArch4.

The WorkPools section lists all Class Groups for Work Pools in which users associated with this Access Group are permitted to enter new work objects. Each Class Group defines a Work Pool, a named collection of work types.

Page 23: Access Group (cont…)

Settings Tab: Use this tab to define the HTTP/HTTPS Home Directory, Portal Layout, and other capabilities for users or other requestors who reference this Access Group.

Page 24: Access Group (cont…)

Settings Tab, Login Settings:

HTTP/HTTPS Home Directory: Typically, accept the default of /webwb. Directories within this directory hold important static XML forms, JavaScript files, style sheets, and images.

Default Portal Layout: Identify a portal rule to indicate which portal presentation supports the requestors who reference this access group. Typical choices referencing standard portal rules are: for a worker, select WorkUser; for a manager, select WorkManager; for all developers, select Developer.

Authentication Timeout (seconds): Enter the number of seconds after which the system challenges idle browser sessions (for users of this access group), asking users to re-enter their Operator ID and password.

Page 25: Access Group (cont…)

Settings Tab, Secondary Portal Layout:

Portal Layout: Optional. For developers, you can define alternative layouts to allow them to quickly switch between layouts; this is useful in debugging. Enter the name of a Portal rule to make an additional portal presentation available to this user.

Local Customization: Leave these fields blank for an Access Group that supports logging on to Process Commander from external systems, or that supports workers or managers who never create rules.

Page 26: Access Group (cont…)

Associations Tab: Use this read-only tab to review, or quickly open, the Operator ID instances that reference this Access Group.

Page 27: Do You Know?

Access Role

Page 28: Access Role: Overview

Introduction: An access role is defined as having certain class access rights. A user can have one or more access roles, which are listed in access groups. All users in the same access group have the same roles.

Your application includes one or more predefined access groups. These access roles typically exist for users who work with the application: system administrators, architects, managers, supervisors, and basic operators, for example.

Page 29: Access Role: Create

From the Rules Explorer, expand the Security link. Right-click on Access Role Name, and click New.

Page 30: Access Role: Create

Enter a name for this Access Role in the Access Role field. Click Create. Then fill in the tabs described below.

Format – <Application-Name>:<Role-Name>

Page 31: Access Role (cont…)

Rule Details: An access role rule defines a name for a role, and represents a set of capabilities. To deliver the capabilities to users, you reference the access role name in other rule types to assign the access role to users and to provide, or restrict, access to certain classes.

Create access role names using the format <application name>:<role name>, where <application name> is the name of your application and <role name> is the name of a role that uses the application.

An access role identifies a job position or responsibility defined for an application. For example, an access role can define the capabilities of LoanOfficer or CallCenterSupervisor. The system grants users specified capabilities, such as the capability to modify instances of a certain class, based on the access roles they acquire at sign-on.

Page 32: Access Role (cont…)

Role Tab: This read-only tab provides quick access to any Access of Role to Object rules that have this access role as the first key part. Click a row to open the Access of Role to Object rule.

Page 33: Do You Know?

Privilege

Page 34: Privilege: Overview

Introduction: A Privilege allows a user with a particular role to execute certain application functions. Privileges are associated with access roles, not directly with users.

If a user has the access role with which the privilege is associated, the user has the privilege. Privileges also play a role in routing work, as users can only receive work items for which they have privileges.

Page 35: Privilege: Create

From the Rules Explorer, expand the Security link. Right-click on Privilege, and click New. The New form appears.

Page 36: Privilege: Create

Enter the name of the class to which this privilege applies in the Applies To field. Remember that privileges are inherited by child classes, so enter the name of a class at the appropriate point in the hierarchy.

Enter the privilege name in the Privilege Name field. Begin with a letter and use only letters, digits, and dashes.

Select your RuleSet and version if necessary from the selection boxes. Choose the status of this rule from the Available selection box (see the Application Developer Help) and click Create.

Page 37: About Privilege Rules

Privileges complement the security and access control features provided by access roles and RuleSet lists, by restricting access to specific rules rather than to entire classes or RuleSet versions.

Use privileges to differentiate the capabilities of different groups of users within your application.

As users (or other requestors) work with your application, the system compares the privileges they hold with the privileges required
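The chain this slide and the Privilege overview describe (Operator ID holds an Access Group, the group lists Access Roles, the roles carry Privileges, privileges are inherited by child classes, and everything not granted is denied), as an added Python model that is not Pega's code; the class hierarchy in CLASS_PARENT, the role names and the operators alice and bob are constructed for illustration:

```python
from dataclasses import dataclass
# Constructed model of the privilege check: Operator ID -> Access Group ->
# Access Roles -> Privileges. Class and role names are hypothetical.
CLASS_PARENT = {                      # child class -> parent class
    "MyCo-Loan-Work": "Work-",
    "MyCo-Loan-Work-Mortgage": "MyCo-Loan-Work",
    "MyCo-Collections-Work": "Work-",
}

@dataclass(frozen=True)
class Privilege:                      # Applies To class + Privilege Name
    applies_to: str
    name: str

@dataclass
class AccessRole:                     # <application name>:<role name>
    name: str
    privileges: frozenset

@dataclass
class AccessGroup:                    # lists the roles its operators hold
    name: str
    roles: list

@dataclass
class OperatorID:                     # references exactly one access group
    user_id: str
    access_group: AccessGroup

def has_privilege(operator, target_class, privilege_name):
    """Deny by default: True only when a role in the operator's access group
    grants privilege_name on target_class or one of its ancestors (privileges
    are inherited by child classes, never by parents or siblings)."""
    if operator is None:              # unknown or unauthenticated requestor
        return False
    allowed, cls = set(), target_class
    while cls is not None:            # walk up: target, parent, grandparent...
        allowed.add(cls)
        cls = CLASS_PARENT.get(cls)
    return any(p.name == privilege_name and p.applies_to in allowed
               for role in operator.access_group.roles
               for p in role.privileges)

# Constructed sample: LoanOfficer may approve on MyCo-Loan-Work and below.
LOAN_OFFICER = AccessRole("MyCoLoans:LoanOfficer",
                          frozenset({Privilege("MyCo-Loan-Work", "ApproveLoan")}))
SUPERVISOR = AccessRole("MyCoLoans:CallCenterSupervisor", frozenset())
alice = OperatorID("alice@myco", AccessGroup("MyCoLoans:Officers", [LOAN_OFFICER]))
bob = OperatorID("bob@myco", AccessGroup("MyCoLoans:Supervisors", [SUPERVISOR]))
```

Because the privilege is granted on MyCo-Loan-Work, alice also holds it on the child class MyCo-Loan-Work-Mortgage, but not on the parent Work- or on the sibling MyCo-Collections-Work; bob's role grants nothing, so every check for him, like every check for an unknown requestor, is denied.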

Page 38: Privilege (cont…)

Role Tab: This read-only tab provides quick access to any Access of Role to Object rules (Rule-Access-Role-Obj rule type) that reference this privilege rule (on their Privileges tab). Click a row to open the Access of Role to Object rule.

Page 39: Questions?

Page 40: Welcome Break

Page 41: Lend a Hand

Create:
Operator ID
RuleSet Version
Application Version
Access Group

Associate: Access Group to Operator ID

Add: Work User and Work Manager Portals to the Access Group

Page 42: Test Your Understanding

Operator ID is the instance of class:
– Data-Admin-Operator-ID
– Data-Admin-OperatorID

Access Group is the instance of class:
– Data-Admin-Operator-AccessGroup
– Data-Admin-Operator-Access-Group

Where do you mention the Access Group?
What is a WorkBasket?
What is a WorkGroup?

Page 43: Access Security: Summary

An Operator ID is an instance of the Data-Admin-Operator-ID class.
An Access Group is an instance of the Data-Admin-Operator-AccessGroup class. Access Groups determine which applications, and which parts of those applications, a user can access.
A user can have one or more Access Roles, which are listed in Access Groups. All users in the same Access Group have the same Access Roles.
A Privilege allows a user with a particular role to execute certain application functions. Privileges are associated with Access Roles, not directly with users.

Page 44: PRPC Access Security

You have successfully completed Access Security.