Application Security
1. Manage application access
2. Security policies.
Manage application access
1. How do we access the application? By providing the user name and password -
the credentials.
This process of confirming the identity of the user is called Authentication.
This is the first level of securing the app.
After the user is authenticated, what is the next level? Authorization:
the process of checking which features the user has permission to access.
In Pega, security is defined by three access control policies:
1. RBAC - Role based access control policy
2. ABAC - Attribute based access control policy
3. CBAC - Client based access control policy
RBAC - Role based access control policy - providing permissions to the user
based on the role that they belong to.
ABAC - Attribute based access control policy - used to secure information
based on a property or attribute,
i.e. sensitive data is not exposed to a user who does not have permission
to access it.
Examples: 1. Salary information - can be viewed by the HR of the organization.
2. Some data is masked, e.g. an account number shown in masked format,
passwords, or "OTP has been sent to the mobile number ********98".
CBAC - Client based access control policy - providing permissions to the user
to manage their own profile data based on certain conditions, as required for GDPR compliance.
RBAC - Role based access control policy
========================
What are the rule types in Pega used to implement RBAC?
1. Access Groups
2. Access roles
3. Access of role to Object
4. Access When
5. Access Deny
6. Privilege
All these rule types belong to the Security rule category.
What is an access group?
An access group provides permissions for the user to access the application and portal,
and defines the roles that the user belongs to.
This is fundamental to the operator rule: each operator must be associated with one or
more access groups.
When are these access groups created? What are the default access groups
provided by Pega?
When a new application is created, Pega creates two access groups:
1. Authors - operators who belong to the Authors access group can access the development
portals.
2. Users - operators who belong to the Users access group can access the user portal for
processing cases.
Each access group should contain _____________ to provide permissions to run the
case.
ans: access role
What are these access roles in the Pega platform?
Pega provides OOTB access roles; some examples are Sysadm4, securityadministrator,
PegaAPI, etc.
All these access roles are used to provide permissions to the user to access the
case.
Each operator contains one or more access groups, but only one is active at a
time.
Each access group contains one or more access roles, and all of them are active at the same
time.
e.g. Employee - HOD role, faculty role.
To implement RBAC, we need to use these 6 rule types; instead of creating all the rule
types one by one, all of them can be centrally managed using a tool called "Access
Manager".
Let us have 2 case types:
1. Employee Registration - accessed by all the candidates
2. Process offer letter - accessed by all the HR
Haritha@gmail.com -> Candidate -> can access only the Employee Registration case
type
HR@cts.com -> HR -> can access only the Process offer letter case type.
For implementing this:
1. Create 2 access groups: Candidates, HR
2. Create operators and associate them with the access groups
3. Go to the Access Manager tool and set the permissions.
Haritha@gmail.com ->JobApp:Candidate -> role : JobApp:user4
HR@cts.com -> JobApp:HR -> Role : JobApp:HRRole
Whenever we add permissions in the Access Manager tool, the rules get
added to the respective access roles.
These rules are called AROs (Access of Role to Object).
What does an ARO contain? It contains the permissions to be assigned for the case
types:
1. read instances
2. write instances
3. delete instances
4. read rules
5. write rules
6. delete rules
7. Execute reports
8. Execute activities
9. Privileges
Each of these permissions has a value in the range 0 to 5:
0 -> no access, 1 to 5 -> full access.
Which value is needed depends on the type of environment (its production level):
Sandbox or experimental - 1
Development - 2
Quality assurance or testing - 3
Staging - 4
Production - 5
We need to create a report: CandidateReports.
This report can be accessed by HR, not by the candidates.
Where is the report available? On the EmployeeRegistration case type.
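As an added example (not from these notes and not Pega's own code), the following Python model puts the pieces above together: operators, access groups, access roles and ARO settings for the two case types and the CandidateReports report. It applies Pega's production-level rule, which the notes do not spell out: a setting N grants the operation only in environments whose production level is at most N, and any role in the active access group granting access is enough; the class names and the setting values are assumed.

```python
# Added example (not from the notes): a small model of the Pega RBAC chain
# operator -> active access group -> access roles -> ARO settings per class.
# The "JobApp-Work-..." class names and all setting values are constructed.

# Production level of each environment, as listed in the notes.
PRODUCTION_LEVEL = {
    "sandbox": 1, "development": 2, "qa": 3, "staging": 4, "production": 5,
}

# ARO (Access of Role to Object): per (role, class), a 0-5 setting per
# operation. Assumed semantics: 0 denies; a value N grants the operation only
# in environments whose production level is <= N (5 = everywhere).
ARO = {
    ("JobApp:user4", "JobApp-Work-EmployeeRegistration"): {
        "read_instances": 5, "write_instances": 5, "delete_instances": 0,
    },
    ("JobApp:HRRole", "JobApp-Work-ProcessOfferLetter"): {
        "read_instances": 5, "write_instances": 5, "delete_instances": 3,
    },
    # HR may run CandidateReports, which lives on the EmployeeRegistration class.
    ("JobApp:HRRole", "JobApp-Work-EmployeeRegistration"): {
        "read_instances": 5, "execute_reports": 5,
    },
}

# Access group -> the access roles it carries (all roles are active together).
ACCESS_GROUPS = {
    "JobApp:Candidate": ["JobApp:user4"],
    "JobApp:HR": ["JobApp:HRRole"],
}

# Operator -> access groups; only the first (default) group is active.
OPERATORS = {
    "Haritha@gmail.com": ["JobApp:Candidate"],
    "HR@cts.com": ["JobApp:HR"],
}

def role_grants(role, cls, operation, env):
    """Evaluate one ARO setting against the environment's production level."""
    setting = ARO.get((role, cls), {}).get(operation, 0)
    return setting > 0 and PRODUCTION_LEVEL[env] <= setting

def is_allowed(operator, cls, operation, env="production"):
    """Access is granted if any role in the operator's active access group
    grants the operation; a missing ARO entry counts as 0 (no access)."""
    active_group = OPERATORS[operator][0]
    roles = ACCESS_GROUPS[active_group]
    return any(role_grants(role, cls, operation, env) for role in roles)
```

Note how the HR role's delete setting of 3 lets HR delete offer-letter cases in QA but not in production, which is the environment-dependent behaviour the 0-5 values encode.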
=======================================================================
Security policies
Different levels of security:
Application-level security
Application-level security focuses on protecting the application from outsiders and
unauthorized users
Reduce the risk of unauthorized users getting into or stealing data from your
application
Identify authorized users who need access to the application
Create password and authentication policies
Feature security:
Feature security focuses on the application by determining the Case Types,
features, and data that authorized users can or cannot access.
Set up security roles for Personas identified in each Case Type so that authorized
users can access the application features they need
Prevent users from viewing features or accessing data to which they should not have access
Design role-based access control (RBAC), attribute-based access control (ABAC), and client-based access control (CBAC)
To access the security policies:
Dev Studio
Configure -> Org & Security -> Authentication -> Security Policies
======================================================================
What is debugging?
The process of correcting errors in the application.
Testing - the process of checking whether the results are as expected.
ER = AR
Expected Result = Actual Result
Testing is of two types:
1. unit testing
2. Scenario testing
Unit testing - the most fundamental and simplest form of testing; it tests each individual rule.
Example: if there are 450 rules, all 450 rules have to be unit tested.
Rule1 -> Rule2 -> Rule3 (Rule3 depends on Rule2)
Example:
Flow action -> (param) -> Data page -> (param) -> Report definition
All three of these rules have to be unit tested.
How can we unit test a rule? Open any rule -> Actions -> Run.
This is called unit testing.
Example: open the Report Definition rule -> Actions -> Run;
if the data is fetched as expected, it indicates that the rule is working as
expected.
Open the single data page rule -> Actions -> Run;
if we pass the primary key column value and the value is fetched from the database,
the rule is working as expected.
We can test declare expressions, decision tables, decision trees, activities, etc.
The output of any testing is called a "test case".
What is a test case? A test case is a combination of one or more input values used to check
whether the output is as expected.
Test cases help to test multiple input values using assertions.
Scenario testing:
Automated testing, used to record a set of interactions and easily help us
find issues with the application.
It is mainly for the UI. We can record either a case type or a portal.
This is done on the user portals.
On the developer toolbar, we can find a tool -> Toggle automation recorder.
=========================================================================