Updated on April 21, 2021

Define the authorization and authentication strategies for your application. Authentication proves to the application that you are who you say you are. Authorization determines the functions that you can perform in the application. This corresponds to an access group and role configuration.

Security planning involves defining authorization and authentication strategies for your application. It is a best practice to create new access groups and roles that are based on the default access groups and roles that come with the product. Security planning also involves setting up the organization structure and operator attributes. The application provides security in the form of access settings and denial rules. Many integration rules also incorporate authentication.

The following topics are included in this section:

  • Implementing the security model and organization structure
  • Configuring your organization structure
  • Authentication schemes
  • Authorization scheme
  • Operator attributes

Implementing the security model and organization structure

After you review the existing groups and roles and determine which additional groups and roles you need, log in to Dev Studio as an administrator and create them.

  • For Access groups, click Configure > Application > Structure > Access Groups and Users.
  • For Access roles, click Configure > Org & Security > Tools > Security > Role Names.
For more information, see Groups and related topics.

Defining the organization structure

Use the organization structure for routing and reporting within the application. Typically, the application organization structure does not map operators exactly to the site's organization chart; instead, it maps the work that those operators do.

Tip: For design guidance, see Setting up your organization structure.
  1. In the header of Dev Studio, click Configure > Org & Security > Organization > Organizational Chart.
  2. Review the existing structure.
  3. Determine the organization, division, and unit levels of the hierarchy.

Authentication schemes

The Pega Platform offers the following authentication types:

  • Based on passwords in the Operator ID data instances and the login form. This is defined by the HTML @baseclass.Web-Login rule, which your application can override.
  • Similar to PRBasic, but passes credentials by using Secure Sockets Layer (SSL) with Basic HTTP authentication. The login form is defined by the HTML @baseclass.Web-Login-SecuredBasic rule, which your application can override.
  • Supports access to an external LDAP directory or a custom authentication scheme.
  • Supports external assignments (Directed Web Access).
  • Specifies that the application server in which the Pega Platform is deployed uses JAAS to authenticate users.

Authorization scheme

Pega Care Management comes with a predefined set of access groups, roles, and privileges. You can use the application roles as a starting point, but you should create your own application-specific access groups and roles to avoid any future problems when updating.

Other rule types such as sections, flow actions, and activities use roles and privileges to allow access to these rules at run time.

For additional information, see Pega Care Management access roles and privileges.

Note: You can review the Pega Care Management access groups and roles in App Studio.

Access roles and privileges

Pega Care Management includes a set of predefined access roles and privileges for the standard application user roles. For information, see Pega Care Management access roles and privileges on the Pega Care Management product page.

For information about creating your own access roles and privileges, see Access roles.

Access groups and users

Your care management application includes access groups and users.

To view the access groups, in the header of Dev Studio, click Configure > Org & Security > Groups & Roles > Access Groups.

To view the access roles, in the header of Dev Studio, click Configure > Org & Security > Groups & Roles > Access Roles.

Defining the operator attributes

An operator's access group affects what the operator can do in the application. In addition to the access group, the following fields in the operator record influence how the application handles assignment of work to the user.

Tip: In many implementations, it is more efficient for the application to set values in the operator record during the authentication process than it is to have an administrator manually maintain these records. These rules must be configured as part of the authentication mechanism for your site. For more information, see Authentication services.

For more information, see Operators.

Defining the operator work group

The work group setting in the operator record affects how your application delivers work to the operator. Review the Operator record and determine the rules for assigning a work group to an operator or the role that multiple operators hold.

  1. In the header of Dev Studio, click Configure > Org & Security > Organization > Operators.
  2. Select an operator ID.
  3. On the Work tab, review the work group information for the operator record.
  4. Determine your policy for assigning a work group to an operator or the role that multiple operators hold.

Defining the operator skills

Skill settings in the operator record affect how the application routes work to the operator. Skill settings also affect how the application gets the most appropriate work when using the Get Next Work feature. You must determine the skills that are appropriate for your application and operators.

  1. Define the skills that are needed for the application.
  2. Determine which operator records or roles should be associated with those skills.

Defining the operator calendar

The application calendar affects date calculations within the application, such as the date between business days calculation, and the SLA goal and deadline date calculation. The calendar on the operator record is relevant only if you have users who are not working in the same time zone as the rest of the organization. Otherwise, the application uses the calendar on the organization record and you can skip this step.

Operator calendars affect chat availability. If a chat request comes in before or after the business hours defined in the specified calendar, the requestor receives the "Off-hours behavior" message.
  1. Determine the calendar instances that are needed for your application.
  2. Determine which operator roles need a distinct calendar.
  3. Determine the operator location.
    For more information, see Specifying calendar navigation options.