
Operator ID form
Completing the Security tab


Complete this tab to:

Access Settings

Field

Description

Update password

Click to enter the user's password. After a user is authenticated, the user can change this password from the profile display.

The settings for passwords (minimum length, number and types of characters required, whether you can re-use an old password, and so on) are set on the Security Policies landing page tab of the System landing page. Only operators with an access group including the privilege pzViewAuthPoliciesLP can see or work with the Security Policies landing page tab. For an example, see PDN article How to configure login security and password policies.

Depending on the enabled Security Policies, you may see and have to respond to a CAPTCHA test when changing a password.

Any log-in failure from any requestor type is recorded as an instance of the Log-SecurityAudit class. To view the date and time, remote host name and IP address, and user name of log-in failures, execute the standard list view rule ListofLoginFailures.

The system converts the password to a hash value using a one-way MD5 algorithm. The hashed value is also contained within the Storage Stream (BLOB) column of the pr_operators table. Using the View XML action, developers can only discover the hashed form of any operator password. The clear-text form of the password does not appear in the PegaRULES database and is never transmitted in any HTTP message to or from the workstation.

As a security feature, the passwords for [email protected] and three other initial Operator IDs can be changed only by logging in as one of the four. As a best practice, log in to [email protected] and change these four passwords to private, secure values promptly after your system is installed. Repeat after any upgrade, as your passwords are overwritten by the upgrade processing. See Atlas — Initial Operator IDs.
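
The log-in failures recorded in Log-SecurityAudit, described above, can be triaged for repeated guessing against one account and for one address failing across many accounts. The following is an added example, not Pega code: it assumes the ListofLoginFailures results have been exported to CSV by some means, and the column names, sample rows, thresholds and function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. The CSV layout and column names are assumptions; the page
# only says a failure record shows date/time, remote host, IP address, user name.
SAMPLE = """timestamp,remote_host,remote_ip,user_name
2024-05-01T09:00:05,ws17.example.test,192.0.2.10,operator.a
2024-05-01T09:00:20,ws17.example.test,192.0.2.10,operator.a
2024-05-01T09:00:41,ws17.example.test,192.0.2.10,operator.a
2024-05-01T09:01:30,ws17.example.test,192.0.2.10,operator.a
2024-05-01T10:15:00,gw.example.test,198.51.100.7,operator.b
2024-05-01T10:15:40,gw.example.test,198.51.100.7,operator.c
2024-05-01T10:16:10,gw.example.test,198.51.100.7,operator.d
2024-05-01T10:17:05,gw.example.test,198.51.100.7,operator.e
2024-05-01T11:00:00,ws33.example.test,192.0.2.33,operator.z
2024-05-01T12:05:00,ws33.example.test,192.0.2.33,operator.z
"""

def load_failures(text):
    """Parse the export into rows sorted by time, with real datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda row: row["timestamp"])

def flag(failures, group_by, threshold, distinct=None, window=timedelta(minutes=10)):
    """Return group_by values with >= threshold failures (or distinct values of
    the `distinct` column) inside any sliding window of the given length."""
    groups = defaultdict(list)
    for row in failures:
        groups[row[group_by]].append(row)
    flagged = set()
    for value, rows in groups.items():
        start = 0
        for end in range(len(rows)):
            while rows[end]["timestamp"] - rows[start]["timestamp"] > window:
                start += 1  # drop failures that fell out of the window
            span = rows[start:end + 1]
            if (len({r[distinct] for r in span}) if distinct else len(span)) >= threshold:
                flagged.add(value)
    return flagged

failures = load_failures(SAMPLE)
# Many failures against one account: repeated guessing or a locked-out user.
print("accounts:", flag(failures, "user_name", threshold=4))
# One address failing across many accounts: the password-spraying pattern.
print("sources:", flag(failures, "remote_ip", threshold=4, distinct="user_name"))
```

Tune the thresholds and window to the lockout settings configured on the Security Policies landing page tab, so that alerts fire before or at the point a lockout would.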

Allow rule check out

Select to allow this user to update rules in rulesets that use checkouts.

When this check box is selected, the Check Out or Private Edit toolbar buttons appear rather than the Save button, for rulesets that require check-out. In addition, this user has a personal ruleset that displays at the top of the ruleset list.

Note the following:

  • When check-out is enabled, the system saves the entire previous rule each time you check in a new one, supporting the Restore operation. See Restoring the earlier state of a rule.
  • Select this check box for most users of the Designer Studio, even if they do not expect to check out rules. Clear this check box for workers, managers, and anyone who does not use the Designer Studio or does not update rules.
  • Select this check box for developers who plan to use the Application Express to generate applications. When the tool generates an application, the generated rulesets are set to use check out.
  • If this check box was selected, and is cleared at a time when the operator's personal ruleset contains one or more checked-out rules, you cannot save the Operator ID form. This restriction prevents the creation of orphaned rules (rules that are checked out but cannot be checked in). Have the operator check in or delete all checked-out rules from the personal ruleset before clearing the check box. Select Designer Studio > Application > Development > Checked Out Rules to display a list of checked-out rules.

Note: For optimal performance on a production system, minimize the number of distinct users who can check out rules.

Use external authentication

Select to require that this operator be authenticated only through LDAP or other external authentication facilities. If this check box is not selected, the system uses the password on this tab to authenticate this operator.

Starting activity to execute

Identify the first activity that the system executes after this user is authenticated. The standard activity for this purpose is named Data-Portal.ShowDesktop. This activity displays the user portal defined in the user's access group.

License Type

This field affects how the License Compliance facility classifies users who authenticate using this Operator ID instance. Depending on the terms of your license arrangement, the value you select might affect license compliance tracking and usage reporting. See Working with the License Compliance facility.

In most cases, select:

  • Named if this Operator ID is a person who interacts with the system through a Web browser.
  • Invocation if this Operator ID is for processing performed through service calls, or for processing by external users (typically, through the Directed Web access feature).
