Security tab on the Operator ID form

Use the Security tab to manage the operator's password, authentication settings, and license type.

From the Security tab, you can do the following actions:
  • Update a password.
  • Allow application developers to check rules in and out.
  • Turn on external authentication for this operator.
  • Identify a starting activity to run after an operator is authenticated.
  • Force password change on next login.
  • Disable an operator.
  • Classify a user.
Note: The Unattended operator (robot) check box is selected if this operator is a robotic automation virtual machine (VM). Unattended operators are generated for each registered VM in a robotic process automation (RPA) solution.

Complete the following steps:

  1. To change your password, click Update password.

    1. In the Change Operator ID Password dialog box, in the New Password field, enter your new password.

    2. In the Confirm New Password field, reenter the password to confirm it.

    3. Click Submit.

    The system converts the password to a hash value by using the bcrypt algorithm. The hashed value is stored in the Storage Stream (BLOB) column of the pr_operators table. Even with the View XML action, you can see only the hashed form of an operator password, never the plain text.

    You can set the password policy from Configure > System > Security Policies.

    Any login failure is recorded as an instance of the Log-SecurityAudit class. You can view the date and time, remote host name and IP address, and user name of login failures by running the standard list view rule ListofLoginFailures.

    As a security feature, the passwords for [email protected] and three other initial Operator IDs can be changed only by logging in as one of those operators.

  2. To allow this user to update rules in rulesets that use rule checkout, select the Allow rule check out check box.

    When this check box is selected, the Check Out or Private Edit toolbar buttons are displayed instead of the Save button, for rulesets that require checkout. In addition, this user has a personal ruleset that is displayed at the top of the ruleset list.

    See the following list for checkout usage information:

    • When checkout is enabled, the system saves the previous rule each time you check in a new one, supporting the Restore operation. See Restoring the earlier state of a rule.

    • Select this check box for most users of Dev Studio, even if they do not expect to check out rules. Clear this check box for workers, managers, and anyone who does not use Dev Studio or does not update rules.

    • Select this check box for developers who plan to use the New Application wizard to generate applications. When the tool generates an application, the generated rulesets are set to use check out.

    • If this check box was selected but is then cleared at a time when the operator's personal ruleset contains one or more checked-out rules, you cannot save the Operator ID form. This restriction prevents the creation of orphaned rules - rules that are checked out but cannot be checked in.

      The operator can check in or delete all checked-out rules from the personal ruleset before clearing the check box. The operator can select Pega Platform > Application > Development > Checked Out Rules to display a list of checked-out rules.

      Note: For optimal performance on a production system, minimize the number of distinct users who can check out rules.

  3. To authenticate this operator only through external authentication facilities, select the Use external authentication check box.

    If external authentication is disabled, the system uses the password on this tab to authenticate this operator.

  4. To force the operator to change their password the next time they log in, select the Force password change on next login check box.

  5. To disable the operator, select the Disable Operator check box.

    Note: If the operator is one of the operators that ship with Pega Platform, set a new password that complies with the security policies: click Update Password, then send the new password to the enabled operator.

  6. In the Starting activity to execute field, specify the first activity that the system runs after this user is authenticated. The default is Data-Portal.ShowDesktop.

  7. In the License type list, select the license type.
    • Named – Human users who do business operations by using a Pega application or customer-created interface
    • Invocation – Abstract users that are used for agents, services, and other background processes, and external users whose processing is typically done through the Directed Web Access feature

Operator IDs and external identity providers

If you implement authentication by using an external identity provider (IdP), the login process contacts the IdP for authentication and ignores the password in this Operator ID instance. However, an Operator ID data instance is still needed for each user.

Security audits

Using the optional security audit feature, your application can present in the History Details information about which values were added, updated, or removed from an Operator ID instance.

Operator ID passwords are saved as hashed values in the PegaRULES database, using the bcrypt (default) algorithm. Two property types are used when changing the password: the Password type for the New Password field, and the Text type for the Confirm Password field. The Data-Admin-Operator-ID.pyPwdCurrent property stores the entered password after it is validated.

See Configuration Settings Reference on Pega Community for details on this and other cryptographic settings. See Using the bcrypt hashing algorithm for Password property types for more information about the Password property type.
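As an added example (not Pega Platform code), the following Python models the login decisions that the Security tab settings above configure: only a salted one-way hash is kept in the operator record, a disabled operator or a failed check is refused and recorded with the fields the page lists for Log-SecurityAudit, external authentication ignores the local hash, and the force-change flag marks an otherwise successful login. Because bcrypt is not in the Python standard library, hashlib.scrypt stands in for it here; the Operator, SecurityAudit and authenticate names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical model of the Security tab's login rules (not Pega code).
# Pega uses bcrypt; hashlib.scrypt stands in as the salted one-way hash.
SCRYPT = dict(n=2 ** 14, r=8, p=1)

def hash_password(password, salt=None):
    """Return 'scrypt$<salt>$<digest>'; only this string is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(digest.hex(), digest_hex)

@dataclass
class Operator:
    user_id: str
    pwd_current: str                  # hashed form only (pyPwdCurrent analogue)
    disabled: bool = False            # Disable Operator check box
    use_external_auth: bool = False   # Use external authentication check box
    force_password_change: bool = False

@dataclass
class SecurityAudit:
    failures: list = field(default_factory=list)  # Log-SecurityAudit analogue

def authenticate(op, password, remote_host, ip, audit, idp_ok=False):
    """Return 'ok', 'change-password', or 'denied'.
    idp_ok: constructed outcome of the external IdP check (hypothetical)."""
    def fail():
        # A failure records date/time, remote host, IP address, and user name.
        audit.failures.append({"time": datetime.now(timezone.utc).isoformat(),
                               "host": remote_host, "ip": ip, "user": op.user_id})
        return "denied"
    if op.disabled:
        return fail()
    # External authentication: the IdP decides; the local hash is ignored.
    verified = idp_ok if op.use_external_auth else verify_password(password, op.pwd_current)
    if not verified:
        return fail()
    return "change-password" if op.force_password_change else "ok"
```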