Step 5: Define the security model and organization structure
Security planning involves defining authorization and authentication strategies for your application.
- Authentication
Proving to the application that you are who you say you are.
- Authorization
Determines the functions that the application allows you to perform. This corresponds to access group and role configuration.
Security planning also involves setting up the organization structure and operator attributes.
The application provides a fine level of security in the form of access settings and denial rules. Many integration rules also incorporate authentication. For more information on the additional aspects of security, enroll in the Lead System Architect course on Pega Academy and cover the Security lessons corresponding to the following topics:
- Define authentication scheme
- Define authorization scheme
- Define organizational structure
- Define operator attributes
- Access groups, operators, and portals
Authentication schemes
The Pega 7 Platform offers the following authentication types:
- PRBasic
Based on passwords in the Operator ID data instances and the log-in form (defined by the HTML rule @baseclass.Web-Login, which your application can override).
- PRSecuredBasic
Similar to PRBasic but passes credentials using Secure Sockets Layer (SSL) using Basic HTTP authentication. The log-in form is defined by the HTML rule @baseclass.Web-Login-SecuredBasic, which your application can override.
- PRCustom
Supports access to an external LDAP directory or a custom authentication scheme.
- PRExtAssign
Supports external assignments (Directed Web Access).
- J2EEContext
Specifies that the application server in which the Pega 7 Platform is deployed uses JAAS to authenticate users.
Defining your authentication scheme
Your site can use a centralized, automated means of maintaining operator data instead of maintaining it manually in Care Management Application.
Use the Security model worksheet in the Implementation Planning Workbook to record your decisions during this procedure.
- Discuss Authentication schemes with your site's security and application server teams.
- Determine the appropriate authentication type.
For more information on authentication scheme planning, read Authentication in PegaRULES Process Commander.
Defining your authorization scheme
Care Management Application comes with a pre-defined set of access groups, roles, and privileges. You can use the application roles as a starting point, but you should create your own application-specific access groups and roles to avoid any future problems when upgrading.
Other rule types such as sections, flow actions, and activities leverage roles and privileges to allow access to these rules at run time.
Defining your access groups
Three access groups were created for you: <MyApp>:Administrator, <MyApp>:WorkManager and <MyApp>:WorkUser.
Use the Security model worksheet in the Implementation Planning Workbook to record your decisions during this procedure.
- Identify additional access groups needed for your application.
- Identify portals associated with these access groups.
Defining access roles and privileges
You can associate one or more roles to an access group. Roles are additive. The more roles that you add to an access group, the more authorization there is. Privileges can be associated with one or more roles.
Use the Security model worksheet in the Implementation Planning Workbook to record your decisions during this procedure.
- Determine which roles are needed for your application. You can use the Care Management Application roles as a starting point.
- Determine which privileges to associate with each role.
- Associate each role with an access group.
For more information, see access group and role configuration in the Pega 7 Platform help.
Defining the organization structure
Leverage the organization structure for routing and reporting within the application. Typically, the application organization structure does not map operators exactly to the site's organization chart but instead, it maps the work that those operators do.
Use the Organization structure worksheet in the Implementation Planning Workbook to record your decisions during this procedure.
- Click Designer Studio > Org & Security > Organization > Organizational Chart.
- Review the existing structure.
- Determine the organization, division, and unit levels of the hierarchy.
Defining the operator attributes
An operator's access group affects what the operator can do in the application. In addition to the access group, three fields in the operator record influence how the application handles assignment of work to the user:
- Work group
- Skills
- Calendar
Defining the operator work group
The work group setting on the operator record affects how the application delivers work to the operator.
- Review the Operator record.
- Determine the rules for assigning a work group to an operator or the role that multiple operators hold.
Use the Organization structure worksheet in the Implementation Planning Workbook to record your decisions during this procedure.
Defining the operator skills
Skill settings in the operator record affect how the application routes work to the operator. Skill settings also affect how the application gets the most appropriate work when using the Get Next Work feature. You must determine the skills that are appropriate for your application and operators.
Use the Organization structure worksheet in the Implementation Planning Workbook to record your decisions during this procedure.
- Define the skills needed for the application.
- Determine which operator records or roles should be associated with those skills.
Defining the operator calendar
The application calendar affects date calculations within the application, such as the date between business days calculation, and the SLA goal and deadline date calculation.
Use the Organization structure worksheet in the Implementation Planning Workbook to record your decisions during this procedure.
- Determine the calendar instances needed for your application.
- Determine which operator roles need a distinct calendar.
- Determine the operator location.
For more information, see Setting up calendar instances in the Pega 7 Platform help.
Access groups, operators, and portals
Care Management Application includes the following operators and access groups. Passwords are set to install.
| Operator | Access Group |
|---|---|---|
PegaCare:Configurator | CareTemplateManager@MyHealthPlan | CMBusinessAnalyst |
PegaCare:FulfillmentCoordinator | CareFullfillmentUser@MyHealthPlan | CMFullfillment |
PegaCare:CareManager | CareManager@MyHealthPlan | CMFManager |
PegaCare:MedicalDirector | MedicalDirector1@MyHealthPlan | CMFManager |
PegaCare:MedicalDirector | MedicalDirector2@MyHealthPlan | CMFManager |
PegaCare:CareTriage | CareSupportUser@MyHealthPlan | CMFSupport |
PegaCare:CareCoordinator | CareCoordinator1@MyHealthPlan | CMFUser |
PegaCare:CareCoordinator | CareCoordinator2@MyHealthPlan | CMFUser |
PegaCare:CareCoordinator | CareCoordinator3@MyHealthPlan | CMFUser |
PegaCare:CareCoordinator | CareCoordinator4@MyHealthPlan | CMFUser |
PegaCare:Administrator | CMSysAdmin@MyHealthPlan | Developer |
PegaCare:UMCoordinator | UMServiceCoordinator@MyHealthPlan | UMServiceCoordinator |
PegaCare:UMManager | UMServiceManager@MyHealthPlan | UMServiceManager |
PegaCare:PHPTriage | CustomerSupportUser@MyHealthPlan | CustomerSupportUser |
Access roles and privileges
Care Management Application includes a set of predefined access roles and privileges for the standard application user roles. For information about how to create your own access roles and privileges, see the Pega 7 Platform help or the Pega Discovery Network.
Case Types
| New Auth Request | New Auth x12/278 | New Notify | New Enroll | New Program Referral | Search Patient |
|---|---|---|---|---|---|---|
Access Role |
|
|
|
|
|
|
PegaCare:Configurator |
|
|
|
|
|
|
PegaCare:Fulfillment Coordinator |
|
|
|
|
|
|
PegaCare:CareTriage | x |
| x |
|
| x |
PegaCare:CareManager | x | x | x | x | x | x |
PegaCare:MedicalDirector |
|
|
|
|
| x |
PegaCare:CareCoordinator | x | x | x | x | x | x |
PegaCare:Administrator | x | x | x | x | x | x |
PegaCare:UMCoordinator | x | x | x |
|
| x |
PegaCare:UMManager | x | x | x |
|
| x |
PegaCare: PHPTriage |
|
|
|
|
|
|
| Appeal Case | PHP Intake |
|---|---|---|
Access Role |
|
|
PegaCare:Configurator |
|
|
PegaCare:Fulfillment Coordinator |
|
|
PegaCare:CareTriage |
| x |
PegaCare:CareManager | x | x |
PegaCare:MedicalDirector | x |
|
PegaCare:CareCoordinator |
| x |
PegaCare:Administrator | x | x |
PegaCare:UMCoordinator | x |
|
PegaCare:UMManager | x |
|
PegaCare:PHPTriage |
| x |
Previous topic Step 4: Define the data model Next topic Step 6: Customize the user experience