Question

How to deny admin access to users

RISHABH GORE (RishabhG3964), Macquarie Group, AU
Posted: 18 May 2022 21:18 EDT
Last activity: 19 May 2022 3:37 EDT
Closed

Our application is facing a security concern wherein admin rule forms such as access groups, data types, operator rules can be opened by end users by hitting the rule form URL. Hence this resulted in vertical privilege escalation. The end users' access group is mapped to the role - PegaRULES:WorkMgr4.

Can you please direct how we can deny admin access to the users?

Steps to reproduce:

- Log in using admin user id.
- Open access group rule.
- Open the rule form in a new tab (using scroll of the mouse).
- Copy the URL of the rule form in the new tab.
- Log in using end user operator id in incognito.
- Open a new tab.
- Paste the URL copied in step 1.
- The rule form opens, though in the current session we have logged in just using the end user operator id.

***Edited by Moderator: Pooja Gadige to change category from General to Product, add product details tag, add capability tag***

Pega Platform, Low-Code App Development, Support Case Exists