Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 RISHABH GORE (RishabhG3964)
Macquarie Group

Macquarie Group
AU
RishabhG3964 Member since 2014 2 posts
Macquarie Group
Posted: May 18, 2022
Last activity: May 19, 2022
Posted: 18 May 2022 21:18 EDT
Last activity: 19 May 2022 3:37 EDT
Closed

How to deny admin access to users

Our application is facing a security concern wherein admin rule forms such as access groups, data types, operator rules can be opened by end users by hitting the rule form url.

Hence this resulted in vertical privilege escalation.

The end users' access group is mapped to the role - PegaRULES:WorkMgr4. 

Can you please direct how can we deny admin access to the users.

Steps to reproduce:

 

  1. Login using admin user id. Open access group rule. Open the rule form in new tab (using scroll of the mouse) . Copy the URL of the ruleform in the new tab.
  2. Login using end user operator id in incognito. Open new tab. Paste the URL copied in step1.
  3. The rule form opens, though in the current session we have logged in just using the end user operator id.
***Edited by Moderator: Pooja Gadige to change category from General to Product, add product details tag, add capability tag***
To see attachments, please log in.
Pega Platform
Low-Code App Development
Support Case Exists

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice