Hi - We have a requirement to access a Pega Work Object as a public URL. We thought of using the Pega Web Mashup, and passing the operator ID & password as parameters in index.html of the server. We want to know if any other approach exists to achieve this. The requirement is that when a user clicks a URL, it should open a work object without asking for login information, collect some details from the visitors who launched the URL, and pass them back to Pega.
Any interaction with a Pega server that should be in some way restricted needs to know who the user is and what they are authorized to do, and so must challenge the user to authenticate themselves. If you are using Mashup, then ideally your hosting website has already done this and can channel through an access token to Pega where an Authentication Service - perhaps specifically for this Mashup channel - determines the user.
FYI, Pega Infinity has introduced a "URL Mappings" feature that allows you to create a case-type-specific URL for directly accessing a single work item instance, if your Pega instance is internet-facing. See "Enable search by third-party search engines" for more details. Again, the user will still need to be authorized to open instances of that type and will still therefore need to be authenticated.
If viewing the details of the work object is genuinely unrestricted, I recommend using a dedicated Authentication Service for this channel that authenticates to a default user - associated with an extremely locked-down access group - that has no more access control than it needs to accomplish the public operations.
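The token pass-through described in the reply above, sketched as an added example (not part of the original thread and not Pega code or a Pega API): the hosting site's server mints a short-lived token bound to one case, and a validating service maps a valid token to a single locked-down operator, so no operator ID or password ever appears in index.html. The key, the operator name `PublicIntakeUser`, the case ID format and both function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. In practice: a secret shared only between the hosting
# site's server and the validating service, never delivered to the browser.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Hypothetical name for the locked-down default operator the reply recommends.
PUBLIC_OPERATOR = "PublicIntakeUser"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def mint_link_token(case_id, key=DEMO_KEY, ttl=900, now=None):
    """Hosting-site server: issue a token naming one case, with an expiry."""
    now = int(time.time()) if now is None else now
    body = _b64(json.dumps({"case": case_id, "exp": now + ttl}).encode())
    return f"{body}.{_sign(body, key)}"

def resolve_operator(token, requested_case, key=DEMO_KEY, now=None):
    """Validating side: return the operator to run as, or None to refuse."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        # Constant-time comparison; verify before trusting any claim.
        if not hmac.compare_digest(sig, _sign(body, key)):
            return None  # forged or altered token
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token
    if claims.get("exp", 0) <= now:
        return None  # expired link
    if claims.get("case") != requested_case:
        return None  # token was issued for a different work object
    # The token never selects the identity: every valid link resolves to the
    # same least-privileged operator, regardless of what the caller sends.
    return PUBLIC_OPERATOR

if __name__ == "__main__":
    t = mint_link_token("W-1001")  # constructed case ID
    print(resolve_operator(t, "W-1001"), resolve_operator(t, "W-1002"))
```
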