Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Kensho Tsuchihashi (KenshoTsuchihashi)
PEGA
Senior Project Delivery Leader
Pegasystems Inc.
JP
KenshoTsuchihashi Member since 2010 205 posts
PEGA
Posted: Jan 6, 2020
Last activity: Jan 7, 2020
Posted: 6 Jan 2020 2:34 EST
Last activity: 7 Jan 2020 8:53 EST
Closed

Security issues with Multitenancy environment

Hi,

In Multitenancy environment, Multitenant Administrator (namely, "administrator@pegacom"), creates a Tenant Administrator in each individual Tenant environment.

Show More

Hi,

In Multitenancy environment, Multitenant Administrator (namely, "administrator@pegacom"), creates a Tenant Administrator in each individual Tenant environment.

Here is how to create a Tenant Administrator in base layer.
After Tenant creation, Tenant Administrator can log in to corresponding Tenant environment. Below is the auto created Access Group for this Tenant Administrator. Per Multitenancy Administration Guide, two OOTB Access Roles are given by itself - "PegaRULES:AppArchitect" and "PegaRULES:SysOpsObserver".

With only these given Access Roles, it is hard for me to get around the system - for example, you can't view any Security rules (Please see https://community1.pega.com/community/pega-support/question/security-rules-are-invisible-multitenancy-environment for details).

Just for experimental purposes, I have tried updating the Access Group by replacing "PegaRULES:AppArchitect" with "PegaRULES:SySAdm4" for greater controls, as this is the one that I usually use in regular Pega Platform environment (Standard Edition).

After this update, system got problematic.
(1) New Application can't be created any more. The menu is gone.

(2) In the Operator rule form, Access Group section is now invisible.
(3) In the Access Group rule form, Access Role section is now also invisible.

This means, I can't configure Access Group, Operator ID, nor can I create a new application any longer. And, there is no way to fix it, because there are no OOTB users available in the system. Super user "[email protected]" only exists in base layer and it does not exist in Tenant instance.

What if I had added "PegaRULES:SecurityAdministrator" Access Role in the Access Group at the first update? This way, at least I am able to see Security sections. However, still I get an error when I try to update it back to "PegaRULES:AppArchitect" from "PegaRULES:SysAdm4" as below.

In conclusion, what does this all tell as a whole? I think, product intent was to stick to "PegaRULES:AppArchitect" Access Role in Multitenancy environment for both Tenant Administrator and Application Administrator in Tenant insance. If you configure to use "PegaRULES:SysAdm4" then system will break. However it is not restricted and once you do that there is no really simple way to fix it.

Am I correct in above statement? Please let me know.

Thanks,


Show Less
To see attachments, please log in.
Security

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice