Executive Summary
Security best practices require operator accounts to have only the minimum privileges necessary for their role. In some cases, operators may have access to Pega development portals and studio experiences such as Dev Studio (Developer), Admin Studio (pxAdminStudio), App Studio and related low-code design experiences (including pxExpress and pxApplicationWizardPortal), or Prediction Studio (pxPredictionStudio).
Alternatively, operators may be assigned Access Roles that permit design-time or administrative actions intended only for developer or administrative personas. This may indicate over-entitlement caused by provisioning patterns, Access Group configuration, or overly broad role assignments.
Immediate action is required to review and restrict Pega development portal access, Access Group assignments, and elevated Access Roles so they align with least-privilege security principles.
Impact
Granting access to Pega development portals and studio experiences such as Dev Studio (Developer), Admin Studio (pxAdminStudio), App Studio and related low-code design experiences (including pxExpress and pxApplicationWizardPortal), or Prediction Studio (pxPredictionStudio), or assigning overly permissive Access Roles, can introduce the following risks:
|
Risk |
Examples include |
|---|---|
|
Unintended rule or configuration changes |
Examples include unauthorized or unnecessary creation or modification of Case Types, flows, views, Data Objects, Decision Rules, RuleSets, or Application Settings through App Studio, Dev Studio, or related low-code design experiences. |
|
Exposure of administrative capabilities to non-technical users |
Examples include access to administrative Landing Pages, Data Maintenance utilities, Access Management settings, Integration configuration, or Case Management controls in Dev Studio, Admin Studio, or App Studio that are not intended for end-user personas. |
|
Expanded attack surface and higher impact of credential compromise |
Examples include an attacker using a compromised credential tied to elevated Access Roles to update Application Rules, change Access Group assignments, modify Operator settings, alter Integrations, or introduce unauthorized configuration changes through Dev Studio, Admin Studio, App Studio, or equivalent administrative functions. |
|
Reduced ability to meet audit and compliance requirements |
Examples include difficulty proving that only approved developer or administrative personas can create or update application artifacts, change Access Controls, or modify configuration in Dev Studio, App Studio, Admin Studio, Prediction Studio, or related low-code design surfaces. |
|
Difficulty enforcing least-privilege access |
Examples include SSO or directory group mappings that assign Access Groups exposing Dev Studio, Admin Studio, App Studio, Prediction Studio, or related design capabilities more broadly than intended, making least-privilege enforcement difficult across operator populations. |
Root Cause
This issue is typically caused by access configuration and provisioning patterns that assign overly permissive Access Groups, Access Roles, or portal access to operators who do not require them. In Pega, risk is introduced not only by access to development portals such as Dev Studio or App Studio, but by the combination of portal access and the roles included in the Access Group.
In many cases, the assigned roles are the more significant factor because they can allow administrative or design-time actions even when development portal access is limited.
Pega has observed several recurring causes for excessive studio access:
- Model operators configured with overly permissive Access Groups: A model operator used for operator provisioning includes Access Groups with development portals and/or roles intended for developer or administrative personas. As a result, newly created operators inherit excessive privileges by default.
- SSO or directory mappings assigning overly broad access: Identity mappings assign Access Groups that include development portals, administrative capabilities, or Access Roles beyond what the user requires.
- Temporary or legacy access: Access granted during implementation, testing, or troubleshooting was not removed, leaving development portal access and/or elevated Access Roles in place longer than necessary.
How can I tell if I’m affected?
Your environment may be impacted if end users, model operators, or broadly assigned SSO or directory-mapped accounts are assigned Access Groups, portals, Access Roles that allow development, administrative, or other design-time actions beyond what their intended persona requires.
An Access Group should be treated as studio-enabled if it exposes development or administrative portals such as Dev Studio, App Studio, Admin Studio, or Prediction Studio, and/or includes roles and privileges that permit design-time or administrative actions.
The supported methods below can be used to identify likely excessive access and then validate whether that access aligns with approved developer, architect, administrator, end-user, or provisioning personas. In addition, please see: Viewing Access Groups and operators
|
Step |
Action |
|---|---|
Step 1: Identify studio-enabled Access Groups |
Use the Access Group administration capabilities available in your environment to review Access Groups and identify those that should be treated as studio-enabled. Depending on your version and configuration, this review may be performed from Dev Studio, an administrative landing page, or another supported security administration area.
|
Step 2: Determine which operators and provisioning sources use those Access Groups |
For each Access Group identified in Step 1, determine which operators, model operators, and provisioning sources are associated with it by using the administration UI, available reports, or exports supported in your environment.
|
Step 3: Validate access against intended personas |
For each operator or mapped population identified in Step 2, confirm whether the assigned access aligns with the intended persona.
If end users, model operators, or broadly mapped directory populations are found to have studio-enabled Access Groups or elevated Access Roles that are not required for their intended persona, your environment should be treated as affected and remediated. |
Optional Method 2: Access Group-Centric Review
- Use the Access Group administration capabilities available in your environment to open each Access Group identified as studio-enabled.
- For each Access Group, determine which operators, model operators, or mapped populations are associated with it by using supported UI views, reports, or exports available in your environment.
- Open the Access Group
- View associated operators
This approach can be efficient when the number of operators is large, but findings should still be validated against assigned roles and intended personas.
Optional Method 3: Reporting for Ongoing Governance
Where supported, reporting can be used to make the review repeatable for governance purposes.
- Create a Report Definition on:
- Class: Data-Admin-Operator-ID
- Include fields:
- .pyUserIdentifier (Operator ID)
- .pyAccessGroup
- Apply filter:
- Access Group IN (list of studio-enabled Access Groups)
Important: Reporting feasibility depends on how Access Group relationships are stored and exposed in your environment. Some configurations may maintain Access Group relationships in structures that affect reporting behavior, completeness, or performance. Any report output should be treated as an aid to identification and validated against Access Group configuration and intended personas.
Optional Method 4: SQL-Based Analysis (Advanced Use Cases Only)
In environments that require large-scale or automated analysis, database-level review may be considered only where it is supported by your operational and governance model.
- Query operator-to–Access Group relationships at the database level
- Filter results based on identified studio-enabled Access Groups
Conceptual example only:
SELECT OperatorID, AccessGroup
FROM pr_operator_access_group_map
WHERE AccessGroup IN ('<studio-enabled-access-group-1>', '<studio-enabled-access-group-2>');
Important considerations:
- Exact table structure and naming may vary by version, deployment model, and client implementation.
- Access Group relationships may require transformation, joins, or interpretation of implementation-specific structures.
- Any SQL-based output should be validated against supported administration views before remediation decisions are made.
Operator Access Validation
To validate that identified operators have studio-enabled access:
- Review Access Group configuration to confirm that it enables studio capabilities.
- Where appropriate, sign in with a representative operator account and confirm access behavior.
Required Actions
- Restrict studio-enabled access to named developers, architects, and administrators only.
- Remove studio-enabled access from the following:
- Model operators used for provisioning
- End-user Access Groups
- Create dedicated run-time-only Access Groups for end users.
- Remove the following where no longer required:
- Legacy or temporary access
- Overly permissive configurations
Recommended Target State
- End users are assigned run-time-only Access Groups; studio-enabled Access Groups are reserved for named developer, architect, and administrator personas.
- Model operators used for automated provisioning, including SSO, LDAP, or other identity-based provisioning mechanisms, are run-time only and do not include studio-enabled Access Groups or elevated Access Roles for end-user populations.
- External identity group mappings are reviewed so that end-user directory groups cannot map to studio-enabled Access Groups.
- A designated administrator or security owner performs periodic access reviews, including during major releases, after SSO changes, and as part of routine security reviews.
Validation (Post-Remediation)
Validate remediation by:
- Verifying end users do not have studio-enabled Access Groups
- Ensuring provisioning sources (model operators and SSO/directory mappings) cannot reassign studio access on login for end-user populations.
- Spot-checking a representative sample of operators against expected personas (end-user run-time vs. named developer/admin).
- Reviewing monitoring/audit logs for unexpected studio access from end-user populations after changes are deployed.
These changes are configuration-based and can typically be implemented incrementally without downtime.
Frequently asked questions
|
Question |
Answer |
|
Do end users need access to Dev Studio, App Studio, etc., to use a Pega application? |
No. End users can fully run Pega applications through run-time portals without access to any studio. |
|
What counts as a “studio-enabled” Access Group? |
Any Access Group that provides Dev Studio or App Studio portals (or equivalent design-time capabilities) and the associated roles/privileges that allow rule creation or configuration changes should be treated as studio-enabled and restricted to approved personas. |
|
Does this apply to SSO-provisioned users? |
Yes. Environments that use SSO commonly rely on model operators and Access Group mappings. If a model operator or external directory group mapping points to a studio-enabled Access Group, large numbers of end users can unintentionally inherit studio access. |
|
What is the recommended target state? |
(1) End users have run-time-only Access Groups. (2) Studio-enabled Access Groups are limited to named developers, architects, and administrators. (3) Provisioning sources, including model operators and SSO or directory mappings, cannot assign studio-enabled Access Groups to end-user populations. |
|
Will removing studio access disrupt users? |
It should not impact end users when they have appropriate run-time-only Access Groups. Validate remediation by having a representative sample of end users sign in and perform typical business tasks after changes are deployed. |
|
Why does studio access come back after I remove it from operators? |
This usually indicates that an upstream source is re-provisioning access, such as a model operator, an external group-to-Access-Group mapping, or an automation process. Update the provisioning source to the run-time-only target state, then validate again after the next login or provisioning cycle. |
|
How do I validate remediation? |
Validate remediation by: (1) confirming end-user operators are not assigned studio-enabled Access Groups, (2) confirming provisioning sources (model operators and SSO/directory mappings) cannot recreate studio access on the next login/provisioning cycle, and (3) reviewing audit logs/monitoring (if available) for unexpected studio logins from end-user populations. |
|
How often should studio access be reviewed? |
Pega recommends a periodic access review owned by an administrator or security owner, at minimum during major releases, after authentication or SSO changes, and as part of routine security reviews. |
Next Steps
Review your environments promptly and take corrective action where appropriate. Ensure that Pega development portal access, Access Group assignments, and Access Roles are restricted to authorized developer and administrative personas only.
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.