Skip to main content

Support Doc

 Rupashree Som (Rupashree)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
IN
Rupashree Member since 2021 36 posts
MOD
Posted: 3 days 5 hours ago
Last activity: 1 day 8 hours ago
Posted: 4 Nov 2025 11:21 EST
Last activity: 6 Nov 2025 8:17 EST

Report to identify Basic Credentials Authentication user accounts

Overview

This guide outlines the steps to create a report that helps you determine the number of user accounts configured to use Basic Credentials Authentication, and their corresponding last login dates.  

Background

Basic Credentials Authentication relies on potentially reused passwords, making it easier to compromise accounts, and it increases the difficulty of monitoring and detecting unauthorized access. To reduce these risks and enhance control and compliance requirements, transition user accounts that are configured to use Basic Credentials Authentication to Single Sign-on (SSO). 

Beginning with release of Pega Infinity ‘24.2, Pega has deprecated Basic Credentials Authentication. This should only be used for non-personal operator records, such as [email protected], in emergency situations.  

Action to take

Pega Platform has two 2 options to help you follow industry best practices. You can configure an external Identity Provider (IDP) using either option:  

Utilizing an external IDP improves your security and will help meet compliance requirements for your Pega applications.

How to create a report?

1. Create a report on the 'Data-Admin-Operator-ID' class within your ruleset. 

2. Select the following columns for your query:

  • .pyUserIdentifier: Operator ID 
  • .pyLastSignon: Operator last sign-on time 
  • .pyUserName:  Full Name 
  • .pyAccessGroup: Default Access Group 

3. Sort the results by 'pyLastSignon':

An image of sorted results using 'pyLastSignon'

    4. Add the following filter conditions:

  • .pyImportedUser: False 
  • .pyOperatorIsDeactivated: False. Additionally, enable the 'Use null if empty' condition for this filter. 

the screen after you add filter conditions

   5. Apply an 'AND' condition for both filters. 

'AND' condition on both filters

   6. Save and run the report. 

To see attachments, please log in.
Pega Cloud

Did you find this content helpful?
Yes
No

  • Reply
Posted: 2 days ago
Posted: 4 Nov 2025 15:00 EST
Sathishkumar Jayapandian (SathishkumarJ17617111)
Ricoh

Ricoh
US

@RupashreeThis report does not check which authentication service they use to login. The report pulls all non-SSO operators, but they can use PRAuth platform authentication service and login using Username and password. I assume that is still supported and not deprecated.

To see attachments, please log in.
Posted: 2 days ago
Updated: 2 days ago
Posted: 5 Nov 2025 8:41 EST
Updated: 5 Nov 2025 8:42 EST
Itamar Budin (budii)
PEGA
Senior Director, Product Management, Security
Pegasystems Inc.
US

@SathishkumarJ17617111, yes, this report is designed to identify any operator set up to use PRAuth.

Starting in '24.2, we announced deprecation for the entire Basic Credentials Authentication feature, including PRAuth:

What's new in security '24.2

Deprecation means that we will no longer support this feature, including adding new capabilities. We may decide, in the future, to remove the feature altogether (Decommission). 

Our recommendation is to only use PRAuth for non-human operators for "Break-Glass" scenarios:

Pega Administrator account protection

I hope this answered your question. Please let me know if you have more questions

Thanks

To see attachments, please log in.
Posted: 1 day ago
Updated: 1 day ago
Posted: 5 Nov 2025 9:45 EST
Updated: 5 Nov 2025 14:53 EST
Sathishkumar Jayapandian (SathishkumarJ17617111)
Ricoh

Ricoh
US

@budii Hi Budii, I understand that basic authentication using both PRBasic and PRAuth are deprecated. Our application is customer facing app and accessed over internet. We have hybrid set of users from different organizations using both SSO and non-SSO. These users belong to different domains. We cannot push all users to use SSO. Do you have a product plan to support this usecase?

To see attachments, please log in.
Posted: 1 day ago
Updated: 1 day ago
Posted: 6 Nov 2025 8:14 EST
Updated: 6 Nov 2025 8:18 EST
Itamar Budin (budii)
PEGA
Senior Director, Product Management, Security
Pegasystems Inc.
US

@SathishkumarJ17617111 I think the issue here is the definition of deprecation:

Deprecated features no longer undergo active development and receive limited support due to a lack of enhancements or low adoption. Future releases do not support deprecated deployment options. While these features and deployment options continue to work for the current release, avoid their use in new deployments. Pega maintains deprecated features across several software versions to provide time for adoption of fully supported features, enabling you to achieve your business needs.

Features that have been withdrawn are no longer available in the Pega Platform. Pega announces the withdrawal of a feature in the release, in which Pega removes the feature from the Pega Platform code.

Withdrawn and deprecated features

So in that case, the term deprecation means that we (Pega) will not enhance the feature anymore. We are not currently planning to withdraw the feature, as it continues to serve the same use cases for our clients. 

To see attachments, please log in.
Posted: 1 day ago
Updated: 1 day ago
Posted: 6 Nov 2025 4:30 EST
Updated: 6 Nov 2025 4:31 EST
Venkateswara Reddy Yerasu (Venkateswara Reddy Yerasu)
ANZ Bank

ANZ Bank
AU

@budii

There are service accounts (operator IDs) configured as "basic auth" which are used in the integrations, and from Pega Infinity ‘24.2 onwards, Pega has deprecated Basic Credentials Authentication as per communication received.

I would like to know more about it, and service accounts are not possible to enable as SSO; it should be basic auth.

What are the options to exclude service accounts to use as a basic auth?

To see attachments, please log in.
Posted: 1 day ago
Posted: 6 Nov 2025 8:17 EST
Itamar Budin (budii)
PEGA
Senior Director, Product Management, Security
Pegasystems Inc.
US

@Venkateswara Reddy Yerasu, please see my reply to Sathishkumar J17617111 regarding the difference between Deprecation and Withdrawal.

That said, for "service account" type operators. If these operators are used to call DX APIs, I would recommend that you switch to OAuth 2.0 Client Credentials Flow. If needed, you can use the Pega Platform as an IDP and register the clients on it:

Creating and configuring an OAuth 2.0 client registration

To see attachments, please log in.

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice