Security tab on the Operator ID form

Use the Security tab to manage an operator's password, rule checkout permission, authentication method, and enabled status.

From the Security tab, you can do the following actions:
  • Update a password.
  • Allow application developers to check rules in and out.
  • Turn on external authentication for this operator.
  • Identify a starting activity to run after an operator is authenticated.
  • Force password change on next login.
  • Disable an operator.
  • Classify a user.
Note: The Unattended operator (robot) check box is selected if this operator is a robotic automation virtual machine (VM). Unattended operators are generated for each registered VM in a robotic process automation (RPA) solution.

Complete the following steps:

  1. Click Update password to change your password.

    1. In the Change Operator ID Password dialog box, in the New Password field, enter your new password.

    2. In the Confirm New Password field, reenter the password to confirm it.

    3. Click Submit.

    The system converts the password to a hash value by using the bcrypt algorithm and stores only the hash, in the Storage Stream (BLOB) column of the pr_operators table. Even with the View XML action, you can see only the hashed form of an operator password, never the password itself.

    You can set the password policy from Designer Studio > System > Security Policies.

    Every login failure is recorded as an instance of the Log-SecurityAudit class. To review the date and time, remote host name, IP address, and user name of each failure, run the standard list view rule ListofLoginFailures.

    As a security feature, the passwords for [email protected] and three other initial Operator IDs can be changed only by logging in as one of those operators.

  2. Select the Allow rule check out check box to allow this user to update rules in rulesets that use rule checkout.

    When this check box is selected, the Check Out or Private Edit toolbar buttons are displayed instead of the Save button, for rulesets that require checkout. In addition, this user has a personal ruleset that is displayed at the top of the ruleset list.

    See the following list for checkout usage information:

    • When checkout is enabled, the system saves the previous rule each time you check in a new one, supporting the Restore operation. See Restoring the earlier state of a rule.

    • Select this check box for most users of Designer Studio, even if they do not expect to check out rules. Clear this check box for workers, managers, and anyone who does not use Designer Studio or does not update rules.

    • Select this check box for developers who plan to use the New Application wizard to generate applications. When the tool generates an application, the generated rulesets are set to use check out.

    • If this check box was selected but is then cleared while the operator's personal ruleset still contains one or more checked-out rules, you cannot save the Operator ID form. This restriction prevents orphaned rules: rules that are checked out but can no longer be checked in.

      Before the check box is cleared, the operator must check in or delete all checked-out rules in the personal ruleset. To list them, the operator can select Pega Platform > Application > Development > Checked Out Rules.

      Note: For optimal performance on a production system, minimize the number of distinct users who can check out rules.
  3. Select the Use external authentication check box so that this operator is authenticated only through external authentication facilities.

    If this check box is cleared, the system authenticates this operator with the password stored on this tab.

  4. Select the Force password change on next login check box for an enabled operator so that the next time the operator logs in, the password must be changed.
  5. Select the Disable Operator check box to disable the operator.
    Note: If this operator is one of the operators that Pega Platform provides, do not leave its default password in place. Click Update password, enter a new password that meets your security policies, and send the new password to the operator if the operator remains enabled.
  6. In the Starting activity to execute field, specify the first activity that the system runs after this user is authenticated. The default is Data-Portal.ShowDesktop.
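
The login-failure records described in step 1 are the raw material for brute-force and password-spray detection. The following Python is an added example, not part of the original page and not Pega Platform code: it takes records carrying the fields the page names (date and time, remote host name, IP address, user name; the dictionary keys used here are assumptions for illustration, not the actual Log-SecurityAudit property names) and flags an address that fails repeatedly against one account, and an address that fails once each against many accounts. The sample records are constructed, and the thresholds are arbitrary starting points, not Pega defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login-failure records. The keys are assumptions made for
# this example; they are not the real property names of Log-SecurityAudit.
SAMPLE_FAILURES = [
    # an ordinary user mistyping a password twice: should not alert
    {"time": "2024-03-01T09:00:05", "host": "wks-17.corp.example", "ip": "10.0.5.17", "user": "alice"},
    {"time": "2024-03-01T09:00:40", "host": "wks-17.corp.example", "ip": "10.0.5.17", "user": "alice"},
    # six failures against one account from one address in under three minutes: brute force
    {"time": "2024-03-01T09:10:00", "host": "unknown", "ip": "203.0.113.9", "user": "bob"},
    {"time": "2024-03-01T09:10:30", "host": "unknown", "ip": "203.0.113.9", "user": "bob"},
    {"time": "2024-03-01T09:11:00", "host": "unknown", "ip": "203.0.113.9", "user": "bob"},
    {"time": "2024-03-01T09:11:30", "host": "unknown", "ip": "203.0.113.9", "user": "bob"},
    {"time": "2024-03-01T09:12:00", "host": "unknown", "ip": "203.0.113.9", "user": "bob"},
    {"time": "2024-03-01T09:12:30", "host": "unknown", "ip": "203.0.113.9", "user": "bob"},
    # one failure each against four accounts from one address in two minutes: spraying
    {"time": "2024-03-01T09:20:00", "host": "unknown", "ip": "198.51.100.4", "user": "carol"},
    {"time": "2024-03-01T09:20:30", "host": "unknown", "ip": "198.51.100.4", "user": "dave"},
    {"time": "2024-03-01T09:21:00", "host": "unknown", "ip": "198.51.100.4", "user": "erin"},
    {"time": "2024-03-01T09:21:30", "host": "unknown", "ip": "198.51.100.4", "user": "frank"},
]


def _has_burst(times, count, window):
    """True if any `count` consecutive timestamps (after sorting) fall within `window`."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def login_failure_alerts(records, max_per_account=5, max_users_per_ip=3,
                         window=timedelta(minutes=10)):
    """Flag brute force (many failures on one account from one IP) and password
    spraying (one IP touching many accounts). Returns a sorted list of
    (kind, ip, user) tuples; user is "*" for a spraying alert."""
    parsed = [(datetime.fromisoformat(r["time"]), r["ip"], r["user"]) for r in records]
    alerts = set()

    # Brute force: group by (ip, user) and look for a burst of failures.
    per_account = defaultdict(list)
    for t, ip, user in parsed:
        per_account[(ip, user)].append(t)
    for (ip, user), times in per_account.items():
        if _has_burst(times, max_per_account, window):
            alerts.add(("brute_force", ip, user))

    # Spraying: group by ip and count distinct users hit within any window.
    per_ip = defaultdict(list)
    for t, ip, user in parsed:
        per_ip[ip].append((t, user))
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users_in_window = {u for t, u in events[i:] if t - t0 <= window}
            if len(users_in_window) >= max_users_per_ip:
                alerts.add(("password_spray", ip, "*"))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for kind, ip, user in login_failure_alerts(SAMPLE_FAILURES):
        print(f"{kind}: ip={ip} user={user}")
```

Both detections deliberately key on the IP address rather than the remote host name, because the host name is resolved from the address and is absent or unreliable for external sources. Feeding this the output of ListofLoginFailures on a schedule, with thresholds tuned to the size of the user population, gives a minimal detection for attacks against operator passwords.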

Operator IDs and external identity providers

If you implement authentication by using an external identity provider (IdP), the login process contacts the IdP for authentication and ignores the password in this Operator ID instance. An Operator ID data instance is still required for each user, however.

Security audits

If you enable the optional security audit feature, the History Details of an Operator ID instance show which values were added, updated, or removed.

Operator ID passwords are saved in the PegaRULES database as hashed values, by default using the bcrypt algorithm. Two property types are involved when changing the password: the New Password field is of the Password type, and the Confirm Password field is of the Text type. The Data-Admin-Operator-ID.pyPwdCurrent property holds the entered password after it is validated, in its hashed form.

See Configuration Settings Reference, on the PDN, for details on this and other cryptographic settings. See Using the bcrypt hashing algorithm for Password property types for more information about the Password property type.
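
As an added example, not Pega's own code, the following Python is a check a reviewer can run against a pyPwdCurrent value copied out of an operator's View XML output, to confirm that the stored value is shaped like a bcrypt hash rather than clear text or a legacy hash, and to read off the work factor (cost). The bcrypt modular-crypt layout is a public format. The sample values are constructed for illustration and are not hashes taken from any real operator record, and the minimum cost of 10 is an assumption of this example, not a Pega default.

```python
import re

# Modular-crypt layout of a bcrypt hash, 60 characters in total:
#   $<version>$<cost>$<22-character salt><31-character digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9), not standard base64.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(value):
    """Split a bcrypt-shaped string into its fields, or return None if it is not one."""
    match = _BCRYPT_RE.match(value)
    if match is None:
        return None
    version, cost, salt, digest = match.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt's legal work-factor range
        return None
    return {"version": version, "cost": cost, "salt": salt, "digest": digest}


def audit_stored_password(value, min_cost=10):
    """Classify the stored value of an operator password.

    NOT_BCRYPT: not shaped like a bcrypt hash (clear text, legacy hash, or corrupted value)
    WEAK_COST:  bcrypt, but with a work factor below `min_cost`
    OK:         bcrypt with an acceptable work factor
    """
    info = parse_bcrypt(value)
    if info is None:
        return "NOT_BCRYPT"
    if info["cost"] < min_cost:
        return "WEAK_COST"
    return "OK"


# Constructed sample values, not taken from any real operator record.
SAMPLE_VALUES = {
    "good": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "low_cost": "$2a$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "plaintext": "rules",
    "md5_hex": "5f4dcc3b5aa765d61d8327deb882cf99",
    "truncated": "$2b$12$R9h/cIPz0gi.URNNX3kh2O",
}


if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        print(f"{name:10s} -> {audit_stored_password(value)}")
```

A value that does not parse means the operator's password is not stored as a bcrypt hash (for example, a record migrated from an older hashing scheme or a corrupted stream); the remedy is to set a fresh password through Update password so that the current algorithm is applied. One caveat worth keeping in mind when writing a password policy: bcrypt processes only the first 72 bytes of the password, so characters beyond that point add no strength.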