Creating authentication registration for external users

From PegaWiki
Revision as of 18:52, 26 August 2020 by BEAUM (talk | contribs) (add new design pattern document)


The following are best practices to follow when authenticating and registering external users in public-facing applications (that is, applications whose operators are not a client's own employees). Users of such an application may initially be anonymous (identity unknown) and have very restricted access to application features. They may then register or have their identity verified partway through a session, and the session should continue transparently, with their operator context updated and their privileges expanded accordingly.

A common example is an online shopping site, in which unauthenticated users can browse and add items to a shopping cart, and then either create an account or enter their credentials to check out.

Our best practices for this are already captured in the Community articles linked below. They are:

  • Use the OOTB Anonymous-type Authentication Service rule for authentication, and in it specify an access group with the extremely limited privileges that are sufficient for an anonymous user. That access group would usually ensure that such users can only work with the case types they need in order to create their own cases, can only access data they have created themselves, and have no access to other application functionality such as reporting.
  • Once an end user is authenticated with a known identity, use the Re-Authentication gadget to switch their operator context and access group, rather than writing custom code.
  • In public-facing applications where end users do not need access to information about other operators, restrict all access to data in the Data-Admin-OperatorID class to the end user's own record through an access control policy. You can do this by enabling the out-of-the-box rules pyDefault and pyRestrictToSelf in the Data-Admin-OperatorID class.
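
The three practices above describe one flow: an anonymous session with minimal privileges, a re-authentication step that upgrades the operator context without discarding the session's work, and a policy that confines operator records to the requesting user. The following is an added example in plain Python that models that flow end to end; it is not Pega code and does not use Pega rules. The access group names, privilege sets, user and operator records, and the password-hashing parameters are all constructed for illustration. One detail it adds that the page does not state, and which you should confirm in your own platform's re-authentication handling, is that the session identifier is reissued when the identity changes, so that an identifier an attacker obtained or planted while the session was anonymous does not carry over into the authenticated context.

```python
"""Anonymous -> authenticated session upgrade with restrict-to-self policy.

Added illustration of the pattern described on this page. Hypothetical
names throughout; not Pega's implementation.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical access groups and the privileges each grants.
ACCESS_GROUPS = {
    "ShopAnonymous": frozenset({"browse_catalog", "edit_own_cart", "create_account"}),
    "ShopCustomer": frozenset({"browse_catalog", "edit_own_cart", "checkout", "view_own_orders"}),
}


@dataclass
class Session:
    session_id: str
    operator_id: str              # "anonymous" until identity is verified
    access_group: str
    cart: List[str] = field(default_factory=list)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store and operator directory.
_ALICE_SALT = b"constructed-salt-01"
USERS = {
    "alice": {"salt": _ALICE_SALT,
              "hash": _hash_password("correct horse", _ALICE_SALT),
              "operator_id": "alice@example.com"},
}
OPERATORS = {
    "alice@example.com": {"name": "Alice", "email": "alice@example.com"},
    "bob@example.com": {"name": "Bob", "email": "bob@example.com"},
}

SESSIONS: Dict[str, Session] = {}


def start_anonymous_session() -> Session:
    """Every visitor starts in the minimal access group with unknown identity."""
    s = Session(secrets.token_urlsafe(32), "anonymous", "ShopAnonymous")
    SESSIONS[s.session_id] = s
    return s


def privileges(s: Session) -> frozenset:
    return ACCESS_GROUPS[s.access_group]


def reauthenticate(session_id: str, username: str, password: str) -> Session:
    """Verify credentials mid-session and switch context; the cart survives."""
    old = SESSIONS[session_id]
    user = USERS.get(username)
    ok = user is not None and secrets.compare_digest(
        _hash_password(password, user["salt"]), user["hash"])
    if not ok:
        # Failed attempt leaves the anonymous session exactly as it was.
        raise PermissionError("bad credentials")
    # Reissue the session ID on privilege change (session fixation defence),
    # carrying the anonymous work (the cart) into the new context.
    del SESSIONS[session_id]
    new = Session(secrets.token_urlsafe(32), user["operator_id"],
                  "ShopCustomer", cart=old.cart)
    SESSIONS[new.session_id] = new
    return new


def read_operator(s: Session, operator_id: str) -> Optional[dict]:
    """Restrict-to-self policy: a user may read only their own operator record."""
    if s.operator_id == "anonymous" or operator_id != s.operator_id:
        return None
    return OPERATORS.get(operator_id)


def checkout(s: Session) -> str:
    """Privileged action; refused until the session carries a known identity."""
    if "checkout" not in privileges(s):
        raise PermissionError("authentication required")
    return f"order for {s.operator_id}: {', '.join(s.cart)}"


if __name__ == "__main__":
    anon = start_anonymous_session()
    anon.cart.append("sku-123")
    cust = reauthenticate(anon.session_id, "alice", "correct horse")
    print(checkout(cust))
```

The policy in `read_operator` is the equivalent of what enabling pyRestrictToSelf on Data-Admin-OperatorID achieves: the filter is applied at the data-access layer, so no individual screen or report has to remember to add it.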

Please refer to the following articles on Pega Community for more information:

Basic requirements for deploying public-facing applications

Security Checklist