Skip to main content


Implementing the security model

Suggest edit Updated on April 15, 2021

Security planning involves defining authentication and authorization strategies for your application:

Validates your identity.
Determines the work objects you can access and the application functions you can perform.

For information about defining authentication and authorization strategies for your application, see the following topics:

Authentication schemes

The Pega Platform offers the following authentication types:

Based on passwords in the Operator ID data instances and the login form. This is defined by the HTML @baseclass.Web-Login rule, which your application can override.
Similar to PRBasic, but passes credentials by using Secure Sockets Layer (SSL) with Basic HTTP authentication. The login form is defined by the HTML @baseclass.Web-Login-SecuredBasic rule, which your application can override.
Supports access to an external LDAP directory or a custom authentication scheme.
Supports external assignments (Directed Web Access).
Specifies that the application server in which the Pega Platform is deployed uses JAAS to authenticate users.

Implementing your authentication scheme

Your site can use a centralized, automated means of maintaining operator data instead of maintaining it manually in your application.

  1. Discuss the authentication schemes with your site's security and application server teams.
  2. Determine the appropriate authentication type.

    For more information on authentication scheme planning, see Authentication.

Authorization model

The security authorization model determines user access privileges and work object permissions for the Pega Sales Automation application. Your security authorization model is based on the operator ID privileges and territory permissions structure that you define for your sales team. Access to portals and work objects in the application is determined by operator ID privileges. The ability to read, update, and create specific work objects is determined by the territory to which the work objects belong.

For more information about configuring territories and operators, see Set up your sales team structure.

Work object permissions

The application access privileges and territory permissions that you assign to operators in Pega Sales Automation determine how a user can interact with the work objects in the application.

  • Operator privileges (role-based) give the user access to particular types of work objects in the application.
  • Read, update, and create permissions for work objects are controlled by the territory that owns the work object.

For example, an operator with a Sales Representative role has access to opportunity work objects; however, to update an opportunity in the Northwest territory, you must grant the operator permission to update opportunity work objects in that territory.

  • You can grant different levels of access to work objects within the same territory. For example, you can give a new operator read, update, and create access for lead and opportunity work objects in the Northwest territory, but only read access to organization objects in the same territory.
  • A primary territory is defined and used as the default when new work objects are created. The owner of a work object has full access to the work object, regardless of territory access.

For more information, see Setting up persona-based access rights to the User portal navigation pane and Configuring permission access templates.

Attribute Based Control (ABAC)

Attribute Based Access Control (ABAC) controls row-level or column-level security through security policy rules available as part of the Pega Platform's ABAC feature.

For more information, see Attribute-based access control and Upgrading Pega Sales Automation to use attribute-based access control (ABAC).

Client-based access control (CBAC)

Implementing client-based access control (CBAC) helps you satisfy the data privacy requirements of the European Union (EU) General Data Protection Regulation (GDPR) and similar regulations.

For more information about GDPR and CBAC, see Supporting EU GDPR data privacy rights in Pega Infinity with client-based access control.

For more information about configuring CBAC in Pega Sales Automation, see CBAC section in the Pega Sales Automation Release Notes on the Pega Sales Automation product page.

Did you find this content helpful? YesNo

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Ready to crush complexity?

Experience the benefits of Pega Community when you log in.

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us