Access control policy condition performance
When you define an access control policy condition, use the relationship that gives the best performance for your data profile.
Consider the following performance factors when you define an access control policy condition.
- For policy conditions that use the All of and One of relationships, ensure that the Column source properties are optimized and included in returnable form in the custom search properties that are stored in the search index.
- Test the performance of your conditions by using realistic data. Pega Platform evaluates your filter by using database queries or Elasticsearch, depending on the report definition. Different relationships perform differently, depending on the filter and data profiles.
- For best performance when comparing a scalar value to a comma-delimited list of values, use the Is equal relationship.
However, if the number of comparison values in the Is equal relationships in your policies is very large, queries against the database or the Elasticsearch index might generate error messages, because these data stores restrict the number of terms allowed in a query. The error message explains the cause of the problem.
When Pega Platform uses database queries for Is equal, it generates SQL statements with IN clauses, and your database might limit the number of values in an IN clause. Identify this limit for your database, and use the One of relationship if you expect your application to exceed it.
When using Elasticsearch for Is equal, about 1,000 comparisons are allowed by default. If you exceed this limit, you can either use One of, or increase the limit by updating the dynamic system setting indexing/distributed/search_maxclausecount.
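The sizing check described above can be run against an export of realistic attribute data before a policy goes live. The following is an added example, not Pega Platform code: the function names, the sample operators, and both limit values are assumptions (set them to your database's documented IN-clause limit and your configured Elasticsearch clause count), and it assumes each non-empty value in a comma-delimited list becomes one query term.

```python
"""Added example: size Is equal comparison lists against data-store term limits."""


def parse_values(raw):
    """Split a comma-delimited attribute value into trimmed, non-empty terms.

    Duplicates are kept on purpose: counting them is the conservative
    estimate of how many terms the generated query could contain.
    """
    return [term.strip() for term in raw.split(",") if term.strip()]


def audit(profiles, db_in_limit, es_clause_limit):
    """Compare every operator's term count with each data store's limit.

    profiles maps a hypothetical operator ID to its comma-delimited list.
    Returns, per store, the limit, the largest list seen, the operators
    over the limit, and the relationship the page recommends in that case.
    """
    counts = {op: len(parse_values(raw)) for op, raw in profiles.items()}
    stores = (("database", db_in_limit), ("elasticsearch", es_clause_limit))
    report = {}
    for store, limit in stores:
        over = sorted(op for op, n in counts.items() if n > limit)
        report[store] = {
            "limit": limit,
            "max_terms": max(counts.values(), default=0),
            "over_limit": over,
            # One of avoids the term limit; Is equal is faster when it fits.
            "relationship": "One of" if over else "Is equal",
        }
    return report


# Constructed sample data: operator ID -> comma-delimited attribute value.
SAMPLE = {
    "analyst01": "EMEA, APAC, AMER",
    "auditor07": ",".join(f"ACCT-{i:04d}" for i in range(1200)),
    "clerk22": "EMEA, EMEA, ,APAC",
}

if __name__ == "__main__":
    # Both limits are placeholders (assumptions), not values read from Pega.
    for store, finding in audit(SAMPLE, db_in_limit=1000,
                                es_clause_limit=1000).items():
        print(store, finding)
```

For Elasticsearch, an operator listed in over_limit can alternatively be handled by raising indexing/distributed/search_maxclausecount instead of switching to One of.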
- Attribute-based access control
You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application.
- Creating an access control policy condition
You can define a set of conditions and comparison logic to be evaluated to grant access to an object.
- One Of and All Of conditions
The One Of condition and the All Of condition specify how to compare the multivalue attributes between the user and the object that the user requests, in order to determine whether to grant access. You can create attributes on cases to determine who is authorized to access the case.