Access Control Policy rule
You use access control policies to restrict user actions. In the Access Control Policy form, you define a policy that grants access to an object by evaluating the conditions that you specify. You can set one of four levels of access: read, update, discover, or delete.
For example, an access control policy for a sales automation application might restrict access to a sales account to the user who owns the account or to a user who is included in an exception list of non-owners who have access.
Access control policies are enforced everywhere in Pega Platform, not just within the UI, including all reporting rules, search, and custom SQL written by developers.
Unlike role-based access controls, attribute-based access control policies use the system's full inheritance functionality. Access policy rules can be inherited from multiple classes, in which case the relevant policies are combined and access is allowed only when all such policy conditions are satisfied.
- Attribute-based access control
You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application.
- Security attributes markings
Attributes are unique security markings, which are assigned to objects and operators. Each attribute has a value associated with it, which means that a user must possess an attribute value to access an object.
- Creating an access control policy
In the access control policy rule form, you define a policy that grants access to an object by evaluating selected conditions. For each rule, you can set one level of access, such as read, update, or delete, and the condition that defines whether the access is granted.
- Excluding properties with access control policies from search results
You can include or exclude properties with access control policies from search results, which lets you control who can view sensitive data. When you select the option to display properties with access control policies, access control policies are ignored. When you do not select the option to display properties with access control policies, properties with access control policies are excluded from search results, whether or not the access control policies are satisfied.