Attribute-based access control
You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application.
Access restrictions are enforced by defining access control policies. Conditions used in access control policies compare attributes in class instances to other information (typically, information about user’s identity, organizational reporting relationships, or other security credentials that might be case-specific).
Access is permitted only when all relevant policy conditions are satisfied.
Encryption policies under ABAC do not have associated conditions. These encryption policies are used to unconditionally encrypt sensitive property values, and can be used together with other access control policies to conditionally obfuscate or mask these values within application user interfaces.
Attribute-based access control policies do not restrict the processing of client-based access control requests.
Attribute-based access control in Pega Platform
Two rule types (Access Control Policy and Access Control Policy Condition) are used to define policies for different types of actions (Read, Update, Delete, Discover, PropertyRead, PropertyEncrypt). The rule types compare property values in class instances to clipboard property values.
When multiple policies are defined or inherited for a specific class, the conditions for those policies are aggregated by combining the filter logic strings for the conditions and the AND operator. Access is permitted only if all conditions are satisfied. This type of access differs from how role-based access is determined, where a user with multiple roles is granted access if any of those roles permit it.
Access control policies are enforced in all Pega Platform features that access and manipulate data from the Pega Platform database or from Pega Platform search indexes. These features include all report rules, searches, operations on individual cases such as opening cases, custom SQL, and so on.
Access control policy enforcement exceptions
Access control policies specify conditions that must be satisfied for an operator or user to view any data for a class instance. To prevent these conditions from being circumvented by end users, the following exceptions are made:
- Access control policies can be defined only for instances of Assign-, Data-, and Work- classes.
- Access control policies defined on Data- classes are not enforced in search queries.
- Only read policies are enforced in custom SQL.
- Advanced search queries (for example, search queries that reference specific properties such as pxObjClass:Work-MyProperty AND CustomerName:MyCorp ) are not allowed when access control policies are defined on any Assign-, Data-, or Work- classes.
Special considerations apply when access control policies are enforced in certain features that retrieve data for potential use by multiple end users who might have different credentials, such as node-scoped data pages and scheduled reports.
- Access Control Policy rule
You use access control policies to restrict user actions. In the Access Control Policy form, you define a policy that grants access to an object by evaluating the conditions that you specify. You can set one of four levels of access: read, update, discover, or delete.
- Access Control Policy Condition rule
An Access Control Policy Condition rule defines a set of filters, and the filter logic combining them, for an access control policy. They describe the conditions under which the access type is granted to a property.
- Client-based access control
If your application stores data that might be used to identify a person and you are subject to GDPR or similar regulations, use client-based access control (CBAC) to track and process requests to view, change, or remove the data.