Defining client-based access control rules
Client-based access control (CBAC) rules define where personal data is stored and how it can be accessed. These CBAC rules are used by the application server that receives and processes the requests.
CBAC rules are only one part of the overall processing of client-based access requests. For information about the overall process, see the Pega Community article "Supporting EU GDPR data privacy rights in Pega Infinity with client-based access control".
Follow these general steps to define CBAC rules for client-based data requests:
- List the applications – Identify the applications that store personal data. By listing the applications, you can determine the rulesets that contain the rules needed for personal data requests. If all your applications are built on the same parent application, you can use the parent application for this purpose. Otherwise, define CBAC rules separately for each application.
- List the data elements – Identify the data elements that contain protected information that could be used to identify an actual person. For example, personal data might include genetic data, health data, Internet cookies, fingerprints, names, addresses, ages, national identification numbers, and personally identifiable data gathered over the Internet. In Pega Platform, identify the class names and property names where this data is stored.
- List the identifiers – Establish how your application identifies the person who is described by the personal data. Your application identifies the person with one or more unique properties, for example a national identification number or, if your application treats an email address as equivalent to a person, an email address. You must optimize and index these client identifiers on all the classes that contain them.
- Create the CBAC rules – Create the CBAC rules that describe the personal data and identifiers:
- The Applies To class of the CBAC instance is the class where the personal data is stored or where an identifier is referenced. The Applies To class can be an abstract class if the data is stored in several concrete classes that descend from that abstract class. The Applies To class belongs to the Work-, Data-, or Index- class hierarchy.
- The ruleset of the CBAC instance belongs to the application that controls the personal data. You can create CBAC instances in a ruleset that is shared by multiple applications, or in separate rulesets by application.
For detailed steps on creating the CBAC rules, see the steps listed below.
- Creating a client-based access control rule
Create client-based access control (CBAC) rules to identify the personal data and personal identifiers in your Pega Platform application. CBAC rules define how an incoming request finds the personal data in your data store. CBAC rules also define the type of access the client has for each data instance (view, modify, or delete).
- Configuring a client-based access control rule
Define the personal data properties and personal identifiers for a client-based access control (CBAC) rule so that requests for personal data can be tracked and processed. A CBAC rule defines access, update, and delete permissions for individual data elements.
- Client-based access control
If your application stores data that might be used to identify a person and you are subject to GDPR or similar regulations, use client-based access control (CBAC) to track and process requests to view, change, or remove the data.
- Configuring client-based access control for a non-Pega data source
By default, client-based access control applies to personal data that is stored in the Pega Platform database. With additional configuration, you can also apply client-based access control to non-Pega databases and other data sources.
- Specifying a client-based access control rule on an abstract class
You can define client-based access control (CBAC) rules on concrete classes and on abstract classes. At run time, Pega Platform combines multiple CBAC rules, starting from the concrete class. If the CBAC rule is on an abstract class and not on any of its concrete classes, you must do extra configuration to ensure that the abstract class is included.
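To make the steps above concrete, here is an added example (not Pega Platform code, and not part of the original page) that models a CBAC rule as an Applies To class plus its identifiers and personal-data properties, resolves the rules for a request by walking from the concrete class up through its abstract parents as the last topic describes, and checks that every identifier a class relies on is indexed. All class, property and index names are constructed, and the rule that the more specific class wins for a property defined twice is an assumption of the model, not documented Pega behaviour.

```python
# Added illustrative model (not Pega Platform code). Class names, properties,
# identifiers and the index list below are constructed sample values.
from dataclasses import dataclass

# Constructed class hierarchy: child -> parent, rooted in Work-/Data-/Index-.
CLASS_PARENT = {
    "ABC-Data-Customer": "Data-",
    "ABC-Work-Claim": "ABC-Work-",
    "ABC-Work-": "Work-",
}
# Constructed set of (class, property) pairs that carry a database index.
INDEXED = {("ABC-Data-Customer", "NationalId"), ("ABC-Work-Claim", "NationalId")}

@dataclass
class CbacRule:
    applies_to: str         # Applies To class (concrete or abstract)
    identifiers: frozenset  # properties that identify the person
    personal_data: dict     # personal-data property -> allowed operations

RULES = {
    "Data-": CbacRule("Data-", frozenset({"pyEmail"}), {"pyEmail": {"view"}}),
    "ABC-Data-Customer": CbacRule(
        "ABC-Data-Customer", frozenset({"NationalId"}),
        {"DateOfBirth": {"view", "modify", "delete"}, "pyEmail": {"view", "delete"}}),
    "ABC-Work-": CbacRule("ABC-Work-", frozenset({"NationalId"}),
                          {"ClaimNotes": {"view", "delete"}}),
}

def lineage(cls):
    """Concrete class first, then each ancestor up to Work-, Data- or Index-."""
    chain = [cls]
    while chain[-1] in CLASS_PARENT:
        chain.append(CLASS_PARENT[chain[-1]])
    return chain

def resolve(cls):
    """Combine CBAC rules along the lineage, starting from the concrete class.
    Model assumption: the more specific class wins for a property defined twice."""
    identifiers, personal_data = set(), {}
    for c in lineage(cls):
        rule = RULES.get(c)
        if rule is None:
            continue
        identifiers |= rule.identifiers
        for prop, ops in rule.personal_data.items():
            personal_data.setdefault(prop, set(ops))
    return identifiers, personal_data

def permitted(cls, prop, op):
    """True if a client request may perform op (view/modify/delete) on prop in cls."""
    return op in resolve(cls)[1].get(prop, set())

def unindexed_identifiers(classes):
    """Pre-deployment check: identifiers a concrete class relies on must be indexed."""
    return sorted((c, p) for c in classes for p in resolve(c)[0] if (c, p) not in INDEXED)
```

Running `unindexed_identifiers` over the concrete classes flags identifiers inherited from an abstract rule that were never indexed on the concrete class, which is the kind of gap the "list the identifiers" step is meant to close.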