Skip to main content

Table of Contents

Defining client-based access control rules


Only available versions of this content are shown in the dropdown

Client-based access control (CBAC) rules define where personal data is stored and how it can be accessed. These CBAC rules are used by the application server that receives and processes the requests.

CBAC rules are only one part of the overall processing of client-based access requests. For information, see General Data Protection Regulation.

Follow these general steps to define CBAC rules for client-based data requests:

  1. List the applications – Identify the applications that store personal data. By listing the applications, you can determine the rulesets that contain the rules needed for personal data requests. If all your applications are built on the same parent application, you can use the parent application for this purpose. Otherwise, define CBAC rules separately for each application.
  2. List the data elements – Identify the data elements that contain protected information that could be used to identify an actual person. For example, personal data might include genetic data, health data, Internet cookies, fingerprints, names, addresses, ages, national identification numbers, and personally identifiable data gathered over the Internet. In Pega Platform, identify the class names and property names where this data is stored.
  3. List the identifiers – Establish how your application identifies the person who is described by the personal data. Your application identifies the person with one or more unique properties such as, for example, a national identification number or, if your application equates an email address with a person, an email address. You must optimize and index these client identifiers on all the classes that contain them.
  4. Create the CBAC rules – Create the CBAC rules that describe the personal data and identifiers:
    • The applies to class of the CBAC instance is the class where the personal data is stored or where an identifier is referenced. The applies to class can be an abstract class if the data is stored on different concrete classes within the same abstract class. The instances are of Data-, Index- or Work-.
    • The ruleset of the CBAC instance belongs to the application that controls the personal data. You can create CBAC instances in a ruleset that is shared by multiple applications, or in separate rulesets by application.

For detailed steps on creating the CBAC rules, see the steps listed below.

  1. Creating a client-based access control rule
  2. Configuring a client-based access control rule
Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Ready to crush complexity?

Experience the benefits of Pega Community when you log in.

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us