Attribute-based access control (ABAC) is an approach to access control in which access rights are granted through the use of policies that are made up of attributes working together. ABAC includes a policy decision engine that evaluates digital policies against available data (attributes) and renders a decision to permit or deny access to the requested resource.
In the Pega 7 Platform, the Access Control Policy and Access Control Policy Condition rules are the access control policies that use rules and conditions to determine access decisions. If a policy is defined, the condition defined in it is evaluated. When multiple policies apply, all of them are evaluated, and the overall result is obtained by combining the individual policy results with AND logic. If the result is true, the user is granted access to the instance for the specific operation. If the result is false, the user is denied access to the instance for the specific operation.
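The evaluation rule described above, as an added example that is not Pega's own code: a minimal policy decision engine that collects every policy applicable to an instance's class and operation, evaluates each condition against the subject's and the instance's attributes, and AND-combines the results. The class names, attribute names (`Region`, `Role`, `Sensitivity`, `ID`), policy names and sample records are constructed for the example; the behaviour when no policy applies (access permitted) is an assumption, not something the page states.

```python
"""Added example (not Pega's own code): a minimal ABAC policy decision
engine that AND-combines all applicable access control policies."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attributes = Dict[str, Any]
# A condition receives the subject's attributes and the instance's
# attributes and returns True when it is satisfied.
Condition = Callable[[Attributes, Attributes], bool]


@dataclass(frozen=True)
class AccessControlPolicy:
    name: str
    target_class: str   # class prefix the policy applies to, e.g. "Work-"
    operation: str      # operation the policy governs, e.g. "read"
    condition: Condition


class PolicyDecisionEngine:
    def __init__(self, policies: List[AccessControlPolicy]) -> None:
        self.policies = list(policies)

    def applicable(self, obj_class: str, operation: str) -> List[AccessControlPolicy]:
        """Policies whose target class is a prefix of the instance class
        and whose operation matches the requested one."""
        return [p for p in self.policies
                if obj_class.startswith(p.target_class) and p.operation == operation]

    def decide(self, subject: Attributes, instance: Attributes, operation: str) -> bool:
        policies = self.applicable(instance["pxObjClass"], operation)
        if not policies:
            # Assumption for this example: with no policy defined on the
            # class, ABAC imposes no restriction on the operation.
            return True
        # AND logic: every applicable policy's condition must hold.
        return all(p.condition(subject, instance) for p in policies)

    def filter_instances(self, subject: Attributes, instances: List[Attributes],
                         operation: str) -> List[Attributes]:
        """Apply the decision to a result set, as the platform does when it
        adds policy conditions to queries (here done in memory)."""
        return [i for i in instances if self.decide(subject, i, operation)]


# Constructed sample policies on the hypothetical Work- class hierarchy.
POLICIES = [
    AccessControlPolicy("SameRegion", "Work-", "read",
                        lambda subj, inst: subj["Region"] == inst["Region"]),
    AccessControlPolicy("HighSensitivityNeedsManager", "Work-", "read",
                        lambda subj, inst: inst.get("Sensitivity") != "High"
                        or subj["Role"] == "Manager"),
]
ENGINE = PolicyDecisionEngine(POLICIES)

# Constructed sample subjects and instances.
ALICE = {"Operator": "alice", "Region": "EMEA", "Role": "Manager"}
BOB = {"Operator": "bob", "Region": "EMEA", "Role": "Clerk"}
INSTANCES = [
    {"pxObjClass": "Work-Claim", "ID": "C-1", "Region": "EMEA", "Sensitivity": "Low"},
    {"pxObjClass": "Work-Claim", "ID": "C-2", "Region": "EMEA", "Sensitivity": "High"},
    {"pxObjClass": "Work-Claim", "ID": "C-3", "Region": "APAC", "Sensitivity": "Low"},
    {"pxObjClass": "Data-Customer", "ID": "D-1", "Region": "APAC"},  # no Work- policy applies
]


def visible_ids(subject: Attributes, operation: str = "read") -> List[str]:
    """IDs of the instances the subject may access for the operation."""
    return [i["ID"] for i in ENGINE.filter_instances(subject, INSTANCES, operation)]


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who["Operator"], "can read:", visible_ids(who))
```

Bob is in the same region as C-2 but is not a manager, so the second policy fails and the AND combination denies the instance even though the first policy permits it; D-1 belongs to a class on which no policy is defined, so under the stated assumption it is not restricted.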
Access control policies specify conditions that must be satisfied for an operator or user to view any data for a class instance. The conditions of access control policies are automatically added to all queries against the Pega 7 Platform database and search indexes.
To prevent these conditions from being circumvented by end users in advanced search queries (for example, search queries that reference specific properties, such as pxObjClass:Work-MyProperty AND CustomerName:MyCorp), advanced search queries are not allowed in the following situations when access control policies are defined on any Work- or Data- classes: