Attribute-based access control (ABAC) is used to restrict access to specific instances of classes (to enforce instance-level or row-level security).
Access restrictions are enforced by defining access control policies. Conditions used in access control policies compare attributes in class instances to other information (typically, information about user’s identity, organizational reporting relationships, or other security credentials that might be case-specific).
Access is permitted only when all relevant policy conditions are satisfied.
Two rule types (Access Control Policy and Access Control Policy Condition) are used to define policies for different types of actions (Read, Update, Delete, Discover, PropertyRead). The rule types compare property values in class instances to clipboard property values.
When multiple policies are defined or inherited for a specific class, the conditions for those policies are aggregated by combining the filter logic strings for the conditions and the AND operator. Access is permitted only if all conditions are satisfied. This type of access differs from how role-based access is determined, where a user with multiple roles is granted access if any of those roles permit it.
Access control policies are enforced in all Pega Platform features that access and manipulate data from the Pega Platform database or from Pega Platform search indexes. These features include all report rules, searches, operations on individual cases such as opening cases, custom SQL, and so on.
Access control policies specify conditions that must be satisfied for an operator or user to view any data for a class instance. To prevent these conditions from being circumvented by end users, the following exceptions are made:
Special considerations apply when access control policies are enforced in certain features that retrieve data for potential use by multiple end users who might have different credentials, such as node-scoped data pages and scheduled reports.