Attribute-based access control
Attribute-based access control (ABAC) is used to restrict access to specific instances of classes (to enforce instance-level or row-level security).
Access restrictions are enforced by defining access control policies. Conditions used in access control policies compare attributes in class instances to other information (typically, information about the user’s identity, organizational reporting relationships, or other security credentials that might be case-specific).
Access is permitted only when all relevant policy conditions are satisfied.
Encryption policies under ABAC do not have associated conditions. These encryption policies are used to unconditionally encrypt sensitive property values, and can be used together with other access control policies to conditionally obfuscate or mask these values within application user interfaces.
Attribute-based access control in Pega Platform
Two rule types (Access Control Policy and Access Control Policy Condition) are used to define policies for different types of actions (Read, Update, Delete, Discover, PropertyRead, PropertyEncrypt). The rule types compare property values in class instances to clipboard property values.
When multiple policies are defined or inherited for a specific class, the conditions for those policies are aggregated by combining the filter logic strings for the conditions with the AND operator. Access is permitted only if all conditions are satisfied. This differs from how role-based access is determined, where a user with multiple roles is granted access if any of those roles permits it.
Access control policies are enforced in all Pega Platform features that access and manipulate data from the Pega Platform database or from Pega Platform search indexes. These features include all report rules, searches, operations on individual cases such as opening cases, custom SQL, and so on.
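The aggregation rule above, modelled as an added illustration (this is not Pega Platform code): policies defined on or inherited by a class are ANDed per action and applied as a row filter, while a role-based check is shown alongside for the OR contrast. Class inheritance is approximated by a class-name prefix check, and all property names except pxObjClass are made up.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Instance = Dict[str, object]   # one class instance (row), keyed by property name
Clipboard = Dict[str, object]  # the requestor's clipboard values (identity, org, ...)
Condition = Callable[[Instance, Clipboard], bool]

@dataclass(frozen=True)
class Policy:
    applies_to: str  # class the policy is defined on, e.g. "Work-"
    action: str      # Read, Update, Delete, Discover, PropertyRead, PropertyEncrypt
    condition: Condition

def _inherits(instance_class: str, policy_class: str) -> bool:
    # Simplification (assumption): a class inherits every policy whose class name is a prefix.
    return instance_class.startswith(policy_class)

def abac_permits(policies: List[Policy], row: Instance, cb: Clipboard, action: str) -> bool:
    """ABAC: every defined or inherited condition for the action must hold (AND)."""
    relevant = [p.condition for p in policies
                if p.action == action and _inherits(str(row["pxObjClass"]), p.applies_to)]
    return all(c(row, cb) for c in relevant)  # no policy for this action -> no restriction

def rbac_permits(roles: List[Dict[str, bool]], action: str) -> bool:
    """RBAC, for contrast: one role granting the action is enough (OR)."""
    return any(role.get(action, False) for role in roles)

def filter_rows(policies: List[Policy], rows: List[Instance], cb: Clipboard, action: str):
    """Row-level filtering, as a report or search would apply it for this requestor."""
    return [r for r in rows if abac_permits(policies, r, cb, action)]

# Constructed sample data; property names other than pxObjClass are made up.
POLICIES = [
    Policy("Work-", "Read", lambda row, cb: row["OrgUnit"] == cb["UserOrgUnit"]),
    Policy("Work-Claim", "Read", lambda row, cb: row["Region"] in cb["AllowedRegions"]),
]
ROWS = [
    {"pxObjClass": "Work-Claim", "CaseID": "C-1", "OrgUnit": "Finance", "Region": "EU"},
    {"pxObjClass": "Work-Claim", "CaseID": "C-2", "OrgUnit": "Finance", "Region": "US"},
    {"pxObjClass": "Work-Claim", "CaseID": "C-3", "OrgUnit": "Sales", "Region": "EU"},
]
CLIPBOARD = {"UserOrgUnit": "Finance", "AllowedRegions": ["EU", "APAC"]}

if __name__ == "__main__":
    # Only C-1 satisfies both the inherited Work- policy and the Work-Claim policy.
    print([r["CaseID"] for r in filter_rows(POLICIES, ROWS, CLIPBOARD, "Read")])  # ['C-1']
```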
Access control policy enforcement exceptions
Access control policies specify conditions that must be satisfied for an operator or user to view any data for a class instance. To prevent these conditions from being circumvented by end users, the following exceptions are made:
- Access control policies can be defined only for instances of Assign-, Data-, and Work- classes.
- Access control policies defined on Data- classes are not enforced in search queries.
- Only read policies are enforced in custom SQL.
- Advanced search queries (for example, search queries that reference specific properties such as pxObjClass:Work-MyProperty AND CustomerName:MyCorp) are not allowed when access control policies are defined on any Assign-, Data-, or Work- classes.
Special considerations apply when access control policies are enforced in certain features that retrieve data for potential use by multiple end users who might have different credentials, such as node-scoped data pages and scheduled reports.