Creating an access control policy condition
You can define a set of conditions and comparison logic to be evaluated to grant access to an object.
Before you begin:
- You must configure your system to support attribute-based access control (ABAC). For more information, see Enabling attribute-based access control.
- You must have the pzCanManageSecurityPolicies privilege, which is included in the PegaRULES:SecurityAdministrator role.
- In the navigation panel, click Records > Security > Access Control Policy Condition, and then click Create.
- In the Label field, enter the policy condition name.
- In the Context section, in the Apply to (class) field, press the Down Arrow key and select the rule to which the policy condition applies.
- In the Add to ruleset field, select a ruleset.
- Click Create and open.
- Optional: Click Add conditional logic to configure a filter logic string for the condition.
- On the Definition tab, in the Conditional logic section, click Add conditional logic as needed to support situations where different logic needs to be applied.
- In the WHEN field, enter an Access When rule that evaluates whether the conditional logic should be used.
- In the second field, enter a filter logic string that is applied when the Access When rule evaluates to true. When the set of filters to be applied in an Access Control Policy Condition rule is determined conditionally by using Access When rules, leave the filter logic entry blank if you want to enforce no policy condition at all, for example, for certain highly privileged users.
- In the OTHERWISE field, enter the filter logic string that is used when all of the Access When rules evaluate to false.
- On the Definition tab, in the Policy Conditions section, in the Condition field, enter a condition name.
- In the Column source field, press the Down Arrow key and select a property from the Apply To class from the list.
- In the Relationship list, click the comparison logic appropriate for the evaluated attribute type.
For Numeric attributes:
- Is equal – The Apply To property value and comparison value are equal.
- Is not equal – The Apply To property value and comparison value are not equal.
- Is greater than – The Apply To property value is greater than the comparison value.
- Is greater than or equal to – The Apply To property value is greater than or equal to the comparison value.
- Is less than – The Apply To property value is less than the comparison value.
- Is less than or equal to – The Apply To property value is less than or equal to the comparison value.
For String attributes:
- Is equal – The Apply To property value and comparison value(s) are equal. The comparison value can be a single value or a comma-delimited list.
- Is not equal – The Apply To property value and comparison value are not equal.
- All of – Both the Apply To property value and the comparison value are strings that consist of a comma-delimited list. There should be no spaces within the string (except for spaces within a value), and all elements in the list must be capitalized, for example: “BRAZIL,CANADA,FRANCE,GERMANY,SOUTH AFRICA,UK,USA”. The condition is satisfied if every element of the list within the Apply To property value is also an element in the list within the comparison value.
- One of – Both the Apply To property value and the comparison value are strings that consist of a comma-delimited list. There should be no spaces within the string (except for spaces within a value), and all elements in the list must be capitalized, for example: “BRAZIL,CANADA,FRANCE,GERMANY,SOUTH AFRICA,UK,USA”. The condition is satisfied if at least one element of the list within the Apply To property value is also an element in the list within the comparison value.
For all attributes:
- Is null – The Apply To property value is null.
- Is not null – The Apply To property value is not null.
Note:
- If you select Is null or Is not null in the Relationship field, the Treat Empty As Null check box is automatically selected. When Treat Empty As Null is checked, even empty values are considered null.
- If you select Is null or Is not null in the Relationship field, the Value field is not active.
- In the Value field, enter the comparison value or values that you want the condition to check.
- Optional: To define additional conditions, click Add Condition and repeat steps 7 through 10.
- Optional: When you define multiple conditions, they are combined by using the AND operator by default. You can specify more complex Boolean operations in the Conditional Logic field.
- Click Save.
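The All of and One of relationships described above amount to a subset test and an overlap test on comma-delimited lists, and conditions are ANDed by default. The following Python model is an added example, not Pega code; the function names, the Countries and Regions properties, and the sample values are assumptions made for illustration. It rejects values that break the stated format rules instead of guessing how they would compare.

```python
# Added illustration of the "All of" / "One of" semantics described on this page.
# Not Pega code: all names here are hypothetical and the data is constructed.

def parse_list(value):
    """Split a comma-delimited value, enforcing the format rules stated above."""
    if not isinstance(value, str) or value == "":
        # The page does not describe null/empty handling for these
        # relationships, so this model refuses such input.
        raise ValueError("expected a non-empty comma-delimited string")
    elements = value.split(",")
    problems = []
    for element in elements:
        if element == "" or element != element.strip():
            problems.append(f"empty element or space next to a comma: {element!r}")
        elif element != element.upper():
            problems.append(f"element is not capitalized: {element!r}")
    if problems:
        raise ValueError("; ".join(problems))
    return set(elements)

def all_of(property_value, comparison_value):
    """Every element of the property list is also in the comparison list."""
    return parse_list(property_value) <= parse_list(comparison_value)

def one_of(property_value, comparison_value):
    """At least one element of the property list is in the comparison list."""
    return bool(parse_list(property_value) & parse_list(comparison_value))

def policy_allows(record, conditions):
    """Combine (column, relationship, value) conditions with AND, the default."""
    return all(relationship(record[column], value)
               for column, relationship, value in conditions)

# Constructed sample: comparison value from the page, hypothetical record.
CLEARED = "BRAZIL,CANADA,FRANCE,GERMANY,SOUTH AFRICA,UK,USA"
RECORD = {"Countries": "CANADA,SOUTH AFRICA", "Regions": "EMEA,APAC"}

if __name__ == "__main__":
    print(all_of("CANADA,MEXICO", CLEARED))   # one element outside the list
    print(one_of("CANADA,MEXICO", CLEARED))   # one element inside the list
    print(policy_allows(RECORD, [("Countries", all_of, CLEARED),
                                 ("Regions", one_of, "EMEA")]))
    try:
        parse_list("CANADA, USA")             # space after the comma
    except ValueError as err:
        print("rejected:", err)
```

Running a check like this over comparison values before saving a condition catches the formatting mistakes (a space after a comma, mixed case) that would otherwise make list elements fail to match.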