
Defining the authorization scheme

Archived

9 Tasks

30 mins

Visible to: All users
Advanced Pega Platform 8.5 English
This content is now archived and is no longer updated. Progress is not calculated, Pega Cloud instances are disabled, and badges are no longer awarded.

Scenario

Front Stage's organization wants to implement the following security requirements:

  • Only sales executives and executive managers are allowed to see financial information.
  • A sales executive can work on cases that are created by other sales executives. However, a sales executive cannot access a peer’s case for an event larger than 10,000 attendees.
  • Event managers are only able to work on cases assigned to them. However, the event manager's team lead can work on cases assigned to any event manager.
  • Facility coordinators can only see and work on cases assigned to them.
  • Executive officers can view cases throughout the life cycle and create new custom reports.

Front Stage's organizational structure for event planning is shown in the following image.


FSG org structure

The following table provides the credentials you need to complete the challenge.

Role          | User name     | Password
Administrator | Admin@Booking | rules

The following table provides a list of sample users that are available for testing.

Department    | Role                                                                | User name                    | Password
Executives    | Executive Officer and CEO                                           | CEO@Booking                  | rules
Sales         | Sales Executive                                                     | SalesExecutive1@Booking      | rules
Sales         | Sales Executive                                                     | SalesExecutive2@Booking      | rules
Facility      | Facility Coordinator specialized in Parking                         | FacilityCoordinator1@Booking | rules
Facility      | Facility Coordinator specialized in Weather Preparation             | FacilityCoordinator2@Booking | rules
Facility      | Facility Coordinator specialized in Weather Preparation and Parking | FacilityCoordinator3@Booking | rules
EventManagers | Event Manager and Team Lead                                         | EventManager1@Booking        | rules
EventManagers | Event Manager                                                       | EventManager2@Booking        | rules
EventManagers | Event Manager                                                       | EventManager3@Booking        | rules

Design and implement the authorization scheme to fulfill the requirements.

  • Identify access groups and roles.
  • Implement the above requirements.

Detailed Tasks

1 Review the solution detail

Create units

Add the following units:

Organization unit
Executives
EventManagers
Facilities
Sales

Create Operators and assign skills

Create/update skills

Add the CEO, TeamLead, Parking, and Weather skills with a Low-High range of 1-10.
Create the following operators, each with the Manager access group and a default access group.

User name
SalesExecutive1@Booking
SalesExecutive2@Booking

For each of the following operators, update the skills and ratings as defined in the table.

User name                    | Skill(s) and rating
CEO@Booking                  | CEO (5), TeamLead (5)
FacilityCoordinator1@Booking | Parking (5)
FacilityCoordinator2@Booking | Weather (5)
FacilityCoordinator3@Booking | Parking (5), Weather (5)
EventManager1@Booking        | TeamLead (5)

Assign access groups and roles

System-generated roles

The New Application wizard creates a Booking:Administrator / Booking:Authors role and two user roles: Booking:User and Booking:Manager.

Users with the Booking:User role can open any case in the application and perform any assignment. The Booking:Manager role provides the ability to create and update reports, delegated rules, and workgroups.

Check the Booking access groups

Create and configure access groups and roles for each department since access is granted based on the department.

When the Event Booking application was first developed, the following access groups may have been created. If so, the access group names may not comply with Pega naming conventions. Rename them as needed using the information in the following table.

POC access group name       | New access group name
Booking:FacilityCoordinator | Booking:Facilities

To rename the existing access groups, perform the following steps:

  1. From your exercise system, log on as Admin@Booking.
  2. In the Dev Studio menu, click System > Configure > Refactor > Rules and open the Search/Replace a String wizard.
  3. Select Search/Replace a String.
  4. In the Original String Value field, enter Booking:FacilityCoordinator.
  5. In the New String Value field, enter Booking:Facilities.
  6. Set Limit search to RuleSets in my RuleSet list? to No.
  7. In the Select RuleSet Scope section, select the Booking ruleset.
  8. Click Next to display a report showing the number of Records with Occurrences and Occurrences Found.
  9. Click Next to display a report that shows the selectable rules that have references to the class being refactored.
  10. In the header of the report, select the Rule Type check box to select all the records.
  11. Optional: Export to Excel to keep a log of the affected records.
  12. Click Finish. A confirmation displays that the refactoring process is complete, together with a report of the rule and data instances that were not refactored.
  13. Optional: Export Page to Excel or Review Log.
  14. Click Done.
  15. In the Booking:Facilities access group, click Save as to create three more access groups:
    Access Group
    Booking:Executives
    Booking:Sales
    Booking:EventManagers

Create Event Booking roles

Create the following roles for each department since permissions and privileges are granted based on the department. Save the roles to the Event ruleset.

Role name identifier        | Label                | Dependent on
Booking:Executive           | Executive            | PegaRULES:WorkMgr4
Booking:SalesExecutive      | Sales Executive      | PegaRULES:WorkMgr4
Booking:EventManager        | Event Manager        | PegaRULES:WorkMgr4
Booking:FacilityCoordinator | Facility Coordinator | PegaRULES:WorkMgr4

Assign roles to the Event Booking access groups

Assign the following roles to the renamed access groups. Remove all other roles.

Access group          | Roles
Booking:Executives    | Booking:Executive, Booking:Manager, Booking:User, PegaRULES:PegaAPI
Booking:Sales         | Booking:SalesExecutive, Booking:User, PegaRULES:PegaAPI
Booking:Facilities    | Booking:FacilityCoordinator, Booking:User, PegaRULES:PegaAPI
Booking:EventManagers | Booking:EventManager, Booking:User, PegaRULES:PegaAPI

Create Event Booking workgroups

Create the following workgroups for each department because work is often assigned to them. Save the workgroups to the Event ruleset. Also, add the authorized managers named Admin@Booking and Author@Booking to each workgroup.

Workgroup identifier | Description               | Manager                      | Default workbasket
Executives@FSG       | FSG Executives            | CEO@Booking                  | Booking:Executives
Sales@FSG            | FSG Sales                 | SalesExecutive1@Booking      | Booking:Sales
EventManagers@FSG    | FSG Event Managers        | EventManager1@Booking        | Booking:EventManagers
Facilities@FSG       | FSG Facility Coordinators | FacilityCoordinator1@Booking | Booking:Facilities

Create/Update Event Booking workbaskets

Create or update the following workbaskets.

Workbasket            | Organization unit | Workgroup         | Role
Booking:Executives    | Executives        | Executives@FSG    | Booking:Executive
Booking:EventManagers | EventManagers     | EventManagers@FSG | Booking:EventManager
Booking:Facilities    | Facilities        | Facilities@FSG    | Booking:FacilityCoordinator
Booking:Sales         | Sales             | Sales@FSG         | Booking:SalesExecutive

Update to the operators

For each of the following operators, update the default Access Group, Workgroups, and Unit.

Operator ID                  | Default Work group | Default Access Group  | Unit
CEO@Booking                  | Executives@FSG     | Booking:Executives    | Executives
SalesExecutive1@Booking      | Sales@FSG          | Booking:Sales         | Sales
SalesExecutive2@Booking      | Sales@FSG          | Booking:Sales         | Sales
FacilityCoordinator1@Booking | Facilities@FSG     | Booking:Facilities    | Facilities
FacilityCoordinator2@Booking | Facilities@FSG     | Booking:Facilities    | Facilities
FacilityCoordinator3@Booking | Facilities@FSG     | Booking:Facilities    | Facilities
EventManager1@Booking        | EventManagers@FSG  | Booking:EventManagers | EventManagers
EventManager2@Booking        | EventManagers@FSG  | Booking:EventManagers | EventManagers
EventManager3@Booking        | EventManagers@FSG  | Booking:EventManagers | EventManagers

2 Allow Executive Officers access to cases throughout the Event Booking life cycle

To allow Executive Officers to view cases throughout the life cycle, edit their operator IDs by performing the following steps:

  1. Open the CEO@Booking operator ID record.
  2. In the Work tab, in the Routing section, perform the following steps:
    1. Add the following workgroups: Executives@FSG, Sales@FSG, EventManagers@FSG, and Facilities@FSG.
    2. Specify Executives@FSG as the default. The completed section looks like the following image.
      Routing
  3. Open the Booking:Executives access group.
  4. In the Definition tab, add the following available roles: Booking:Executive, Booking:SalesExecutive, Booking:EventManager, Booking:FacilityCoordinator, Booking:Manager, Booking:User and PegaRULES:PegaAPI.

    The completed access group looks like the following image.

    Available roles


  5. Save the Executive access group.

Update Event Booking case type routing

  1. From the Case Explorer, open the Event Booking case type.
  2. In the Preparations stage, open the Hotels process.
  3. Open the Select Search Hotels assignment properties pane and verify that Specific user is set to EventManager as shown in the following image.
    Event Booking case type routing


Update Parking case type routing

  1. From the Case Explorer, open the Parking case type.
  2. In the Preparation stage, open the Prepare for Parking process.
  3. Open the Reserve Shuttles assignment properties pane and verify the following settings.
    Field           | Setting
    Route to        | Custom
    Assignment type | Worklist
    Router          | ToLeveledGroup
    Workgroup       | Facilities@FSG
    Skill           | Parking
  4. In the Execution stage, open the Collect Results process.
  5. Open the Enter Number of Cars Parked assignment properties pane and verify the following settings.
    Field           | Setting
    Route to        | Custom
    Assignment type | Worklist
    Router          | ToWorkParty
    Party           | FacilityCoordinator
  6. In the Preparation stage, open the Prepare for Parking process.
  7. On the Reserve Shuttles connector, open the ReserveShuttles flow action.
  8. On the flow action, on the Action tab, in the Post-processing section, enter the following information.
    Field                | Setting
    Run activity         | addWorkObjectParty
    PartyRole parameter  | Facility coordinator
    PartyClass parameter | Data-Party-Operator
    PartyModel parameter | CurrentOperator

    The completed Run activity settings are shown in the following image.

    Add work object party


Update Weather case type routing

  1. In the Forecast Weather process of the Forecasting stage, open the Track Preparation assignment properties panel and verify that it is configured with the following information.

    Field           | Setting
    Route to        | Custom
    Assignment type | Worklist
    Router          | ToLeveledGroup
    Workgroup       | Facilities@FSG
    Skill           | Weather
  2. In the Prepare for Weather process of the Preparing stage, open the Review Preparations assignment properties panel and verify that it is configured with the following information.

    Field           | Setting
    Route to        | Custom
    Assignment type | Worklist
    Router          | ToWorkParty
    Party           | FacilityCoordinator

3 Enable attribute-based access control security

Use attribute-based access control (ABAC) to configure your authorization scheme. 

Restrict access to financial information using ABAC

To restrict access to the financial information as described in the scenario, you:

  • Create SalesExecutive and ExecutiveOfficer access when records to test whether an operator belongs to the sales executives or executive officers access group.
  • Create a SalesAndExecutives access control policy condition that references your new access when records.
  • Create a RestrictFinancialInformation read properties access control policy that references your new access control policy condition. Users defined in the SalesAndExecutives access control policy condition can view the .Profit, .Totalcost, .TotalPrice, .DiscountPercentage, .PricingDisplay.EventPrice, and .PricingDisplay.HotelServicePrice properties.

Create Sales Executive and ExecutiveOfficer access when records

  1. In the Records Explorer, expand the Security category.
  2. Select the Access When record type.
  3. Click Create.
  4. In the new record form, enter the following information.
    Field          | Setting
    Label          | Sales Executive
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Event
  5. Click Create and open to create the new access when record.
  6. On the Conditions tab, enter the following When expression:

    pxThread.pxCurrentAccessGroup = "Booking:Sales"

    The completed Conditions tab looks like the following image.

    Sales executive


  7. Save the new SalesExecutive access when record.
  8. Repeat steps 1-4.
  9. In the new record form, enter the following information.
    Field          | Setting
    Label          | Executive Officer
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Event
  10. Click Create and open to create the new access when record.
  11. On the Conditions tab, enter the following When expression:

    pxThread.pxCurrentAccessGroup = "Booking:Executives"

    The completed Conditions tab looks like the following image.

    Executive officer
  12. Save the new ExecutiveOfficer access when record.
    Note: Create a BookingAdministrator access when record with pxThread.pxCurrentAccessGroup = "Booking:Authors", or specify the required access group in the expression, so that you can continue editing and viewing the restricted properties as Admin@Booking or any other author operator (administrator).

    Booking admin

Create a SalesAndExecutives access control policy condition

  1. Open the Records Explorer.
  2. Expand the Security category.
  3. Select Access Control Policy Condition record types.
  4. Click Create.
  5. In the new record form, enter the following information:

    Field          | Setting
    Label          | Sales And Executives
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Event
  6. Click Create and open to create the new SalesAndExecutives access control policy condition.
  7. In the access control policy condition Definition tab, in the Conditional Logic section, add the ExecutiveOfficer and SalesExecutive access when records that you created.
  8. Optional: In the Policy Conditions section, specify a condition that always returns false to ensure that access is only provided if one of the access when rules evaluates to true.
  9. Save the new SalesAndExecutives access control policy condition record.
    Note: Add a BookingAdministrator access when condition so you can continue editing and viewing the restricted properties as Admin@Booking.

    The completed Definition tab looks like the following image.

    Sales and Executives

Create a RestrictFinancialInformation access control policy

  1. Open the Records Explorer.
  2. Expand the Security category.
  3. Select Access Control Policy record types.
  4. Click Create.
  5. In the new record form, enter the following information.

    Field          | Setting
    Label          | Restrict Financial Information
    Action         | PropertyRead
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Booking
  6. Click Create and open to create the new RestrictFinancialInformation access control policy.
  7. In the access control policy Definition tab, in the Permit access if field, enter the SalesAndExecutives access control policy condition that you created.
  8. Add the .Profit, .Totalcost, .TotalPrice, .DiscountPercentage, .PricingDisplay.EventPrice, and .PricingDisplay.HotelServicePrice properties. For all of the properties, use Mask with N digits as the Restriction Method.

    The completed Definition tab looks like the following image.

    Sales and executives
  9. Save the new RestrictFinancialInformation access control policy record.

4 Restrict access to Event Booking cases using ABAC

To restrict access to the Event Booking cases as described in the scenario:

  • Create the EventManager access when record to test whether an operator is in the EventManager access group.
  • Create the TeamLeadEventManager access when record to test whether an operator is in the Event Manager access group and has a Team Lead skill.
  • Configure the properties used in the access control policy condition to be used in searches and reports.
  • Create a HasEventReadAccess access control policy condition that references your new access when conditions and includes policy conditions and access permissions.
  • Create a RestrictEventAccess access control policy that references your new access control policy condition.

Create EventManager and TeamLeadEventManager access when records

Perform the following steps to create the EventManager access when record to test whether an operator belongs to the EventManagers access group.

  1. From the Records Explorer, expand the Security category.
  2. Select Access When record types.
  3. Click Create.
  4. In the new rule form, enter the following information.
    Field          | Setting
    Label          | Event Manager
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Event
  5. Click Create and open to create the EventManager access when record.
  6. On the Conditions tab, enter the following When expression:
    pxThread.pxCurrentAccessGroup = "Booking:EventManagers"

    The completed Conditions tab looks like the following image.

    Event Manager
  7. Save the new EventManager access when record.

Perform the following steps to create the TeamLeadEventManager access when record to test whether an operator belongs to the Event Managers access group and has the TeamLead skill.

  1. From the Records Explorer, expand the Security category.
  2. Select Access When record types.
  3. Click Create.
  4. In the new rule form, enter the following information.
    Field          | Setting
    Label          | Team Lead Event Manager
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Event
  5. Click Create and open to create the TeamleadEventManager access when record.
  6. In the Conditions tab, use the following When expression:
    pxThread.pxCurrentAccessGroup = "Booking:EventManagers" AND function @IsInPageList("TeamLead","pySkillName",OperatorID.pySkills)

    The completed Conditions tab looks like the following image.

    Team lead event manager
  7. Save the new TeamLeadEventManager access when record.

Configure the access control policy condition properties

Before you can configure the new HasEventReadAccess access control policy condition, perform the following actions:

  • Create a new Property EventManager and assign a value
  • Optimize the .EventManager and .NumAttendees properties for reporting.
  • Make NumAttendees a filterable search property.

Create a new Property EventManager and assign a value

  • Create a new text type property EventManager in the FSG-Booking-Work-BookEvent class.
  • Create a new data transform named PopulateEventManager to populate EventManager from .pyAssignedOperator, as shown in the following image:
    Populate Event Manager
  • Update the ManagerAssignment flow action by adding the PopulateEventManager data transform in the post-processing section, as shown in the following image:
    Manager assignment

Optimize the EventManager and NumberOfAttendee properties

In the App Explorer, right-click the following properties, and then select Optimize for reporting.

  • (FSG-Booking-Work-BookEvent) EventManager
  • (FSG-Booking-Work-BookEvent) NumberOfAttendees

Make NumAttendees a filterable search property

  1. In the Dev Studio header, click Create > SysAdmin > Custom Search Properties.
  2. In the Class Name field, enter FSG-Booking-Work-BookEvent.
  3. Click Create and open.
  4. In the record header, set the Associated RuleSet to Event.
  5. Select the Use dedicated index check box.
  6. Save the rule form.
  7. Click Create dedicated index. This button is available only after you save the rule form.
  8. In the Definition tab of the custom search properties, select the FSG-Booking-Work-BookEvent property.
  9. Click Add to open the Property Configurations dialog box.
  10. In the Property Configurations dialog box, select the NumAttendees property.
  11. Click Submit to save your updates and close the dialog.
  12. Expand FSG-Booking-Work-BookEvent.
  13. Select the Include in search results check box.

    The completed Definition tab on the custom search properties record looks like the following image.

    pySearch
  14. Save the FSG-Booking-Work-BookEvent • pySearch custom search properties record.

5 Configure the HasEventReadAccess access control policy condition

  1. In the Records Explorer, expand the Security category.
  2. Select Access Control Policy Condition record types.
  3. Click Create.
  4. In the new rule form, enter the following information.
    Field          | Setting
    Label          | Has Event Read Access
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Event
  5. Click Create and open to create the HasEventReadAccess access control policy condition.
  6. On the Pages & Classes tab, add the Page name OperatorID using Class Data-Admin-Operator-ID.
  7. On the Definition tab, do the following:
    1. In the Conditional Logic section, add the TeamLeadEventManager, EventManager, and SalesExecutive access when records you created as conditions.
    2. In the Policy Conditions section, specify the following conditions. Condition D always returns true to ensure that access is not prevented if none of the access when rules evaluates to true.

    Condition | Column source      | Relationship | Value
    A         | .NumberOfAttendees | is less than | 10000
    B         | .pxCreateOperator  | Is equal     | OperatorID.pyUserIdentifier
    C         | .EventManager      | Is equal     | OperatorID.pyUserIdentifier
    D         | .pxCreateOperator  | Is not null  |

    The completed Definition tab on the access control policy condition record looks like the following image.

    HasEventReadAccess
  8. Save the HasEventReadAccess access control policy condition.

Create the RestrictEventAccess access control policy

In the Event Booking case type, create an access control policy with an action Read to restrict access to the Event Booking cases.

  1. Open the Records Explorer.
  2. Expand the Security category.
  3. Select Access Control Policy record types.
  4. Click Create.
  5. In the new rule form, enter the following information.
    Field          | Setting
    Label          | Restrict Event Access
    Apply to       | FSG-Booking-Work-BookEvent
    Add to ruleset | Event
    Action         | Read
  6. Click Create and open to open the new RestrictEventAccess access control policy.
  7. In the Permit access if field, enter the HasEventReadAccess access control policy condition you created.

    The completed Read • RestrictEventAccess access control policy is shown in the following image.

    Restrict event access
  8. Save the RestrictEventAccess access control policy.
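
To sanity-check the intended outcomes of the scheme before the rules are built, the following is an added Python model of the RestrictFinancialInformation and RestrictEventAccess policies from tasks 3 to 5; it is not Pega code and not part of this challenge. It assumes the mapping of access when rows to policy conditions A-D that the page shows only as a screenshot (inferred here from the scenario requirements) and treats the N in Mask with N digits as 2.

```python
from dataclasses import dataclass, field
from typing import Optional

# Properties listed in the RestrictFinancialInformation policy (the page's list).
FINANCIAL_PROPERTIES = (
    "Profit", "Totalcost", "TotalPrice", "DiscountPercentage",
    "PricingDisplay.EventPrice", "PricingDisplay.HotelServicePrice",
)
MASK_DIGITS = 2  # assumption: the N in "Mask with N digits"; the page does not fix it


@dataclass(frozen=True)
class Operator:
    """Subset of Data-Admin-Operator-ID that the access when records read."""
    user_id: str          # OperatorID.pyUserIdentifier
    access_group: str     # pxThread.pxCurrentAccessGroup
    skills: tuple = ()    # pySkillName values in OperatorID.pySkills


@dataclass
class BookEvent:
    """Subset of FSG-Booking-Work-BookEvent that the policy conditions read."""
    create_operator: Optional[str]   # .pxCreateOperator
    event_manager: Optional[str]     # .EventManager, set by PopulateEventManager
    num_attendees: int               # .NumberOfAttendees
    values: dict = field(default_factory=dict)  # remaining case properties


# Access when records: each tests pxThread.pxCurrentAccessGroup.
def sales_executive(op: Operator) -> bool:
    return op.access_group == "Booking:Sales"

def executive_officer(op: Operator) -> bool:
    return op.access_group == "Booking:Executives"

def event_manager(op: Operator) -> bool:
    return op.access_group == "Booking:EventManagers"

def team_lead_event_manager(op: Operator) -> bool:
    # ... AND @IsInPageList("TeamLead", "pySkillName", OperatorID.pySkills)
    return event_manager(op) and "TeamLead" in op.skills

def booking_administrator(op: Operator) -> bool:
    return op.access_group == "Booking:Authors"


def sales_and_executives(op: Operator) -> bool:
    """SalesAndExecutives policy condition: any matching access when grants
    access; the fallback row is the always-false condition from step 8."""
    return sales_executive(op) or executive_officer(op) or booking_administrator(op)


# Policy conditions A-D of HasEventReadAccess, as in the page's table.
def condition_a(op, case): return case.num_attendees < 10000
def condition_b(op, case): return case.create_operator == op.user_id
def condition_c(op, case): return case.event_manager == op.user_id
def condition_d(op, case): return case.create_operator is not None

def sales_policy(op, case): return condition_a(op, case) or condition_b(op, case)

# Assumption: the mapping of access when rows to policy conditions is inferred
# from the scenario requirements; the page shows it only as a screenshot.
HAS_EVENT_READ_ACCESS = [
    (team_lead_event_manager, condition_d),  # team lead: any event manager's case
    (event_manager, condition_c),            # event manager: only cases assigned to them
    (sales_executive, sales_policy),         # sales: own cases, or peers' under 10,000
]

def has_event_read_access(op: Operator, case: BookEvent) -> bool:
    for access_when, policy in HAS_EVENT_READ_ACCESS:
        if access_when(op):
            return policy(op, case)
    return condition_d(op, case)  # no access when matched: row D never denies


def mask_with_n_digits(value, n: int = MASK_DIGITS) -> str:
    """Simplified stand-in for Mask with N digits: keep only the last n characters."""
    text = str(value)
    return "*" * max(len(text) - n, 0) + text[-n:]

def read_case(op: Operator, case: BookEvent) -> dict:
    """Apply RestrictEventAccess (Read), then RestrictFinancialInformation
    (PropertyRead) to the properties the operator is allowed to see."""
    if not has_event_read_access(op, case):
        raise PermissionError("Access Control Policy denied access for class "
                              "FSG-Booking-Work-BookEvent and action Open")
    visible = dict(case.values)
    if not sales_and_executives(op):
        for prop in FINANCIAL_PROPERTIES:
            if prop in visible:
                visible[prop] = mask_with_n_digits(visible[prop])
    return visible
```

The operator and case values used to exercise it correspond to the sample users and the checks in task 6.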

Restrict access to facility cases

You can restrict opening Facility cases using role-based access control. To do so, open the Facility case type and use the Access Manager to configure No Access for Perform.

6 Confirm your work

  1. Log off as Admin@Booking.
  2. Log in as User@Booking, and create a new Event Booking Case. Notice that the .Profit, .Totalcost, .TotalPrice, and .DiscountPercentage fields are all masked and read-only.
  3. Log off.
  4. Log on as SalesExecutive1@Booking, and create a new Event Booking Case. Notice that the .Profit, .Totalcost, .TotalPrice, .DiscountPercentage, .PricingDisplay.EventPrice, and .PricingDisplay.HotelServicePrice fields are not masked and are editable.

  5. Create two Event Booking cases:
    1. One with under 10,000 attendees.
    2. One with more than 10,000 attendees.
      Do not complete the Customer Approval step in either case.
  6. Log off.
  7. Log in as SalesExecutive2@Booking, switch to the Case Manager portal, and do the following:
    1. On the Dashboard, select Sales Executive 1 in the Team members section to view SalesExecutive1@Booking's open cases.
    2. Select Customer Approval for the case with under 10,000 attendees. As a result, you can work on the case.
    3. Select Customer Approval for the case with more than 10,000 attendees. The following error message is displayed: Access Control Policy denied access for class FSG-Booking-Work-BookEvent and action Open.
    4. Log out.
  8. Log in as EventManager2@Booking. Switch to the Case Manager portal and do the following:
    1. On the Dashboard, select Event Manager 1 in the Team members section to view EventManager1@Booking's open cases.
    2. Select Approve Assignment for any case listed. As a result, you should receive an error message to the effect that, "Access Control Policy denied access for class FSG-Booking-Work-BookEvent and action Open."
    3. Log out.
  9. Log in as EventManager1@Booking. Switch to the Case Manager portal and do the following.
    1. On the Dashboard, select Event Manager 2 in the Team members section to view EventManager2@Booking's open cases.
    2. Select Approve Assignment for any case listed. As a result, you can work on the selected case.

7 Alternative approaches

The following alternative approaches are presented. They do not have to be developed. The detailed instructions provided are a guide in case you would like to experiment using role-based access control (RBAC) to restrict access to Event Booking cases or restrict access to Facilities assignments using ABAC.

Restrict access to financial information

There are no alternative approaches for restricting access to the financial information.

Restrict access to events cases using RBAC

Create a role for events and add it to appropriate access groups. Use the Access Manager to create an Access of Role to Object record with an access when record defining the restrictions.

Restrict access to Event Booking cases: Comparing RBAC and ABAC

The following table describes the pros and cons of each approach.

Design                         | Pros                    | Cons
Attribute based access control | Easy to configure       | Not shown in Access Manager
Role based access control      | Shown in Access Manager | Requires an additional role

Restrict access to Facilities assignments using ABAC (optional)

  1. For the Assign-Worklist class, create an access when condition named FacilityCoordinator in the Event ruleset.
  2. In the Conditions tab, use the following When... expression:

    pxThread.pxCurrentAccessGroup = "Booking:Facilities"

    The Conditions tab should look like the following image.

    Facility coordinator
  3. For the Assign-Worklist class, create a new FacilityCaseAssignedToMe access control policy condition in the Event ruleset.
  4. In the Pages & Classes tab on the access control policy condition record, enter OperatorID in the Page name field and enter Data-Admin-Operator-ID in the Class field.
  5. In the Definition tab, check if the user is a facility coordinator, and check if the case is assigned to that user. For all others, grant access.
    The Definition tab configuration is shown in the following image.

    Facility coordinator
  6. For the Assign-Worklist class, create a RestrictFacilityCases access control policy in the EventBooking ruleset. Set the Action to Read to restrict other facility coordinators from opening the assignment and performing work.
  7. In the Permit access if field, enter the FacilityCaseAssignedToMe access control policy condition you created.

    The access control policy should look like the following image.

    Facility case managed


Restrict access to Facilities assignments: comparing RBAC and ABAC

The following table describes the pros and cons of each approach.

Design                         | Pros                    | Cons
Attribute based access control | Easy to configure       | Not shown in Access Manager
Role based access control      | Shown in Access Manager | Requires an additional role

8 Review alternative options

The alternative approaches for this task are the same as those described in task 7, Alternative approaches.

9 Review the solution

The solution RAP (Rule Admin Product) file provided in the Application design mission of this course does not contain a complete implementation of all the authorization requirements specified in the Front Stage Scenario Requirements. All the given requirements can be implemented using a combination of RBAC and ABAC.

To review the implemented solution, switch the application to Booking Authorization while logged in as the Admin@Booking operator.


