
Challenge

Securing an application using attribute-based access control

5 Tasks

30 mins

Visible to all users
Beginner Pega Platform 8.2 English

Scenario

Each candidate case includes a Taxpayer Identification Number (TIN) to identify the candidate. This information is considered sensitive personal information. The Human Resources (HR) department is required to prevent unauthorized access to sensitive personal information. To satisfy this requirement, unless the user is a member of either the HR or Recruiting organization units, the HR department wants to mask the TIN. However, the field must be editable on the first step of the case life cycle so that users can enter their TIN on the form.

The following table provides the credentials you need to complete the exercise.

Role              Operator ID      Password
System Architect  SSA@TGB          rules
End user          Recruiter@TGB    rules

Your assignment

Create an access control policy condition for the Candidate case type. Configure the condition to perform the following tests.

  • Create an Access When record to test if the user is a member of either the Recruiting or HR org units. Then apply the Access When record to the access control policy condition.
  • Create a policy condition (A) that tests whether the property pxCreateOperator is not null, and apply it when the Access When record returns true (the user is a member of either the Recruiting or HR org unit).
  • Create a policy condition (B) that tests whether the property pxCreateOperator is null, and apply it when the Access When record returns false (the user is not a member of either org unit).

Create an access control policy for the Candidate case type. Configure the policy to apply a full mask to every digit of the TIN property whenever the access control policy condition does not permit access.

Update the Collect Candidate Details process to set a value of the property pxCreateOperator once the user completes the Collect Personal Information assignment. To do this, copy the value of pxCreateOperator from pyWorkPage.

You must initiate your own Pega instance to complete this Challenge.

Initialization may take up to 5 minutes so please be patient.

Detailed Tasks

1 Create the Access When record

Create an Access When record to test whether the operator is a member of either the HR or Recruiting org units.

Access control policy conditions compare a column source against clipboard data, not against literal values. The requirement, however, calls for comparing the operator's org unit with two constant strings, "HR" and "Recruiting". An Access When record can test against constants, so configure one that tests for "HR" or "Recruiting" and reference it from the policy condition.
  1. In Dev Studio, from the Create menu, select Security > Access When to open the Create Access When form.
  2. In the Label field, enter Is HR Or Recruiting to name the Access When record.
  3. In the Apply to field, enter or select TGB-HRApps-Data-Candidate.
  4. On the Create Access When form, click Create and open to create the Access When record.
  5. On the Access When record, double-click the text [Double click to add condition] to open the Condition dialog.
  6. In the Condition dialog, enter the condition OperatorID.pyOrgUnit = "HR".
    access-when-condition
  7. Click Submit to return to the Access When record.
  8. Select the OperatorID.pyOrgUnit = "HR" condition and click Actions > Insert Condition to open the Condition dialog and create a second condition.
  9. In the Condition dialog, enter the condition OperatorID.pyOrgUnit = "Recruiting".
  10. Click Submit to return to the Access When record.
  11. To the left of the OperatorID.pyOrgUnit = "Recruiting" condition, click AND and select OR so that the record returns true if the org unit is either HR or Recruiting.
    access-when-HR-or-Recruiting
  12. Click Save to complete the configuration of the Access When record.

2 Create the access control policy condition record

Create an access control policy condition that defines when the Taxpayer Identification Number (TIN) field is not masked: when the operator is a member of either the HR or Recruiting org unit, or when the user is first creating the case and must enter a TIN.

  1. From the Create menu, select Security > Access Control Policy Condition to open the Create Access Control Policy Condition form.
  2. On the Create Access Control Policy Condition form, in the Label field, enter HR or Recruiting.
  3. In the Apply to field, enter TGB-HRApps-Data-Candidate to create the policy condition in the same class as the Tax Identification Number property.
  4. Click Create and open to open the Access Control Policy Condition record.
  5. In the Conditional Logic section, click Add conditional logic to create a test condition.
  6. In the WHEN field, enter IsHROrRecruiting to apply the access when rule you created earlier.
  7. In the Policy Conditions section, in the Column source field, enter or select .pxCreateOperator.
  8. From the Relationship drop-down list, select Is not null.
    Policy condition
  9. Click Add condition to create a second policy condition.
  10. In the empty policy condition row, in the Column source field, enter or select .pxCreateOperator.
  11. From the Relationship drop-down list, select Is null.
    Condition complete
  12. In the Conditional Logic section, under WHEN, in the Permit access if field, enter A to apply the first policy condition if the Access When record returns a result of true.
    Access a
  13. Under OTHERWISE, in the Permit access if field, enter B to apply the second policy condition if the Access When record returns a result of false.
    Access b
  14. Click the Pages & Classes tab.
  15. In the Page name field, enter OperatorID.
  16. In the Class field, enter or select Data-Admin-Operator-ID.
  17. Click Save to complete the configuration of the access control policy condition.

Note that the WHEN branch permits access only while .pxCreateOperator is not null. On the Collect Personal Information form the value has not yet been copied onto the Candidate page, so an operator in HR or Recruiting is not permitted access at that step even though the case creator path is; the verification in task 5 only exercises creation by a non-member. To permit members unconditionally, enter A OR B in the Permit access if field under WHEN instead of A.

If multiple operator security attributes need to be evaluated from multiple sources, consider creating a data type and data page to aggregate these values onto a single page.

3 Create the access control policy record

Create an access control policy that masks all nine digits of the Taxpayer Identification Number (TIN).

  1. From the Create menu, select Security > Access Control Policy to open the Create Access Control Policy form.
  2. On the Create Access Control Policy form, in the Label field, enter Restrict TIN.
  3. From the Action drop-down list, select PropertyRead to apply the policy condition when reading a property value.
  4. In the Apply to field, enter TGB-HRApps-Data-Candidate to create the policy in the same class as the Tax Identification Number property .TIN.
  5. Click Create and open to open the Access Control Policy record.
  6. On the Access Control Policy record, in the Permit access if field, enter or select HROrRecruiting to apply the HR or Recruiting access control policy condition.
  7. Click Add Property.
  8. In the Property field, enter or select .TIN to apply the policy to the TIN field.
  9. From the Restriction Method drop-down list, select Full Mask to apply a mask to all the digits of the TIN.
    Restrict TIN
  10. Click the Gear icon to open the Masking and Formatting Options dialog.
  11. In the Masking and Formatting Options dialog, confirm that the Restriction Method field is set to Full Mask.
  12. Under Restriction Method, in the Masking character field, select * to use asterisks for masking.
  13. Under Masking character, select Display length is fixed to set the display length.
  14. In the Display characters length field, enter 9 to set the display length to 9 characters.
  15. Click Submit to close the Masking and Formatting Options dialog and return to the access control policy record.
  16. Click Save to complete the configuration of the access control policy.

4 Update the Collect Candidate Details process to set the value of .pxCreateOperator for the policy condition

To ensure that the Tax Identification Number field is editable on the Collect Personal Information form and is masked on all other forms, the policy condition tests the value of the pxCreateOperator property. Update the Collect Candidate Details process to copy the value of the pxCreateOperator property from pyWorkPage to the Candidate page so the policy condition record can test the property value.

  1. In Dev Studio, from the Explorer panel, click App to open the App Explorer.
  2. In the App Explorer, click Candidate > Process > Flow > CollectCandidateDetails_0 to open the Collect Candidate Details_0 process.
  3. In the Collect Candidate Details process, double-click the connector between the Collect Personal Details and Collect Professional Details assignments to open the Connector Properties dialog.
  4. In the Connector Properties dialog, in the Set Properties section, in the Name field, enter or select .Candidate.pxCreateOperator to set the value of the pxCreateOperator property on the Candidate page.
  5. In the Value field, enter or select .pxCreateOperator to copy the value of the pxCreateOperator property on pyWorkPage.
  6. Click Submit to return to the Collect Candidate Details process.
  7. Click Save to complete the configuration of the process.
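The following Python model, added here as an example and not Pega code, reproduces the decision that tasks 2 through 4 configure so the two branches of the policy condition can be checked offline: the Access When test on OperatorID.pyOrgUnit, the WHEN/OTHERWISE expressions over conditions A (.pxCreateOperator is not null) and B (.pxCreateOperator is null), the Full Mask with a fixed display length of nine asterisks, and the connector that copies pxCreateOperator from pyWorkPage onto the Candidate page. The class and function names, the evaluator for the Permit access if expression, and the org unit assumed for SSA@TGB are this example's own; the operators and case data are constructed inline.

```python
"""Offline model of the TIN masking policy from tasks 2 to 4.

Added example, not Pega code. Names are invented for the example:
Operator, Candidate, permit_access, mask_tin, read_tin,
after_collect_personal_information. The org unit given to SSA@TGB
below is an assumption; the challenge only shows that SSA@TGB is not
in HR or Recruiting (the TIN is masked for that user).
"""
from dataclasses import dataclass
from typing import Optional

# Org units the Access When record "Is HR Or Recruiting" accepts.
PERMITTED_ORG_UNITS = {"HR", "Recruiting"}


@dataclass
class Operator:
    operator_id: str
    org_unit: str  # OperatorID.pyOrgUnit


@dataclass
class Candidate:
    tin: str
    create_operator: Optional[str] = None  # .Candidate.pxCreateOperator


def is_hr_or_recruiting(operator: Operator) -> bool:
    """Access When: OperatorID.pyOrgUnit = "HR" OR OperatorID.pyOrgUnit = "Recruiting"."""
    return operator.org_unit in PERMITTED_ORG_UNITS


def permit_access(operator: Operator, candidate: Candidate,
                  when_expr: str = "A", otherwise_expr: str = "B") -> bool:
    """Policy condition "HR or Recruiting" as built in task 2.

    A: .pxCreateOperator Is not null    B: .pxCreateOperator Is null
    WHEN IsHROrRecruiting -> permit if when_expr, OTHERWISE -> otherwise_expr.
    The expression evaluator only handles single letters joined by OR,
    which covers "A", "B" and "A OR B".
    """
    a = bool(candidate.create_operator)
    terms = {"A": a, "B": not a}
    expr = when_expr if is_hr_or_recruiting(operator) else otherwise_expr
    return any(terms[term.strip()] for term in expr.split("OR"))


def mask_tin(value: str, masking_char: str = "*",
             fixed_display_length: Optional[int] = 9) -> str:
    """Full Mask from task 3: every character replaced by masking_char.

    With "Display length is fixed" the output is always fixed_display_length
    characters; with fixed_display_length=None it matches the value's length.
    """
    length = fixed_display_length if fixed_display_length is not None else len(value)
    return masking_char * length


def read_tin(operator: Operator, candidate: Candidate, **policy) -> str:
    """PropertyRead: the clear value when access is permitted, else the mask."""
    if permit_access(operator, candidate, **policy):
        return candidate.tin
    return mask_tin(candidate.tin)


def after_collect_personal_information(candidate: Candidate,
                                       work_page_create_operator: str) -> Candidate:
    """Task 4 connector: set .Candidate.pxCreateOperator from pyWorkPage.pxCreateOperator."""
    candidate.create_operator = work_page_create_operator
    return candidate


if __name__ == "__main__":
    # Constructed sample data: the creator is assumed to be outside HR/Recruiting.
    creator = Operator("SSA@TGB", "Development")
    recruiter = Operator("Recruiter@TGB", "Recruiting")
    case = Candidate("111-22-2222")
    print("creator, first step:      ", read_tin(creator, case))
    after_collect_personal_information(case, creator.operator_id)
    print("creator, phone screen:    ", read_tin(creator, case))
    print("recruiter, phone screen:  ", read_tin(recruiter, case))
    print("recruiter, first step:    ", read_tin(recruiter, Candidate("111-22-2222")))
    print("recruiter, first step, A OR B:",
          read_tin(recruiter, Candidate("111-22-2222"), when_expr="A OR B"))
```

Running the model walks the same path as task 5: the creator sees the clear value on the first step and nine asterisks afterwards, and the recruiter sees the clear value at the phone screen. The last two lines show the WHEN branch on the first step for a Recruiting member with the configured expression A and with A OR B.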

5 Confirm your work

  1. Create a new Candidate case. Note the case number.
  2. On the Collect Personal Information form, in the Taxpayer Identification Number (TIN) field, enter 111-22-2222.
    In the United States, the most common Taxpayer Identification Number for an individual is the Social Security Number (SSN), issued by the Social Security Administration. The SSN is a nine-digit number entered in the form NNN-NN-NNNN.
  3. Click Submit to submit the Collect Personal Information form.
  4. Advance the case to the Conduct Phone Screen form.
  5. Confirm that the Taxpayer Identification Number (TIN) field displays nine asterisks.
    confirm-work-masked
  6. Log out of Dev Studio.
  7. Log in as the user Recruiter@TGB, with the password rules.
  8. On the dashboard, under Work queues, click Recruiter workbasket to display the contents of the Recruiter workbasket.
  9. Open the case you just created and advance to the Conduct Phone Screen form. Confirm that the Taxpayer Identification Number (TIN) field displays the full number, 111-22-2222, without a mask.
    confirm-work-unmasked
