Skip to main content

Securing an application using attribute-based access control

Archived

4 Tasks

30 mins

Visible to: All users
Intermediate Pega Platform 8.6 Security English
This content is now archived and is no longer updated. Progress is not calculated. Pega Cloud instances are disabled, and badges are no longer awarded. Click here to continue your progress in the latest version.

Scenario

Each candidate case includes a Taxpayer Identification Number (TIN) to identify the candidate. This information is considered sensitive personal information. The Human Resources (HR) department is required to prevent unauthorized access to sensitive personal information. To satisfy this requirement, unless the user is a member of either the HR or Recruiting organization units, the HR department wants to mask the TIN. However, the field must be editable on the first step of the case life cycle so that users can enter their TIN on the form.

Create an access control policy condition for the Candidate case type. Configure the condition to perform the following tests.

  • Create an Access When record to test if the user is a member of either the Recruiting or HR org units. Then apply the Access When record to the access control policy condition.
  • Create a policy condition to test whether the property pxCreateOperator is null when the user is a member of either the Recruiting or HR org units.
  • Create a policy condition to test whether the property pxCreateOperator is not null when the user is not a member of either the Recruiting or HR org units.

Create an access control policy for the Candidate case type. Configure the policy to mask all numbers of the TIN property if the access control policy condition is true.

Update the Collect Candidate Details process to set a value of the property pxCreateOperator once the user completes the Collect Personal Information assignment. To do this, copy the value of pxCreateOperator from pyWorkPage.

The following table provides the credentials you need to complete the challenge.

Role User name Password
System Architect SSA@TGB rules
End user Recruiter@TGB rules
Note: Your practice environment may support the completion of multiple challenges. As a result, the configuration shown in the challenge walkthrough may not match your environment exactly.

Challenge Walkthrough

Detailed Tasks

1 Create the Access When record

Note: Access control policy conditions can only test against clipboard data. The policy condition must test the org unit of the operator against two constant strings, "HR" and "Recruiting," to satisfy the requirement. Configure an Access When record to test a constant such as "HR" or "Recruiting."
  1. In Dev Studio, from the Create menu, select Security > Access When to open the Create Access When form.
  2. In the Label field, enter Is HR Or Recruiting to name the Access When record.
  3. In the Apply to field, enter or select TGB-HRApps-Data-Candidate.
  4. On the Create Access When form, click Create and open to create the Access When record.
  5. On the Access When record, double-click the text [Double click to add condition] to open the Condition dialog.
  6. In the Condition dialog, enter the condition OperatorID.pyOrgUnit = “HR”.

    access-when-condition
  7. Click Submit to return to the Access When record.
  8. Select the OperatorID.pyOrgUnit= “HR” condition and click Actions > Insert Condition to open the Condition dialog to create a second condition.
  9. In the Condition dialog, enter the condition OperatorID.pyOrgUnit = “Recruiting”.
  10. Click Submit to return to the Access When record.
  11. To the left of the OperatorID.pyOrgUnit= “Recruiting” condition, click AND and select OR to change the condition and return a result of true if the org unit is either HR or Recruiting.
    access-when-HR-or-Recruiting
  12. Save your changes.

2 Create the access control policy condition record

  1. From the Create menu, select Security > Access Control Policy Condition to open the Create Access Control Policy Condition form.
  2. On the Create Access Control Policy Condition form, in the Label field, enter HR or Recruiting.
  3. In the Apply to field, enter TGB-HRApps-Data-Candidate to create the policy condition in the same class as the Tax Identification Number property.
  4. Click Create and open and use the following image to define the Access Control Policy Conditions and logic.
    access-control-policy-condition-record
  5. Click the Pages & Classes tab.
  6. In the Page name field, enter OperatorID.
  7. In the Class field, enter or select Data-Admin-Operator-ID.
  8. Click Save to complete the configuration of the access control policy condition.
Note: If multiple operator security attributes need to be evaluated from multiple sources, consider creating a data type and data page to aggregate these values onto a single page.

3 Create the access control policy record

  1. Create a new Access Control Policy.
  2. On the Create Access Control Policy form, in the Label field, enter Restrict TIN.
  3. From the Action drop-down list, select PropertyRead to apply the policy condition when reading a property value.
  4. In the Apply to field, enter TGB-HRApps-Data-Candidate to create the policy in the same class as the Tax Identification Number property.
  5. Create and open the Access Control Policy record.
  6. On the Access Control Policy record, in the Permit access if field, enter or select HROrRecruiting to apply the HR or Recruiting access control policy condition.
  7. Click Add Property.
  8. In the Property field, enter or select .TIN to apply the policy to the TIN field.
  9. Apply a full mask to mask all the digits of the TIN.
    Access control policy TIN mask
  10. Click the Gear icon to open the Masking and Formatting Options dialog.
  11. In the Masking and Formatting Options dialog, complete all fields as shown in the following image.
    masking-formatting-options
  12. Click Submit to close the Masking and Formatting Options dialog and return to the access control policy record.
  13. Save your changes to the access control policy.

4 Update the Collect Candidate Details process to set the value of .pxCreateOperator for the policy condition

  1. In Dev Studio, from the App Explorer, click Candidate > Process > Flow > CollectCandidateDetails_0 to open the Collect Candidate Details_0 process.
  2. In the Collect Candidate Details flow, double-click the Collect Personal Details connector to open the Connector properties dialog.
  3. In the Set Properties section, in the Name field, enter or select .Candidate.pxCreateOperator to set the value of the pxCreateOperator property on the Candidate page.
  4. In the Value field, enter or select .pxCreateOperator to copy the value of the pxCreateOperator property on pyWorkPage.
  5. Click Submit to return to the Collect Candidate Details process.
  6. Save your changes.

Confirm your work

  1. Create a new Candidate case. Note the case number.
  2. On the Collect Personal Information form, in the Taxpayer Identification Number (TIN) field, enter 111-22-2222.
    Note: In the United States, the Social Security Administration issues the Taxpayer Identification Number, more commonly referred to as a Social Security Number (SSN). The SSN is a nine-digit number entered in the form NNN-NN-NNNN.
  3. Complete all remaining required fields
  4. Click Submit to submit the Collect Personal Information form.
  5. Advance the case to the Conduct Phone Screen form.
  6. Confirm that the Taxpayer Identification Number (TIN) field displays nine asterisks. 
    conduct-ph-screen-TIN-masked
  7. Log out of Dev Studio.
  8. Log in as the Recruiter@TGB user with password rules.
  9. On the Dashboard tab of the User portal open the case you noted in step 7 and advance the case to the Conduct Phone Screen form.
    Tip: Add the Worklist widget to the Dashboard to display work from the Recruiter work queue.
  10. Confirm that the Taxpayer Identification Number (TIN) field displays the full number, 111-22-2222, without a mask.
    conduct-ph-screen-TIN-unmasked


Available in the following mission:

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice