Securing an application using attribute-based access control
4 Tasks
30 mins
Scenario
Each candidate case includes a Taxpayer Identification Number (TIN) to identify the candidate. This information is considered sensitive personal information. The Human Resources (HR) department is required to prevent unauthorized access to sensitive personal information. To satisfy this requirement, unless the user is a member of either the HR or Recruiting organization units, the HR department wants to mask the TIN. However, the field must be editable on the first step of the case life cycle so that users can enter their TIN on the form.
Create an access control policy condition for the Candidate case type. Configure the condition to perform the following tests.
- Create an Access When record to test if the user is a member of either the Recruiting or HR org units. Then apply the Access When record to the access control policy condition.
- Create a policy condition to test whether the property pxCreateOperator is not null when the user is a member of either the Recruiting or HR org units.
- Create a policy condition to test whether the property pxCreateOperator is null when the user is not a member of either the Recruiting or HR org units.
Create an access control policy for the Candidate case type. Configure the policy to mask all numbers of the TIN property if the access control policy condition is true.
Update the Collect Candidate Details process to set a value of the property pxCreateOperator once the user completes the Collect Personal Information assignment. To do this, copy the value of pxCreateOperator from pyWorkPage.
The following table provides the credentials you need to complete the challenge:
Role | User name | Password |
---|---|---|
System Architect | SSA@TGB | pega123! |
End user | Recruiter@TGB | pega123! |
Note: Your practice environment may support the completion of multiple challenges. As a result, the configuration shown in the challenge walkthrough may not match your environment exactly.
Challenge Walkthrough
Detailed Tasks
1 Create the Access When record
Note: Access control policy conditions can only test against clipboard data. The policy condition must test the org unit of the operator against two constant strings, "HR" and "Recruiting," to satisfy the requirement. Configure an Access When record to test a constant such as "HR" or "Recruiting."
- In the Pega instance for the challenge, enter the following credentials:
- In the User name field, enter SSA@TGB.
- In the Password field, enter pega123!.
- In Dev Studio, from the Create menu, select Security > Access When to open the Create Access When form.
- In the Label field, enter Is HR Or Recruiting to name the Access When record.
- In the Apply to field, enter TGB-HRApps-Data-Candidate.
- On the Create Access When form, click Create and open to create the Access When record.
- On the Access When record, double-click the text [Double click to add condition] to open the Condition dialog.
-
In the Condition dialog, enter the condition OperatorID.pyOrgUnit = “HR””.
- Click Submit to return to the Access When record.
- Select the OperatorID.pyOrgUnit= “HR” condition and click Actions > Insert Condition to open the Condition dialog to create a second condition.
- In the Condition dialog, enter the condition OperatorID.pyOrgUnit = “Recruiting”.
- Click Submit to return to the Access When record.
- To the left of the OperatorID.pyOrgUnit= “Recruiting” condition, click AND and select OR to change the condition and return a result of true if the org unit is either HR or Recruiting.
- Save your changes.
2 Create the access control policy condition record
- From the Create menu, select Security > Access Control Policy Condition to open the Create Access Control Policy Condition form.
- On the Create Access Control Policy Condition form, in the Label field, enter HR or Recruiting.
- In the Apply to field, enter TGB-HRApps-Data-Candidate to create the policy condition in the same class as the Tax Identification Number property.
- Click Create and open and use the following image or table to define the Access Control Policy Conditions and logic.
Conditional logic Column Source Relationship Treat Empty As Null Condition A When: IsHROrRecruiting .pxCreateOperator is not null Selected Condition B Otherwise .pxCreateOperator is null Selected - Click the Pages & Classes tab.
- In the Page name field, enter OperatorID.
- In the Class field, enter or select Data-Admin-Operator-ID.
- Click Save to complete the configuration of the access control policy condition.
Note: If multiple operator security attributes need to be evaluated from multiple sources, consider creating a data type and data page to aggregate these values onto a single page.
3 Create the access control policy record
- Create a new Access Control Policy.
- On the Create Access Control Policy form, in the Label field, enter Restrict TIN.
- From the Action drop-down list, select PropertyRead to apply the policy condition when reading a property value.
- In the Apply to field, enter TGB-HRApps-Data-Candidate to create the policy in the same class as the Tax Identification Number property.
- Create and open the Access Control Policy record.
- On the Access Control Policy record, in the Permit access if field, enter or select HROrRecruiting to apply the HR or Recruiting access control policy condition.
- Click Add Property.
- In the Property field, enter or select .TIN to apply the policy to the TIN field.
- Apply a full mask to mask all the digits of the TIN.
- Click the Gear icon to open the Masking and Formatting Options dialog.
- In the Masking and Formatting Options dialog, complete all fields as shown in the following image or table.
Field Value Restriction Method Full Mask Masking character * Display length is fixed Selected Display characters length 9 - Click Submit to close the Masking and Formatting Options dialog and return to the access control policy record.
- Save your changes to the access control policy.
4 Update the Collect Candidate Details process to set the value of .pxCreateOperator for the policy condition
- In Dev Studio, from the App Explorer, click Candidate > Process > Flow > CollectCandidateDetails_0 to open the Collect Candidate Details_0 process.
- In the Collect Candidate Details flow, double-click the Collect Personal Details connector to open the Connector properties dialog.
- In the Set Properties section, in the Name field, enter or select .Candidate.pxCreateOperator to set the value of the pxCreateOperator property on the Candidate page.
- In the Value field, enter or select .pxCreateOperator to copy the value of the pxCreateOperator property on pyWorkPage.
- Click Submit to return to the Collect Candidate Details process.
- Save your changes.
Confirm your work
- Create a new Candidate case. Note the case number.
- On the Collect Personal Information form, in the Taxpayer Identification Number (TIN) field, enter 111-22-2222.
Note: In the United States, the Social Security Administration issues the Taxpayer Identification Number, more commonly referred to as a Social Security Number (SSN). The SSN is a nine-digit number entered in the form NNN-NN-NNNN.
- Complete all remaining required fields
- Click Submit to submit the Collect Personal Information form.
- Advance the case to the Conduct Phone Screen form.
- Confirm that the Taxpayer Identification Number (TIN) field displays nine asterisks.
- Log out of the Pega instance for the challenge.
- In the Pega instance for the challenge, enter the following credentials:
- In the User name field, enter Recruiter@TGB.
- In the Password field, enter pega123!.
- On the Dashboard tab of the User portal open the case you noted in step 7 and advance the case to the Conduct Phone Screen form.
Tip: Add the Worklist widget to the Dashboard to display work from the Recruiter work queue.
- Confirm that the Taxpayer Identification Number (TIN) field displays the full number, 111-22-2222, without a mask.
This Challenge is to practice what you learned in the following Module:
Available in the following mission:
If you are having problems with your training, please review the Pega Academy Support FAQs.
Want to help us improve this content?