Attribute-based access control (ABAC) security model
Attribute-based access control (ABAC) is used to control access to an object (case, report, property) by comparing characteristics of the object to attributes of the operator requesting access to the object. The access control policies determine whether specific users can access the objects, doing so independently of an access group role, and may leverage the inheritance functionality of Pega Platform™. For example, you can assign the attribute Customer to a case to decide whether a user has permission to delete a case based on whether or not the Customer is on a list of customer names for which the user is responsible.
Restrictions that broadly limit users by their membership in access group roles are configured through role-based access control (RBAC). In contrast, ABAC affords more granular control over row-level and column-level security based on defined user attributes. ABAC supplements and extends the security capabilities of RBAC. Use cases that are more suited to an ABAC approach include those that redact information from users without an appropriate clearance level or allow users to perform actions only if they are assigned to a particular department. The following table illustrates using the Clearance Level attribute to control task access:
User Role | Clearance Level | Read Reports | Submit Reports | Redact Reports
To configure attribute-based access control in your application, first, determine the attributes used for access control purposes. Then, define the access control policy condition that compares the object's attribute values to the user's. Finally, define the access control policy to specify the action that is controlled by the evaluation of the condition logic.
Access control policy conditions
Restrictions in ABAC are enforced through access control policies that specify the type of allowed access. For each policy, one or more access control policy conditions determine whether or not to grant access.
After you configure the attributes that you intend to use, configure the Access Control Policy Condition rule form (Rule-Access-PolicyCondition). In an Access Control Policy Condition rule form, you define a set of filters and add logic that combines conditions for the access control policy. The rule form describes conditions under which the access type is granted to the protected object. If the conditions in the Access Control Policy Condition rule form are met, the user can perform the actions that are defined in the access control policy. For example, conditions defined on an Access Control Policy Condition rule form can ensure that only the manager for a specific team of support agents can approve service credits processed by members of that team.
In the Access Control Policy Condition rule form, you can enter multiple sets of conditions with filter logic values. Each filter logic specification is associated with an Access When rule. Each set of filters compares a case attribute (property value) to any clipboard property value at runtime that you want. This comparison value typically represents information about the user attempting to access the protected object.
Access control policies
After you configure the Access Control Policy Condition rule form, configure an Access Control Policy rule form (Rule-Access-Policy). In the policy form, you choose from one of the following actions that limit what the user is allowed to do when accessing an object:
You can define access control policies for only the Assign-, Data-, Index-, and Work- classes in the Pega Platform database, and access control policies can inherit from multiple classes. The policy conditions combine from all relevant policies and allow access only when all policy conditions are satisfied. Unlike RBAC, ABAC policies leverage the inheritance functionality built into Pega Platform.
Even when an ABAC policy grants access, RBAC still applies and must also grant access before the user can perform the action.
Assignment of attributes
To configure attribute-based access control in your application, define the user and object attributes that you use. You can define user attributes in various ways. For example, if you use an external identity provider (IdP) to authenticate users, you can store the attributes with the user information in the IdP. You then map those attributes into the Pega Platform application, onto the user's operator record or a requestor-level data page. Optionally, add an attribute to an object by storing the attribute value in a property of the object's class.
You can use three data types to represent an attribute: a single string value, a list of string values, and a numerical value.
Single string value
You can use string type properties to define specific attributes that must match before granting access to a user. In the following example, access is granted to the user who has a Security Clearance of Top Secret:
Operator.SecurityClearance = "Top Secret"
List of string values
You can evaluate a comma-separated list of string values using the special comparison operators All of and One of. For example, if security policies require a Security Clearance level of Top Secret or Secret, the One of operator grants access to users with either attribute. The All of operator evaluates all attributes in the list of string values and grants access only if all attributes are present.
Numerical value
You can represent attributes as a numerical data type. Attribute values must be mapped to a top-level numeric property on both the object (case) and the subject (operator). This is helpful if security specifications require an access hierarchy. For example, using the Top Secret, Secret, and Unclassified attributes, you can create the following numerical mapping:
Attribute Name | Numeric property
You can then use a single condition with a numerical comparison to determine the access level:
Operator.SecurityClearance >= .SecurityClearance
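As an added illustration (not Pega Platform code or rules), the following Python sketch shows how the three attribute comparisons above (equality, One of / All of over a comma-separated list, and the numeric >= hierarchy) behave, and how conditions from policies inherited along a class chain combine with RBAC. The class names, property names, comma-separated list format and AND filter logic are assumptions.

```python
from dataclasses import dataclass

# Constructed clearance hierarchy, mirroring the numeric mapping described above.
CLEARANCE_RANK = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}

def _as_set(value):
    """Treat a comma-separated string as a set of attribute values (assumed format)."""
    return {s.strip() for s in str(value).split(",") if s.strip()}

@dataclass(frozen=True)
class Condition:
    """One filter row, read as: Operator.<user_prop> <op> .<case_prop>."""
    user_prop: str
    op: str          # "=", ">=", "one of", "all of"
    case_prop: str

    def holds(self, user, case):
        lhs, rhs = user.get(self.user_prop), case.get(self.case_prop)
        if lhs is None or rhs is None:
            return False                                   # a missing attribute never grants access
        if self.op == "=":
            return lhs == rhs
        if self.op == ">=":                                # numeric hierarchy: user rank >= case rank
            return float(lhs) >= float(rhs)
        if self.op == "one of":                            # user holds at least one listed value
            return bool(_as_set(lhs) & _as_set(rhs))
        if self.op == "all of":                            # user holds every listed value
            return _as_set(rhs) <= _as_set(lhs)
        raise ValueError(f"unsupported operator {self.op!r}")

@dataclass(frozen=True)
class Policy:
    applies_to: str       # class the policy is defined on, e.g. "Work-" (hypothetical)
    action: str           # e.g. "Read", "Delete"
    conditions: tuple     # filter logic assumed to be AND across rows

def abac_allows(policies, action, class_chain, user, case):
    """Combine every policy inherited along class_chain; all conditions must hold.
    With no relevant policy, ABAC imposes no restriction of its own."""
    relevant = [p for p in policies if p.action == action and p.applies_to in class_chain]
    return all(c.holds(user, case) for p in relevant for c in p.conditions)

def access_granted(rbac_allows, policies, action, class_chain, user, case):
    """RBAC is evaluated separately and must also grant access."""
    return rbac_allows and abac_allows(policies, action, class_chain, user, case)

# Constructed policies (hypothetical class and property names, not from any real application).
POLICIES = (
    Policy("Work-", "Read", (Condition("SecurityClearance", ">=", "SecurityClearance"),)),
    Policy("MyCo-Work-Claim", "Delete", (Condition("CustomerList", "one of", "Customer"),)),
)
```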