Skip to main content

Configuring attribute-based access control

Configuring attribute-based access control

Attribute-based access control allows you to control access to an object (case, report, property) by adding attribute values to objects, and configuring the access control policies. The access control policies determine whether specific users can access the objects. You can use one attribute to allow different actions in different objects. For example, you can assign the attribute Customer to a case to decide whether a user has permission to delete a case.

To configure attribute-based access control in your application, first determine the attributes used for access control purposes. Then, define the access control policy condition that compares the object's attribute values to the user's. Finally, define the access control policy to specify the action that is controlled by the evaluation of the condition logic.

Attributes

To configure the attribute-based access control in your application, start with defining the user and object attributes that you use.

You can define user attributes in various ways. For example, if you use an external directory, you can assign the attributes to users in the directory. You then map those attributes to the Pega application into the user's operator record or a requestor level data page.

Defining an attribute for an object is easier — you add the attribute value into a property field of the object's class.

You can use three data types to represent an attribute: a single string value, a list of string values, and a numerical value. Also, hierarchical attributes represent a specified order of values. You can use either string type properties or numerical data types to define hierarchical attributes.

  • When you use string type properties, you define a set of conditions to determine the hierarchy. In this example, you use three text values: Top Secret, Secret, and Unclassified, and a set of conditions:
    • A: Operator.SecurityClearance = “Top Secret”
    • B: Operator.SecurityClearance = “Secret”
    • C: Operator.SecurityClearance = “Unclassified”
    • D: .SecurityClearance = “Top Secret”
    • E: .SecurityClearance = “Secret”
    • F: .SecurityClearance = “Unclassified”

    Then combine the properties with the following logic:

    A or (B and (E or F) or (C and F))

  • The attributes are represented as a numerical data type. The attribute values must be mapped to a top-level numeric property on both the object (case) and the subject (operator). For example, using the Top Secret, Secret, and Unclassified attributes, you can create the following mapping and condition:

    Top Secret=1

    Secret=2

    Unclassified=3

Use a single condition with a numerical comparison to determine the access level:

Operator.SecurityClearance >= .SecurityClearance

Access Control Policy Condition

After you configure attributes that you are going to use, configure the Access Control Policy Condition rule form. In an Access Control Policy Condition rule form, you define a set of filters. You add logic to the filters that combines the conditions, for the access control policy. This means that the user can do one of the actions defined in the access control policy if the conditions in the access control policy condition rule are met.

In the policy, you can enter multiple sets of conditions with filter logic values. Each filter logic specification is associated with a when rule.

For more information on how to configure an access control policy condition, see the Help topic Creating an access control policy condition.

Access Control Policy

After you configure the Access Control Policy Condition rule form, configure an Access Control Policy rule form. In the policy form you choose from one of the following actions that limit what the user is allowed to do when accessing an object:

  • Read
  • Update
  • Discover
  • Delete
  • PropertyRead
  • PropertyEncrypt

For more information on how to configure an access control policy, see the Help topic Creating an access control policy.

For more information on attribute-based access control, see the Help topic Attribute-based access control.

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice