
Creating an access control policy condition


Note: The following content, referenced from Pega Community, is included here to help you better achieve the module learning objectives.

You can define a set of conditions and comparison logic to be evaluated to grant access to an object.

Before you begin:
  • You must have the pzCanManageSecurityPolicies privilege, which is included in the PegaRULES:SecurityAdministrator role.
  1. In the navigation panel, click Records > Security > Access Control Policy Condition, and then click Create.

  2. In the Label field, enter the policy condition name.

  3. In the Context section, in the Apply to (class) field, press the Down Arrow key and select the rule to which the policy condition applies.

  4. In the Add to ruleset field, select a ruleset.

  5. Click Create and open.

  6. Optional:

    Click Add conditional logic to configure a filter logic string for the condition.

    1. On the Definition tab, in the Conditional logic section, click Add conditional logic as needed to support situations where different logic needs to be applied.

    2. In the WHEN field, enter an Access When rule that evaluates whether the conditional logic should be used.

    3. In the second field, enter a filter logic string that is applied when the Access When rule evaluates to true. When the set of filters to be applied in an Access Control Policy Condition rule is determined conditionally by using Access When rules, leave the filter logic entry blank if you want to enforce no policy condition at all, for example, for certain highly privileged users.

    4. In the OTHERWISE field, enter the filter logic string that is used when all the when rules evaluate to false.

  7. On the Definition tab, in the Policy Conditions section, in the Condition field, enter a condition name.

  8. In the Column source field, press the Down Arrow key and select a property from the Apply To class from the list.

  9. In the Relationship list, click the comparison logic appropriate for the evaluated attribute type.

    For Numeric attributes:
    • Is equal – The Apply To property value and comparison value are equal.
    • Is not equal – The Apply To property value and comparison value are not equal.
    • Is greater than – The Apply To property value is greater than the comparison value.
    • Is greater than or equal to – The Apply To property value is greater than or equal to the comparison value.
    • Is less than – The Apply To property value is less than the comparison value.
    • Is less than or equal to – The Apply To property value is less than or equal to the comparison value.
    For String attributes:
    • Is equal – The Apply To property value and comparison value(s) are equal. The comparison value can be a single value or a comma-delimited list.
    • Is not equal – The Apply To property value and comparison value are not equal.
    • All of – Both the Apply To property value and the comparison value are strings that consist of a comma-delimited list. There should be no spaces within the string (except for spaces within a value), and all elements in the list must be capitalized, for example: “BRAZIL,CANADA,FRANCE,GERMANY,SOUTH AFRICA,UK,USA”. The condition is satisfied if every element of the list within the Apply To property value is also an element in the list within the comparison value.
    • One of – Both the Apply To property value and the comparison value are strings that consist of a comma-delimited list. There should be no spaces within the string (except for spaces within a value), and all elements in the list must be capitalized, for example: “BRAZIL,CANADA,FRANCE,GERMANY,SOUTH AFRICA,UK,USA”. The condition is satisfied if at least one element of the list within the Apply To property value is also an element in the list within the comparison value.
    For all attributes:
    • Is null – The Apply To property value is null.
    • Is not null – The Apply To property value is not null.

    Note:
    • If you select Is null or Is not null in the Relationship field, the Treat Empty As Null check box is automatically selected. When Treat Empty As Null is selected, empty values are also treated as null.
    • If you select Is null or Is not null in the Relationship field, the Value field is not active.
  10. In the Value field, enter the comparison value or values that you want the condition to check.

  11. Optional:

    To define additional conditions, click Add Condition and repeat steps 7 through 10.

  12. Optional:

    When you define multiple conditions, they are combined by using the AND operator by default. You can specify more complex Boolean operations in the Conditional Logic field.

  13. Click Save.
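As an added example (not Pega Platform code), the following Python models the Relationship comparisons from step 9, including the comma-delimited list format for One of / All of, Is equal against a list, and the Treat Empty As Null behaviour; the country values are constructed.

```python
# Added example, not Pega Platform code: a model of how the Relationship comparisons
# in a policy condition decide whether a property value satisfies the condition.
from typing import Optional

NUMERIC = {
    "Is equal": lambda a, b: a == b,
    "Is not equal": lambda a, b: a != b,
    "Is greater than": lambda a, b: a > b,
    "Is greater than or equal to": lambda a, b: a >= b,
    "Is less than": lambda a, b: a < b,
    "Is less than or equal to": lambda a, b: a <= b,
}

# Constructed sample: a case's Countries property and an operator's clearance list
CASE_COUNTRIES = "CANADA,SOUTH AFRICA"
OPERATOR_CLEARANCE = "BRAZIL,CANADA,FRANCE,GERMANY,SOUTH AFRICA,UK,USA"

def split_list(value: str) -> list:
    # Comma-delimited list as the page describes it: no spaces around the commas
    # (spaces only inside a value) and every element in capitals; case-sensitive.
    return [v for v in value.split(",") if v != ""]

def well_formed_list(value: str) -> bool:
    # Check a list against that format before storing it on a case or operator.
    return all(v != "" and v == v.strip() and v == v.upper() for v in value.split(","))

def evaluate(relationship: str, prop_value: Optional[str], comparison: str = "",
             numeric: bool = False, treat_empty_as_null: bool = False) -> bool:
    """Return True when the condition is satisfied for this property value."""
    is_null = prop_value is None or (treat_empty_as_null and prop_value == "")
    if relationship == "Is null":
        return is_null
    if relationship == "Is not null":
        return not is_null
    if is_null:
        return False  # a null attribute never satisfies a value comparison
    if numeric:
        return NUMERIC[relationship](float(prop_value), float(comparison))
    if relationship == "Is equal":
        return prop_value in split_list(comparison)  # single value or list
    if relationship == "Is not equal":
        return prop_value != comparison
    prop_set, cmp_set = set(split_list(prop_value)), set(split_list(comparison))
    if relationship == "All of":
        return prop_set <= cmp_set  # every element of the property list is allowed
    if relationship == "One of":
        return bool(prop_set & cmp_set)  # at least one element in common
    raise ValueError(f"unknown relationship: {relationship}")

print(evaluate("All of", CASE_COUNTRIES, OPERATOR_CLEARANCE))
```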

  • Access Control Policy Condition rule

    An Access Control Policy Condition rule defines a set of filters, and the filter logic combining them, for an access control policy. It describes the conditions under which the access type is granted to a property.

  • Attribute-based access control

    You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application, restricting access to cases and properties.

  • Using security attributes markings

    Attributes are unique security markings, which are assigned to objects and operators. Each attribute has a value associated with it, which means that a user must possess an attribute value to access an object.

  • Storing of operator security attributes

    For the system of record, security attributes can be stored and maintained internally or externally to Pega Platform. You can access the operator security attributes that are used in policy conditions in several ways.

  • Using One Of and All Of conditions

    The One Of condition and the All Of condition specify how to compare the multivalue attributes between the user and the object that the user requests, in order to determine whether to grant access. You can create attributes on cases to determine who is authorized to access the case.

  • Managing access control policy condition performance

    When you define an access control policy condition, use the relationship that gives the best performance for your data profile.

  • Managing hierarchical attributes

    An attribute with a specified order of values (hierarchy) is the main attribute type that defines the access level, by being assigned to objects and operators. The value of this attribute can be internally represented by an integer. A simple numeric comparison is made to determine if the subject has access to the object.
