
Creating an access control policy


Note: The following content, referenced from Pega Community, is included here to help you better achieve the module learning objectives.

In the access control policy rule form, you define a policy that grants access to an object by evaluating selected conditions. For each rule, you can set one level of access, such as read, update, or delete, and the condition that defines whether the access is granted.

Before you begin:
  • You must have the pzCanManageSecurityPolicies privilege, which is included in the PegaRULES:SecurityAdministrator role.
Note: Access control policies take effect only when the rule is checked in; changes in a checked-out rule are ignored. When you change an ABAC policy rule, check out the rule, make your changes, save them, and then check the rule in for the changes to take effect.
Note: You can create access control policies only for Work-, Data-, and Assign- classes.
  1. In the navigation panel, click Records > Security > Access Control Policy, and then click Create.

  2. In the Label field, enter the policy name.

  3. In the Action list, click the action.

    • Read – The user can open a case that meets the policy conditions or view data for the case in lists, reports, searches, and so on.
    • Update – The user can create a case that meets the policy conditions or update data for such a case.
    • Discover – The user can see limited information (defined by a developer) about a case that does not meet Read policy conditions, but does satisfy the Discover policy conditions.
    • Delete – The user can delete a case that meets the policy conditions.
    • PropertyRead – The user has restricted visibility to property values, including property values with read and update access.
    • PropertyEncrypt – The property is encrypted in the database, clipboard, logs, and search indexes. If no PropertyRead policy obfuscates the property, then the decrypted property value is visible to the user in a UI control. In report definitions, the property can be displayed in report results and can also be referenced on the left side of filter conditions that use the Is equal and Is not equal operators. It cannot otherwise be referenced in report definitions (for example, to sort, rank, or group results in SQL functions, and so forth).
      Note:
      • Properties specified in a PropertyEncrypt policy are encrypted unconditionally. Access control policy conditions are not used for PropertyEncrypt. Define PropertyRead policies to obfuscate or mask these values depending on who is viewing them. To get the cleartext value outside of UI controls (for example, in the background processing of cases), use the @decryptPW function.
      • You can define PropertyEncrypt access control policies for properties that are optimized for reporting only if the property type is equal to Text. To define a report filter for an encrypted property that is not Text, convert the values to text and store them in a Text property that is encrypted and optimized.
      • When you want to configure property encryption for embedded properties, you need to specify a PropertyEncrypt policy at both the class level and the property level for the embedded page properties. For example, for the property PageProp1.PageProp2.Property1 you need to define a PropertyEncrypt policy on the PageProp1 class and on the Property1 class.
      • When you create a property encrypt policy, you need to configure an encryption mechanism in order to encrypt your data. You can do this using a custom cipher or a key management system. For more information see:
      Note: If you define a PropertyEncrypt policy for a property, make the column size greater than the number of characters of your longest cleartext value to avoid truncation of the exposed values. The required size of a PropertyEncrypt property depends on your cipher. In most cases, for 64 characters of cleartext, 255 characters are adequate for the encrypted value.
  4. In the Context section in the Apply to field, enter a class.

  5. In the Add to ruleset field, select a ruleset.

  6. Click Create and open.

  7. Optional: To prevent overriding the policy in a descendant class, on the Definition tab, select the Disallow creation of a policy with the same name as a descendant class check box.

  8. If the action is not PropertyEncrypt, in the Permit access if field, enter the access control policy condition rule name.

  9. If the action is PropertyRead or PropertyEncrypt, complete the following steps:

    • Click Add property and select a property name that exists on the case type target.
    • If the action is PropertyRead, specify the masking method (Full Mask, Mask all but last 'N', or Mask all but first 'N').
  10. Click Save.
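The following is an added illustration, not code from Pega or from this page: a minimal model of how the Read, Discover and PropertyRead actions in step 3 combine into row-level and column-level filtering of a case list. The case fields, operator attributes, policy conditions and the '*' mask character are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

Case = Dict[str, Any]
Condition = Callable[[Case, Dict[str, Any]], bool]   # (case, operator) -> permit?

def mask(value: Any, method: str, n: int = 0) -> str:
    """Apply one of the PropertyRead masking methods from step 9 ('*' is an assumed mask char)."""
    s = str(value)
    keep = min(max(n, 0), len(s))
    if method == "Full Mask":
        return "*" * len(s)
    if method == "Mask all but last 'N'":
        return "*" * (len(s) - keep) + s[len(s) - keep:]
    if method == "Mask all but first 'N'":
        return s[:keep] + "*" * (len(s) - keep)
    raise ValueError(f"unknown masking method: {method}")

@dataclass
class Policies:
    read: Condition                       # Read action: the condition rule from step 8
    discover: Condition                   # Discover action: its own condition rule
    property_read: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # column-level
    discover_fields: Tuple[str, ...] = ("CaseID",)  # the "limited information" shown on Discover

def view_case(case: Case, operator: Dict[str, Any], p: Policies) -> Optional[Case]:
    """Row-level decision first (Read, then Discover), then column-level masking."""
    if p.read(case, operator):
        return {k: mask(v, *p.property_read[k]) if k in p.property_read else v
                for k, v in case.items()}
    if p.discover(case, operator):
        return {k: case[k] for k in p.discover_fields if k in case}
    return None  # neither policy permits: the case is absent from lists and searches

def list_cases(cases: List[Case], operator: Dict[str, Any], p: Policies) -> List[Case]:
    return [v for v in (view_case(c, operator, p) for c in cases) if v is not None]

# Constructed sample data (hypothetical cases, operator and conditions).
CASES = [
    {"CaseID": "C-1", "Region": "EMEA", "Status": "Open", "SSN": "123456789"},
    {"CaseID": "C-2", "Region": "APAC", "Status": "Open", "SSN": "987654321"},
    {"CaseID": "C-3", "Region": "APAC", "Status": "Closed", "SSN": "555000111"},
]
OPERATOR = {"Region": "EMEA"}
POLICIES = Policies(
    read=lambda case, op: case["Region"] == op["Region"],   # row-level: own region only
    discover=lambda case, op: case["Status"] == "Open",     # open cases are discoverable
    property_read={"SSN": ("Mask all but last 'N'", 4)},    # column-level: show last 4 only
)
```

Running `list_cases(CASES, OPERATOR, POLICIES)` returns the EMEA case with its SSN masked, only the CaseID of the open APAC case, and nothing for the closed APAC case.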

  • Attribute-based access control

    You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application.

  • Masking property visibility for users

    You can restrict access to values of one or more properties by using a property-level access control policy. By using various masking options in the access control policy, you can display partial information about a value to users who are not allowed to see the full value.

  • Access Control Policy rule

    You use access control policies to restrict user actions. In the Access Control Policy form, you define a policy that grants access to an object by evaluating the conditions that you specify. You can set one of four levels of access: read, update, discover, or delete.
