Skip to main content

Role-based access control (RBAC)

Application and data security are major concerns due to the risk of data breaches that lead to customer loss and legal or financial penalties. You can satisfy common security requirements by controlling user access to application features and functions.

Note: Securing access to features occurs during each feature development and not towards the end of the development cycle.

The role-based access control model

Consider a Process for employee review that includes an Assignment to authorize a raise for an employee. The Assignment is routed to a common Work Queue that is accessible by all members of the Human Resources (HR) department. Stakeholders want to keep employee compensation information, such as raises, private. Only members of the HR department may have access to compensation data. By granting authorization to specific members of the HR department, you can reduce the chance of unauthorized access to personal identifying information (PII).

To satisfy the requirement to restrict access to PII, you can implement role-based access control (RBAC). RBAC is an access-control model that organizes users into roles and assigns permissions to each role as appropriate. With RBAC, you can create a role for HR members who are authorized to access compensation information and grant that role permission to authorize employee raises. Users in other roles that are not granted permission are prohibited from authorizing raises.

Authentication versus authorization

The Pega Platform™ implementation of role-based access control is based on two factors: authentication and authorization.

  • Authentication confirms the identity of the user by validating login credentials such as the user name and password. In Pega Platform, the operator ID record contains information needed to authenticate a user.
  • Authorization determines the applications that the users can access, including Actions that the user can perform and information that the user can view. In Pega Platform, the Access Group record lists any authorized applications and roles assigned to members of the Access Group.

When a user signs in, Pega Platform™ identifies the default Access Group for the user and opens the corresponding application in the specified Portal. A user can belong to multiple Access Groups, but only one Access Group is active at a time.

Note:  The following example describes the out-of-the-box (OOTB) authentication. However, SSO authentication is the most typical implementation. For more information, see Single sign-on (SSO).

In the following image, click the + icons to explore how Pega Platform uses authentication and authorization to identify the correct application and Portal to open when users sign in:

Role-based access control record types

The RBAC model provides several types of records that are used to configure behavior satisfying access control needs.

  • Access Group – Identifies the application, default Portal, and assigned Access Roles for a group of users
  • Role – Maintains a list of all access records associated with a role
  • Access Deny – Restricts users access under certain conditions
  • Access of Role to Object (ARO) – Specifies permissions that are granted to a role and access class
  • Class – Defines collections of objects that are available to other classes or to instances of the class
  • Privilege – Associates an Access Role with a Rule that needs to be secured
  • Rule – Defines the behavior of an application by serving as the building block

In the following image, click the + icons to learn more about each type of access control record: 

Check your knowledge with the following interaction:

This Topic is available in the following Module:

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

100% found this content useful

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice