Featured post

GetNextWork functionality in pega

What is GetNextWork in pega? Pega provided a functionality to get the most urgent assignment(task) for user to work on. This is configured o...

Attribute based access control in Pega (ABAC)


As we all know,securing our application and data is very important in real time. We can provide the  security to our application and data by defining some policies,conditions and controlling app features and user actions.
Pega defines some access control rules to define and secure our application.
Access roles, Access Role to object, Access deny, Privilege these are all to grant or deny access to an application to the user. Pega has two mechanisms ABAC and RBAC.

Role based access control vs Attribute based access control in pega

RBAC: Role based access control
We use RBAC to control user's role to access some UI elements or to perform only some actions on the UI elements. UI elements means sections harness flow actions.
For example: An assignment has 3 flow actions and we want to restrict one flow action to one or certain users, we use privileges in security tab of flow action rule.
We will configure RBAC by defining authorization and privilege rules.
RBAC uses three main rules:
  1. Access Roles (Rule- Access-Rolename)
  2. Access Role to object(Rule-Access-Role-Object) (ARO)
  3. Access Deny rules(Rule-Access-Deny-Obj)
Role + Class = ARO/Access Deny
RBAC enforces security based on user roles defined in access group.

Attribute based access control in pega

To restrict specific instance of a particular class or property to user we can use ABAC.
For example: In my application  want to restrict SSN number to particular user.Means i don't want to display my SSN number value to particular user or set of users (groups).
ABAC rules:
  1. Access Control Policies (Rule-Access-Policy)
  2. Access Control Policy Conditions (Rule-Access-PolicyCondition)
ABAC enforces explicit security through access control policy and conditions.

Pega defined some characteristics to ABAC access control polices:
1.Class limitations
We can define access control policies only for certain classes in pega rules data base.
Assign- , Data- and Work-
Access control policies uses Pega inheritance functionality.
3. AND conditions
We can combine multiple access policies to grant access. If we have both ABAC and RBAC is defined and combined, when ABAC policy grants access,RBAC must also grants access.
4.Control enforcement
We can use access control policies to enforce not only on UI elements but other areas.
    a. All Reporting rules (list view, summary view and report definition
            If we want to show/hide one property in the report to a particular user, we can do that.
  b. Search - we can restrict users not to search particular instance.
  c. Custom SQL written statements. 
How to configure ABAC in Pega?
To setup ABAC in application we need to determine three things.
1. Identify Attributes (ex: Properties)
2. Define Access Control Policy Conditions Condition (Rule-Access-PolicyCondition)
3. Define Access Control Policy (Rule-Access-Policy)

Attribute based access control examples

 I want to restrict sensitive information to particular users. In my Assistance Request application for car services user will enter SSN (Social Security Number- XXX-XX-XXXX) and pega will format that to XXX-XX-XXXX. I want to restrict (mask) this information to other user groups except Billing department.If the user is belongs to billing department then SSN will be shown fully otherwise pega will mask the SSN field.

Attribute based access control implementation.

1. Attributes - We have identified the SSN attribute.
2. Define access control policy conditions.
  From the Create menu, select Security > Access Control Policy Condition to open the Create Access Control Policy Condition form.
pega attribute based access control implementation

First we need to create Access When rule "IsBilling" then we use this access when in PolicyCondiiton rule and PolicyCondition rule in AccessPolicy rule.
Access When rule:
access when rule in pega
Access Policy Condition rule:
Create Access Policy Condition rule to define the conditions under which to avoid masking the SSN field. If the Operator ID is related to billing we are not masking the SSN field and when first user enters the SSN value we are not masking. In all other situations will mask the SSN field.
access policy condition rule in pega
First, Access When rule(IsBilling) will be evaluated if it is true then Policy Condition (A) will be applied. If Access When (IsBilling) returns false then Policy Condition (B) will be applied.
access control policy condition rule in pega

3. Access Control Policy:
Create Access Control Policy rule and refer Policy Condition rule and select masking settings for SSN property.
access control policy rule in pega
    • Read – The user can open a case that meets the policy conditions or view data for the case in lists, reports, searches, and so on.
    • Update – The user can create a case that meets the policy conditions or update data for such a case.
    • Discover – The user can see limited information (defined by a developer) about a case that does not meet Read policy conditions, but does satisfy the Discover policy conditions.
    • Delete – The user can delete a case that meets the policy conditions.
    • PropertyRead – The user has restricted visibility to property values, including property values with read and update access.
          .  PropertyEncrypt – The property is encrypted in the database, clipboard, logs, and search indexes.
access control policy rule in pega
From the above screen we can see three options to mask SSN. Full, first N or Lat N characters/letters. Lets Create a case and test it.
case creation in pega

User enters SSN and submits the case till Service stage. In Service stage case is routed to manager who is having different access group (GoGoRoad:Managers). When manager opens case from his work list SSN should be masked.
case life cycle in pega

Login with manager and open the case from work list and see the ssn field.
attribute based access control examples

Once Manager submits the case main case will be resolved and new child case (billing) will be created and routed to Billing department.If we open the case from Billing user work list SSN value should me visible.
SSN masking in pega


  1. Thanks for the detail. Explaination.I tried and its working like a charm,But this only works for UI (Display purpose) ,in backend values can be seen through DB or Clipboard. but property encript gives this option to encript values from backend as well.Kindly share property encript access policy implementation steps to encript property values thoroughly.

  2. Thank you Akhter. If the values are displaying clipboard means you are seeing as developer. Will post on Property encryption as well.

  3. very helpful and good explanation

    1. Thank you, hope you will like other posts as well.

  4. Sir, I red the RBAC & ABAC in PDN but it is very difficult to understand and had so many questions since then. But you explained it in such a way anybody can easily understand. Thank you soooooo much sir.

    1. Thanks Praveen, hope you will like posts as well. Please share. Sharing is Learning.