Masking property visibility for users

You can restrict access to values of one or more properties by using a property-level access control policy. By using various masking options in the access control policy, you can display partial information about a value to users who are not allowed to see the full value.

Before you begin: 
  • You must configure your system to support attribute-based access control (ABAC). For more information, see Enabling attribute-based access control.
  • You must have the pzCanManageSecurityPolicies privilege, which is included in the PegaRULES:SecurityAdministrator role.
Property-level policies can be enforced only on optimized properties. Also, the policies cannot be enforced in some Pega Platform features. For example, policies cannot be enforced in features that retrieve data for potential sharing across multiple users whose credentials are not available at the time of retrieval, and whose credentials might vary and might change following retrieval, such as node-scoped and cluster-scoped data pages and scheduled reports. The same limitations also apply to row-level policies.
  1. In the navigation panel, click Records > Security > Access Control Policy, and then click Create.
  2. In the Label field, enter the policy name.
  3. In the Action list, click PropertyRead.
  4. In the Context section in the Apply to field, enter a class.
  5. In the Add to ruleset field, select a ruleset.
  6. Click Create and open.
  7. On the Definition tab, select the Disallow creation of a policy with the same name at a descendant class check box to prevent overriding the policy in a descendant class.
  8. In the Permit access if field, enter the name of the condition rule under which access is permitted.
  9. Click Add property.
  10. In the Property field, select the property to mask.
    You can mask DateTime, Integer, and Text property types.
  11. In the Restriction Method field, select one of the following masking options for the property.
    DateTime
    • Mask entire Date – All the date information is replaced.
    • Mask Year – Only the year information is replaced.
    • Mask Day and Month – Only the day and month information is replaced.
    Integer
    • Mask with N digits – The whole value is replaced with a defined number of characters.
    Text
    • Full Mask – The whole text is replaced with one character.
    • Mask all but last 'N' – The whole value is replaced, except for the last N characters.
    • Mask all but first 'N' – The whole value is replaced, except for the first N characters.
  12. Click the Gear icon.
  13. In the Masking and Formatting Options form, fill out the required fields.
    Note: When the value for a restricted property is NULL for a case, the value looks as though it is not set.
    DateTime property type
    1. Depending on the selected masking option, in the Masking values section, in the Month, Day, or Year field, select or enter the value to replace.
    2. Click Submit.
    Integer property type
    1. In the Masking digit field, enter a digit, letter, or symbol to replace the property value.
    2. In the Number of digits field, enter the number of times that the digit, letter, or symbol appears in the property value.
    3. Click Submit.
    Text – Full Mask
    1. In the Masking character field, enter a digit, letter, or symbol to replace the property value.
    2. Select the Display length is fixed check box or the Display length matches value check box to specify the length of the replaced property.
    3. If you selected the Display length is fixed check box, enter a digit in the Display characters length field to specify the length of the replaced property.
    4. Click Submit.
    Text – Mask all but last 'N' and Mask all but first 'N'
    1. In the Masking character field, enter a digit, letter, or symbol to replace the property value.
    2. In the Number of unmasked character field, enter a digit to specify the number of characters that are not replaced in a property.
    3. Select the Display length is fixed check box or the Display length matches value check box to specify the length of the replaced property.
    4. Click Submit.
  14. Click Save.
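
The following added example is not Pega Platform code. It models the Text and Integer masking options from steps 11 and 13 in Python so that you can preview what a restricted user would see for a given configuration. All function and parameter names are hypothetical, and two behaviors are assumptions: a fixed display length is treated as the number of masking characters shown, and a value no longer than N is masked in full.

```python
from typing import Optional

# Model of the Text and Integer masking options listed on this page.
# Illustration only, not Pega Platform code; all names are hypothetical.


def _width(hidden: int, fixed_len: Optional[int]) -> int:
    # fixed_len set   -> "Display length is fixed": constant number of mask chars
    # fixed_len None  -> "Display length matches value": one per hidden character
    return hidden if fixed_len is None else fixed_len


def full_mask(value: Optional[str], char: str = "*",
              fixed_len: Optional[int] = None) -> Optional[str]:
    if value is None:  # a NULL value stays unset, as the Note above describes
        return None
    return char * _width(len(value), fixed_len)


def mask_all_but(value: Optional[str], n: int, keep: str = "last",
                 char: str = "*", fixed_len: Optional[int] = None) -> Optional[str]:
    """keep is 'last' or 'first'; n is the number of unmasked characters."""
    if value is None:
        return None
    if n <= 0 or n >= len(value):
        # Assumption of this sketch: a value no longer than n is masked in
        # full rather than displayed in clear.
        return full_mask(value, char, fixed_len)
    mask = char * _width(len(value) - n, fixed_len)
    return mask + value[-n:] if keep == "last" else value[:n] + mask


def mask_integer(value: Optional[int], digit: str = "9",
                 count: int = 4) -> Optional[str]:
    # "Mask with N digits": the whole value becomes `count` copies of `digit`.
    return None if value is None else digit * count


if __name__ == "__main__":
    # Constructed sample values.
    print(mask_all_but("123-45-6789", 4))                      # last 4 visible
    print(mask_all_but("alice@example.com", 2, "first", "#"))  # first 2 visible
    print(full_mask("hunter2"), full_mask("correct horse"))    # widths differ
    print(full_mask("hunter2", fixed_len=8), full_mask("correct horse", fixed_len=8))
    print(mask_integer(52000, "0", 5))
```

In this model, a mask whose display length matches the value still reveals how long the original value is, while a fixed display length produces the same output for values of any length.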