Authorization

Authorization ensures that after logging in, users have access to only the features and data that they need for their work. Pega Platform offers three types of authorization: role-based access control, attribute-based access control, and client-based access control. You can use these authorization features together to provide the strictest level of control.

Authorization, or access control, is a security mechanism that determines access rights and privileges that are related to system resources, including data and application features. Authorization is normally preceded by authentication for user identity verification.

You can use the authorization features in Pega Platform to define access rights and privileges that restrict or widen the scope of user actions.

Pega Platform offers the following basic authorization models that provide different yet complementary functionality:
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Client-based access control (CBAC)

Role-based access control

Role-based access control typically implements the first two types of restriction listed under Key rule and data classes in RBAC and ABAC authorization models: based on the roles and privileges that are derived from the user’s access group, each user’s access might be restricted to only certain UI elements, certain actions in the UI, or a class as a whole.

Attribute-based access control

Attribute-based access control restricts access to specific instances of classes or to specific properties within instances. Access control policies enforce these restrictions by specifying the type of access that is allowed. These policies define a set of policy conditions that compare user properties or other information on the clipboard to properties in the restricted class.

For example, an access control policy for a sales automation application might restrict access to a sales account to the user who owns the account or to a user who is included in an exception list of non-owners who have access. You can express this policy condition as one of the following values:
  • OperatorID.pyUserIdentifier = Account.Owner
  • OperatorID.pyUserIdentifier OneOf Account.AccessExceptionList

Access control policies have the following key characteristics:

  • Policies can be defined only for Assign-, Data-, and Work- classes that are in the database.
  • Attribute-based access control policies use the full inheritance functionality. Access policy rules can be inherited from multiple classes, in which case the policy conditions from the relevant policies are combined and access is allowed only when all such policy conditions are satisfied.
  • All policy conditions are evaluated for the current operator in addition to the RBAC checks. As a result, access is granted only when both the RBAC and the ABAC checks allow it.
  • Pega Platform enforces access control policies everywhere, not just within the UI, including in these areas:
    • All reporting rules (list views, summary views, report definitions)
    • Search
    • Custom SQL that is written by developers

Client-based access control

Client-based access control helps you to satisfy the data privacy requirements of the European Union (EU) General Data Protection Regulation (GDPR) and similar regulations. CBAC rules define where to store and how to access personal data. Personal data is associated with an actual person, not with an abstract entity such as a business.

For more information about the CBAC process, see Building a client-based access control environment.

Key rule and data classes in RBAC and ABAC authorization models

You can use role-based access control or attribute-based access control to restrict the following types of user access and actions:

  • Accessing portions of the UI (for example, harnesses and controls) and performing actions by using those components

    For example, you can use a privilege to control access to a UI control such as a command button. A user might be denied access to the audit trail (History and Attachments) section of a case, but a manager might be granted this access.

  • Creating, reading, updating, or deleting instances of any class
  • Reading, updating, or deleting a specific instance of a class (instance-level or row-level security) or specific properties within that instance (property-level or column-level security)
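The following Python model is an added example, not Pega Platform code, and illustrates the access-control characteristics described above and under Access control policies: the owner-or-exception-list policy condition, policy conditions inherited down a class hierarchy and combined with AND, RBAC and ABAC both having to pass, a privilege gating a UI component, and row-level and property-level filtering applied in a single data-access path that a UI, a report, or a search would all share. The class names, roles, the parent-class region policy, the CreditLimit property policy, and the sample operators and accounts are all constructed for the example; only the OperatorID.pyUserIdentifier, Account.Owner, and Account.AccessExceptionList properties come from the page.

```python
"""Toy RBAC + ABAC evaluation in the style of the page (added example, not Pega code)."""
from typing import Callable, Dict, List, Optional, Set

# Class hierarchy used to resolve inherited policies (constructed, not a real ruleset).
PARENTS: Dict[str, Optional[str]] = {
    "Work-Sales-Account": "Work-Sales-",
    "Work-Sales-": "Work-",
    "Work-": None,
}

# RBAC: class-level actions (Rule-Access-Role-Obj style) granted to each constructed role.
ROLE_ACCESS: Dict[str, Dict[str, Set[str]]] = {
    "Sales:User": {"Work-Sales-Account": {"read", "update"}},
    "Sales:Manager": {"Work-Sales-Account": {"read", "update", "delete"}},
}
# RBAC privileges that gate UI components such as a History section (constructed).
ROLE_PRIVILEGES: Dict[str, Set[str]] = {"Sales:Manager": {"ViewHistory"}}

# ABAC: a policy condition compares operator (clipboard) data with the instance.
Condition = Callable[[dict, dict], bool]

# Read policies per class; conditions inherited from ancestor classes are ANDed together.
READ_POLICIES: Dict[str, List[Condition]] = {
    # Constructed parent-class policy: operator must be assigned to the account's region.
    "Work-Sales-": [lambda op, inst: inst["Region"] in op["pyRegions"]],
    # The page's example: the owner, or anyone on the exception list of non-owners.
    "Work-Sales-Account": [
        lambda op, inst: op["pyUserIdentifier"] == inst["Owner"]
        or op["pyUserIdentifier"] in inst["AccessExceptionList"]
    ],
}
# Property-level (column-level) policies: who may see a restricted property (constructed).
PROPERTY_POLICIES: Dict[str, Dict[str, Condition]] = {
    "Work-Sales-Account": {"CreditLimit": lambda op, inst: "Sales:Manager" in op["roles"]},
}


def inherited_conditions(cls: str) -> List[Condition]:
    """Collect policy conditions from cls and every ancestor class."""
    conds: List[Condition] = []
    current: Optional[str] = cls
    while current is not None:
        conds.extend(READ_POLICIES.get(current, []))
        current = PARENTS.get(current)
    return conds


def abac_allows(op: dict, cls: str, inst: dict) -> bool:
    """Every inherited condition must hold; one failing condition denies the instance."""
    return all(cond(op, inst) for cond in inherited_conditions(cls))


def rbac_allows(op: dict, cls: str, action: str) -> bool:
    """Any of the operator's roles may grant the class-level action."""
    return any(action in ROLE_ACCESS.get(role, {}).get(cls, set()) for role in op["roles"])


def has_privilege(op: dict, privilege: str) -> bool:
    """Privilege check used to show or hide a UI component."""
    return any(privilege in ROLE_PRIVILEGES.get(role, set()) for role in op["roles"])


def can_access(op: dict, cls: str, inst: dict, action: str) -> bool:
    """RBAC and ABAC are both required; neither one alone grants access."""
    return rbac_allows(op, cls, action) and abac_allows(op, cls, inst)


def read_instance(op: dict, cls: str, inst: dict) -> Optional[dict]:
    """Row-level check first, then mask properties the operator may not see."""
    if not can_access(op, cls, inst, "read"):
        return None
    prop_rules = PROPERTY_POLICIES.get(cls, {})
    return {k: v for k, v in inst.items() if k not in prop_rules or prop_rules[k](op, inst)}


def read_instances(op: dict, cls: str, rows: List[dict]) -> List[dict]:
    """Single data-access path shared by UI, reports and search, so the same policies apply everywhere."""
    return [r for r in (read_instance(op, cls, row) for row in rows) if r is not None]


# Constructed sample operators and account instances.
ALICE = {"pyUserIdentifier": "alice", "roles": ["Sales:User"], "pyRegions": {"EMEA"}}
BOB = {"pyUserIdentifier": "bob", "roles": ["Sales:Manager"], "pyRegions": {"EMEA", "APAC"}}
ACCOUNTS = [
    {"pyID": "A-1", "Owner": "alice", "AccessExceptionList": [], "Region": "EMEA", "CreditLimit": 50000},
    {"pyID": "A-2", "Owner": "carol", "AccessExceptionList": ["alice", "bob"], "Region": "EMEA", "CreditLimit": 20000},
    {"pyID": "A-3", "Owner": "carol", "AccessExceptionList": ["alice"], "Region": "APAC", "CreditLimit": 75000},
]

if __name__ == "__main__":
    for op in (ALICE, BOB):
        visible = read_instances(op, "Work-Sales-Account", ACCOUNTS)
        print(op["pyUserIdentifier"], [r["pyID"] for r in visible])
```

Running the block shows why the inherited condition matters: alice is on the exception list of A-3 but still cannot read it, because the parent-class region condition fails and inherited conditions are combined with AND. Bob's manager role grants delete at the class level, yet he cannot delete A-1 because the ABAC owner check denies the instance; RBAC never overrides a failing policy condition. The CreditLimit property is present in alice's view of nothing and in bob's view of A-2, which is the column-level part of the same check.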

The following diagram shows the key rule and data classes that are involved in the RBAC and ABAC authorization models.

Diagram: Key security classes and relationships

Role-based access control uses the following key classes:

  • Access group (Data-Admin-Operator-AccessGroup)
  • Roles (Rule-Access-Rolename)
  • Access of roles to objects (Rule-Access-Role-Obj)
  • Deny rules (Rule-Access-Deny-Obj)
  • Privileges (Rule-Access-Privilege)

Policy-based access control uses the following key classes:

  • Access control policies (Rule-Access-Policy)
  • Access control policy conditions (Rule-Access-PolicyCondition)