Configuring a client-based access control rule
Define the personal data properties and personal identifiers for a client-based access control rule (CBAC) so that requests for personal data can be tracked and processed. A CBAC rule defines access, update, and delete permissions for individual data elements.
- You can create a CBAC rule for each class where personal data is stored, within a ruleset that is accessible to your applications that gather personal data. In the simplest case where your data and identifiers are all in the same class, you can create one CBAC rule for the entire application. In more complex classes, where the personal data is stored on multiple classes, you create a CBAC rule for each class.
- If data is defined in a common abstract class, you can create one CBAC rule for the abstract class.
- You can create CBAC rules at different levels in the class hierarchy. They are added together at run time.
- Creation and update of CBAC rules are logged as client-based access change security events.
- Create a client-based access control rule, or open an existing rule from the navigation panel by clicking .
-
On the
Data elements
tab, list the personal data
properties:
- In the Property field, press the Down Arrow key and select a persistent property from the applies to class of the rule or one of its ancestor classes, or from a page list or page group within that class.
-
In the
External label
field, enter a label that
is used to resolve personal data requests for this property.
This label uniquely identifies the data for the purposes of CBAC. For example, if a person's home phone number is stored in class A as pyPhone and the same value is stored in class B as pyHomePhone, you define a CBAC for class A with an external label equal to Home Phone, and another CBAC for class B with the same external label ( Home Phone ).
- Optional:
In the
External description
column, click the
Pencil
icon, enter a description, and click
Submit.
For example, you might enter "Home phone number."
-
If personal data requests are allowed to change this data, select the
Rectify
check box.
You cannot select Rectify if the applies to class inherits from Index-.
-
If personal data requests are allowed to delete this data, select the
Erase
check box.
You cannot select Erase if the applies to class inherits from Index-.
- Optional: To add more properties to the CBAC rule, click the Add a row icon and repeat step 2.
- Optional: To remove a property from the CBAC rule, click the Delete this row icon.
- If more than one class contains personal identifiers, on the Pages & Classes tab, identify the classes that contain the identifiers.
-
On the
Identifier mapping
tab, list the personal
identifiers.
A client making a personal data request will supply one of these identifiers. These identifiers are also used to join multiple classes when needed to find the personal data.
-
In the
Identifier
field, press the Down Arrow
key and select an identifier from the applies to class of the rule or
from one of the classes that you have listed on the
Pages
& Classes
tab.
Each identifier must be optimized and indexed. Identifiers must also be listed as data elements.
-
In the
External label
field, enter a label that
is used to resolve personal data requests for this property.
A client making a personal data request will supply the external label and the identifier value, for example, Home Phone and 1234567.
- To define multiclass identifier relationships, in the Association field, press the Down Arrow key and select the class and property that contain a value equal to the value in the Identifier field.
-
In the
Identifier
field, press the Down Arrow
key and select an identifier from the applies to class of the rule or
from one of the classes that you have listed on the
Pages
& Classes
tab.
- Optional: To add more identifiers to the CBAC rule, click the Add a row icon and repeat step 6.
- Optional: To remove an identifier from the CBAC rule, click the Delete this row icon.
- Click Save.
Previous topic Creating a client-based access control rule Next topic Configuring client-based access control for a non-Pega data source