Authorization
Authorization ensures that after logging in, users have access to only the features and data that they need for their work. Pega Platform offers three types of authorization: role-based access control, attribute-based access control, and client-based access control. You can use these authorization features together to provide the strictest level of control.
Authorization, or access control, is a security mechanism that determines access rights and privileges that are related to system resources, including data and application features. Authorization is normally preceded by authentication for user identity verification.
You can use authorization features in Pega Platform to determine the access rights and privileges to restrict or increase the scope of user actions.
Pega Platform offers the following basic authorization models that provide different yet complementary functionality:
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
- Client-based access control (CBAC)
Role-based access control
Role-based access control typically implements the first two kinds of restriction listed under Key rule and data classes in RBAC and ABAC authorization models: based on the roles and privileges that are derived from the user’s access group, each user’s access can be restricted to certain UI elements, to certain actions in the UI, or to a class.
Attribute-based access control
Attribute-based access control restricts access to specific instances of classes or to specific properties within instances. Access control policies enforce these restrictions by specifying the type of access that is allowed. These policies define a set of policy conditions that compare user properties or other information on the clipboard to properties in the restricted class.
For example, an access control policy for a sales automation application might restrict access to a sales account to the user who owns the account or to a user who is included in an exception list of non-owners who have access. You can express this policy condition as one of the following values:
OperatorID.pyUserIdentifier = Account.Owner
OperatorID.pyUserIdentifier OneOf Account.AccessExceptionList
Access control policies have the following key characteristics:
- Policies can be defined only for Assign-, Data-, and Work- classes that are in the database.
- Attribute-based access control policies use the full inheritance functionality. Access policy rules can be inherited from multiple classes, in which case the policy conditions from the relevant policies are combined and access is allowed only when all such policy conditions are satisfied.
- All policy conditions are evaluated for the operator in addition to the RBAC checks. As a result, access is granted only when both RBAC and ABAC allow it.
- Pega Platform enforces access control policies everywhere, not just within the UI, including in these areas:
  - All reporting rules (list views, summary views, report definitions)
  - Search
  - Custom SQL that is written by developers
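The following Python script is an added illustration of the policy semantics described above; it is not Pega Platform code. It models the OperatorID clipboard page and a set of Account instances as plain dicts, evaluates the two condition forms from the example (`=` and `OneOf`), ANDs the policies inherited along a hypothetical class chain (Sales-Data-Account under Sales-Data), and consults ABAC only after a minimal RBAC table has allowed the action. The class names, the parent-class Region policy, the role table and all sample data are constructed for the example; the assumption that the conditions listed for a single class are alternatives (owner or exception list) follows the page's example rather than any stated rule.

```python
from dataclasses import dataclass

# Constructed sample clipboard data, not taken from the page: the OperatorID page
OPERATOR = {"pyUserIdentifier": "alice", "Region": "EMEA"}

# Constructed Account instances of a hypothetical Sales-Data-Account class
ACCOUNTS = {
    "ACME":     {"Owner": "alice", "AccessExceptionList": [],        "Region": "EMEA"},
    "Globex":   {"Owner": "bob",   "AccessExceptionList": ["alice"], "Region": "EMEA"},
    "Initech":  {"Owner": "bob",   "AccessExceptionList": [],        "Region": "EMEA"},
    "Umbrella": {"Owner": "alice", "AccessExceptionList": [],        "Region": "APAC"},
}

# Hypothetical class hierarchy (child -> parent); None marks the top of the chain
PARENT = {"Sales-Data-Account": "Sales-Data", "Sales-Data": None}


@dataclass(frozen=True)
class Condition:
    """One policy condition: <OperatorID property> <op> <restricted-class property>."""
    operator_prop: str
    op: str          # "=" or "OneOf", the two forms shown on the page
    class_prop: str

    def holds(self, operator: dict, instance: dict) -> bool:
        left = operator.get(self.operator_prop)
        right = instance.get(self.class_prop)
        if left is None:
            return False            # a missing operator value never grants access
        if self.op == "=":
            return left == right
        if self.op == "OneOf":
            return left in (right or [])
        raise ValueError(f"unsupported operator {self.op!r}")


# Policies keyed by the class they are defined on. Assumption for this example:
# the conditions listed for one class are alternatives (owner OR exception list),
# while policies inherited from different classes are ANDed, as the page states.
POLICIES = {
    "Sales-Data-Account": [
        Condition("pyUserIdentifier", "=", "Owner"),
        Condition("pyUserIdentifier", "OneOf", "AccessExceptionList"),
    ],
    "Sales-Data": [Condition("Region", "=", "Region")],   # hypothetical parent policy
}

# Minimal RBAC table (hypothetical): role -> class -> allowed actions
ROLE_ACCESS = {"SalesRep": {"Sales-Data-Account": {"Read"}}}


def inherited_policies(class_name: str) -> list:
    """Collect the policy of class_name and of every ancestor that defines one."""
    found = []
    while class_name is not None:
        if class_name in POLICIES:
            found.append(POLICIES[class_name])
        class_name = PARENT.get(class_name)
    return found


def abac_allows(class_name: str, operator: dict, instance: dict) -> bool:
    """Every inherited policy must be satisfied; within a policy any condition suffices."""
    return all(
        any(cond.holds(operator, instance) for cond in policy)
        for policy in inherited_policies(class_name)
    )


def rbac_allows(role: str, action: str, class_name: str) -> bool:
    """Class-level RBAC check: is the action granted to the role for this class?"""
    return action in ROLE_ACCESS.get(role, {}).get(class_name, set())


def is_allowed(role: str, action: str, class_name: str, operator: dict, instance: dict) -> bool:
    """Access is granted only when the RBAC check and the ABAC policies both pass."""
    return rbac_allows(role, action, class_name) and abac_allows(class_name, operator, instance)


def visible_accounts(role: str, operator: dict) -> list:
    """The row filter a report or search would apply: only instances the operator may read."""
    return [name for name, acct in ACCOUNTS.items()
            if is_allowed(role, "Read", "Sales-Data-Account", operator, acct)]


if __name__ == "__main__":
    print(visible_accounts("SalesRep", OPERATOR))   # ['ACME', 'Globex']
```

Running the script shows why the combination matters: Umbrella is owned by alice, so the child-class policy passes, but the inherited Region policy denies it; Initech fails both alternatives of the child-class policy; and an Update on ACME is refused before any policy is consulted because the role table does not grant that action. The same `visible_accounts` filter is what the page means by enforcing policies in reports, search and custom SQL rather than only in the UI.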
Client-based access control
Client-based access control helps you to satisfy the data privacy requirements of the European Union (EU) General Data Protection Regulation (GDPR) and similar regulations. CBAC rules define where to store and how to access personal data. Personal data is associated with an actual person, not with an abstract entity such as a business.
For more information about the CBAC process, see Building a client-based access control environment.
Key rule and data classes in RBAC and ABAC authorization models
You can use role-based access control or attribute-based access control to restrict the following types of user access and actions:
- Accessing portions of the UI (for example, harnesses and controls) and performing actions by using those components
For example, you can use a privilege to control access to a UI control such as a command button. A user might be denied access to the audit trail (History and Attachments) section of a case, but a manager might be granted this access.
- Creating, reading, updating, or deleting instances of any class
- Reading, updating, or deleting a specific instance of a class (instance-level or row-level security) or specific properties within that instance (property-level or column-level security)
Key security classes and relationships
Role-based access control uses the following key classes:
- Access group (Data-Admin-Operator-AccessGroup)
- Roles (Rule-Access-Rolename)
- Access of roles to objects (Rule-Access-Role-Obj)
- Deny rules (Rule-Access-Deny-Obj)
- Privileges (Rule-Access-Privilege)
Attribute-based (policy-based) access control uses the following key classes:
- Access control policies (Rule-Access-Policy)
- Access control policy conditions (Rule-Access-PolicyCondition)
- Role-based access control
Use role-based access control (RBAC) to restrict users to certain UI elements or to certain actions in the UI, or to deny them any access to a class, based on defined roles and privileges that are derived from the user’s access group. Access groups define the actions that groups of users can perform in an application. For example, you can configure a case manager access group so that case managers can approve important cases that other case workers are not permitted to approve.
- Attribute-based access control
Use attribute-based access control (ABAC) to restrict the ability of a user to view, modify, and delete instances of classes (cases) or properties within those instances, which enforces row-level and column-level security in your application.
- Client-based access control
If your application stores data that might be used to identify a person and you are subject to GDPR or similar regulations, use client-based access control (CBAC) to track and process requests to view, change, or remove the data.