Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Defining client-based access control rules

Updated on March 15, 2022

Client-based access control (CBAC) rules define where personal data is stored and how it can be accessed. These CBAC rules are used by the application server that receives and processes the requests.

CBAC rules are only one part of the overall processing of client-based access requests. For information, see General Data Protection Regulation.

Follow these general steps to define CBAC rules for client-based data requests:

  1. List the applications – Identify the applications that store personal data. By listing the applications, you can determine the rulesets that contain the rules needed for personal data requests. If all your applications are built on the same parent application, you can use the parent application for this purpose. Otherwise, define CBAC rules separately for each application.
  2. List the data elements – Identify the data elements that contain protected information that could be used to identify an actual person. For example, personal data might include genetic data, health data, Internet cookies, fingerprints, names, addresses, ages, national identification numbers, and personally identifiable data gathered over the Internet. In Pega Platform, identify the class names and property names where this data is stored.
  3. List the identifiers – Establish how your application identifies the person who is described by the personal data. Your application identifies the person with one or more unique properties such as, for example, a national identification number or, if your application equates an email address with a person, an email address. You must optimize and index these client identifiers on all the classes that contain them.
  4. Create the CBAC rules – Create the CBAC rules that describe the personal data and identifiers:
    • The applies to class of the CBAC instance is the class where the personal data is stored or where an identifier is referenced. The applies to class can be an abstract class if the data is stored on different concrete classes within the same abstract class. The instances are of Data-, Index- or Work-.
    • The ruleset of the CBAC instance belongs to the application that controls the personal data. You can create CBAC instances in a ruleset that is shared by multiple applications, or in separate rulesets by application.

For detailed steps on creating the CBAC rules, see the steps listed below.

  1. Creating a client-based access control rule

    Create client-based access control (CBAC) rules to identify the personal data and personal identifiers in your Pega Platform application. CBAC rules define how an incoming request finds the personal data in your data store. CBAC rules also define the type of access the client has for each data instance (view, modify, or delete).

  2. Configuring a client-based access control rule

    Define the personal data properties and personal identifiers for a client-based access control rule (CBAC) so that requests for personal data can be tracked and processed. A CBAC rule defines access, update, and delete permissions for individual data elements.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us