Authorization settings for a user include security rules and data instances. These settings determine the class objects that users can access and the rules and operations that they can run on those objects.
The following rule and data types are available in Pega Platform:
The metadata provided in this policy creates the policy condition rules. The policy condition rules define the conditions used by attribute-based access control to grant access to the requested resource.
Access Control Policy Condition rule
Defines a set of conditions and the logic by which those conditions are evaluated to grant access to the requested resource.
Restricts user access to instances of specific classes under certain conditions.
An access group is associated with a user through the Operator ID data instance. The access group specifies the applications that are available to the user, the user's access roles, portal layout, and work pools.
An access role rule defines a name for a role, which is used for configuring user authorization settings. Security administrators can also use privilege inheritance to simplify the process of granting operator access to a feature protected by privileges.
Access of Role to Object rules
Relates role names to access rights to objects of specific classes. Access right types include open, update, and delete.
Defines a condition that the system evaluates to allow or disallow a user to perform an operation or access information, based on security requirements.
A set of directives that inform a client's browser of the locations from which it is permitted to load content.
Cross Origin Resource Sharing data instance
Controls access for other systems or websites (origins) to resources (APIs and services) provided by your application.
Provides a name and storage for a certificate file that contains keystores.
Your applications can act as an OAuth 1.0 consumer (client). As a result, your application can access private resources stored on external websites, such as LinkedIn, that support the OAuth 1.0 protocol.
OAuth 2.0 Client Registration data instance
A standard framework that enables secure, delegated access to services via HTTPS. This is the next evolution of the OAuth protocol.
The Pega 7 Platform acts as an OAuth 2.0 provider to protect your REST services by using the client credentials grant type. The user receives an access token and can access the private resources for a defined period of time.
OAuth 2.0 Identity Mapping data instance
Specifies how to identify an operator with attribute values that are provided in the SAML assertion.
OAuth 2.0 Provider data instance
The application acts as an OAuth 2.0 client to access protected resources that are stored in external websites such as Twitter and Facebook. The Pega 7 Platform supports the client credentials and authorization code grant types.
Restrict access to specific rules rather than to entire classes or ruleset versions. Privileges differentiate the capabilities of different groups of users within the application and restrict access to certain functions in an application.
Restrict access to properties by specifying required privileges for a property. Attach a privilege to a property to restrict access to report definitions that reference the property.
The JSON Web Token (JWT) data instance contains information about a user that can be used by another party to authenticate the identity of the user between different processes.
WS-Security Profile data instances
Enable Web Services Security (WS-Security) on a SOAP connection to securely move messages to and from your application.