Define the personal data properties and personal identifiers for a client-based
access control (CBAC) rule so that requests for personal data can be tracked and processed.
A CBAC rule defines access, update, and delete permissions for individual data
elements.
Before you begin: To configure a client-based access control rule, you must
have the pzCanManageSecurityPolicies privilege, which is included in
the PegaRULES:SecurityAdministrator role.
- You can create a CBAC rule for each class where personal data is stored, within
a ruleset that is accessible to your applications that gather personal data. In
the simplest case, where your data and identifiers are all in the same class, you
can create one CBAC rule for the entire application. In more complex applications,
where the personal data is stored in multiple classes, you create a CBAC rule
for each class.
- If data is stored in a common abstract class, you can create one CBAC rule for
the abstract class.
- You can create CBAC rules at different levels in the class hierarchy. They are
added together at run time.
- Creation and update of CBAC rules are logged as client-based access change
security events.
- For information about the overall CBAC process, see the
Pega Community article Supporting EU GDPR data privacy rights in Pega Infinity with
client-based access control.
1. Create a client-based access control rule, or open an existing rule from the
   navigation panel by clicking .
2. On the Data elements tab, list the personal data properties:
   - In the Property field, press the Down Arrow key and select a persistent
     property from the applies to class of the rule or one of its ancestor
     classes, or from a page list or page group within that class.
   - In the External label field, enter the label that is used to resolve
     personal data requests for this property. This label uniquely identifies
     the data for the purposes of CBAC. For example, if a person's home phone
     number is stored in class A as pyPhone and the same value is stored in
     class B as pyHomePhone, you define a CBAC rule for class A with the
     external label Home Phone, and another CBAC rule for class B with the same
     external label (Home Phone).
   - Optional: In the External description column, click the Pencil icon, enter
     a description, and click Submit. For example, you might enter "Home phone
     number."
     Note: When two properties have the same external label, only one of the
     properties is returned in the CBAC response, because both properties hold
     the same data value. As a best practice, enter the same external
     description for both properties.
   - If personal data requests are allowed to change this data, select the
     Rectify check box. You cannot select Rectify if the applies to class
     inherits from Index-.
   - If personal data requests are allowed to delete this data, select the
     Erase check box. You cannot select Erase if the applies to class inherits
     from Index-.
   Note:
   - View access is granted to every data element that you list.
   - Examples of rectify and erase settings for various properties:
     - To allow a client to change the primary email property but not to
       delete it, select the Rectify check box and clear the Erase check box.
     - To allow a client to change and delete the secondary email property,
       select both the Rectify and Erase check boxes.
     - To prevent a client from changing or deleting the account number, clear
       both check boxes.
3. Optional: To add more properties to the CBAC rule, click the Add a row icon
   and repeat step 2.
4. Optional: To remove a property from the CBAC rule, click the Delete this row
   icon.
5. If more than one class contains personal identifiers, on the Pages & Classes
   tab, identify the classes that contain the identifiers.
6. On the Identifier mapping tab, list the personal identifiers. A client making
   a personal data request supplies one of these identifiers. The identifiers
   are also used to join multiple classes when that is needed to find the
   personal data.
   - In the Identifier field, press the Down Arrow key and select an identifier
     from the applies to class of the rule or from one of the classes that you
     listed on the Pages & Classes tab. Each identifier must be optimized and
     indexed. Identifiers must also be listed as data elements.
   - In the External label field, enter the label that is used to resolve
     personal data requests for this property. A client making a personal data
     request supplies the external label and the identifier value, for example,
     Home Phone and 1234567.
   - To define multiclass identifier relationships, in the Association field,
     press the Down Arrow key and select the class and property that contain a
     value equal to the value in the Identifier field.
     For example: A person's address is personal data that is stored in class A,
     and class A instances are unique by home phone, which is the property
     .HomePhone1. Incoming requests supply a national identifier that is stored
     on class B, and home phone is stored on class B as .HomePhone2. Class B is
     unique by .HomePhone2, and is also unique by national identifier.
     - Create a CBAC rule with an applies to class that is equal to A.
     - On the Data elements tab, enter the .Address and .HomePhone1 properties,
       with the external labels Address and Home Phone.
     - On the Pages & classes tab, define PageB for class B.
     - On the Identifier mapping tab, enter the .HomePhone1 identifier with the
       association PageB.HomePhone2, and the external label Home Phone.
     - Create a second CBAC rule with an applies to class that is equal to B.
     - On the Data elements tab, enter the .NationalID and .HomePhone2
       properties, with the external labels National ID and Home Phone.
     - On the Identifier mapping tab, enter the .NationalID identifier with the
       external label National ID.
7. Optional: To add more identifiers to the CBAC rule, click the Add a row icon
   and repeat step 6.
8. Optional: To remove an identifier from the CBAC rule, click the Delete this
   row icon.
9. Click Save.
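To make the identifier join and the rectify/erase permissions in this procedure concrete, here is an added example (not Pega's code) that models the class A and class B rules above as plain data and resolves a personal data request by following the Association from one class to the other. The record values and the rectify and erase settings are constructed for illustration.

```python
# Added example (not Pega code): toy model of the class A / class B scenario above.
# Rule rows are (property, external label, rectify, erase) and
# (property, external label, association) tuples; records and flags are constructed.
RULES = {
    "A": {"elements":    [(".Address", "Address", True, False),
                          (".HomePhone1", "Home Phone", False, False)],
          "identifiers": [(".HomePhone1", "Home Phone", ("B", ".HomePhone2"))]},
    "B": {"elements":    [(".NationalID", "National ID", False, False),
                          (".HomePhone2", "Home Phone", False, False)],
          "identifiers": [(".NationalID", "National ID", None)]},
}
DB = {"A": [{".Address": "1 Main St", ".HomePhone1": "1234567"}],
      "B": [{".NationalID": "NID-42", ".HomePhone2": "1234567"}]}

def joins(cls):
    """Yield (target class, property on cls, property on target) for each
    Association that touches cls, so the join works in both directions."""
    for owner, rule in RULES.items():
        for prop, _label, assoc in rule["identifiers"]:
            if assoc and owner == cls:
                yield assoc[0], prop, assoc[1]
            elif assoc and assoc[0] == cls:
                yield owner, assoc[1], prop

def resolve(label, value, action="view"):
    """Return {external label: value} for every data element reachable from the
    supplied identifier that permits `action` (view is always granted).
    When two properties share an external label, only the first value found is kept."""
    pending = [(cls, rec) for cls, rule in RULES.items()
               for prop, lbl, _ in rule["identifiers"] if lbl == label
               for rec in DB[cls] if rec.get(prop) == value]
    found, seen = {}, set()
    while pending:
        cls, rec = pending.pop()
        if (cls, id(rec)) in seen:
            continue
        seen.add((cls, id(rec)))
        for prop, lbl, rectify, erase in RULES[cls]["elements"]:
            if {"view": True, "rectify": rectify, "erase": erase}[action]:
                found.setdefault(lbl, rec.get(prop))
        for target, here, there in joins(cls):   # follow identifier associations
            pending += [(target, r2) for r2 in DB[target] if r2.get(there) == rec.get(here)]
    return found

if __name__ == "__main__":
    print(resolve("National ID", "NID-42"))            # all three labels
    print(resolve("National ID", "NID-42", "erase"))   # nothing is erasable
```

A request that supplies a data element that is not listed on the Identifier mapping tab (for example, Address) resolves to nothing, which is why identifiers must be listed explicitly.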