Defining client-based access control rules

Client-based access control (CBAC) rules define where personal data is stored and how it can be accessed. These CBAC rules are used by the application server that receives and processes the requests.

CBAC rules are only one part of the overall processing of client-based access requests. For information about the overall process, see the Pega Community article Supporting EU GDPR data privacy rights in Pega Infinity with client-based access control.

Follow these general steps to define CBAC rules for client-based data requests:

  1. List the applications – Identify the applications that store personal data. By listing the applications, you can determine the rulesets that contain the rules needed for personal data requests. If all your applications are built on the same parent application, you can use the parent application for this purpose. Otherwise, define CBAC rules separately for each application.
  2. List the data elements – Identify the data elements that contain protected information that could be used to identify an actual person. For example, personal data might include genetic data, health data, Internet cookies, fingerprints, names, addresses, ages, national identification numbers, and personally identifiable data gathered over the Internet. In Pega Platform, identify the class names and property names where this data is stored.
  3. List the identifiers – Establish how your application identifies the person who is described by the personal data. Your application identifies the person with one or more unique properties, such as a national identification number or, if your application equates an email address with a person, an email address. You must optimize and index these client identifiers on all the classes that contain them.
  4. Create the CBAC rules – Create the CBAC rules that describe the personal data and identifiers:
    • The applies to class of the CBAC instance is the class where the personal data is stored or where an identifier is referenced. The applies to class can be an abstract class if the data is stored on different concrete classes within the same abstract class. The applies to class derives from Work-, Data-, or Index-.
    • The ruleset of the CBAC instance belongs to the application that controls the personal data. You can create CBAC instances in a ruleset that is shared by multiple applications, or in separate rulesets by application.
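As an added example (not part of this page or of Pega Platform), the inventory produced by steps 1 to 4 can be checked mechanically before the CBAC rules are created: every class that holds a client identifier must have it indexed, every CBAC applies to class must sit under Work-, Data-, or Index-, and every class holding personal data must be covered by a rule, directly or through an abstract ancestor. All class, property and ruleset names below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PegaClass:
    name: str
    parent: Optional[str]   # None only for a built-in root such as Work-
    properties: set         # properties stored on this class
    indexed: set            # properties that are optimized/indexed

@dataclass
class CbacRule:
    applies_to: str         # the applies to class of the CBAC instance
    ruleset: str            # ruleset of the application that controls the data

ROOTS = {"Work-", "Data-", "Index-"}

def ancestors(name, classes):
    """Yield the class name and each ancestor up to the root it derives from."""
    while name is not None:
        yield name
        name = classes[name].parent if name in classes else None

def check_inventory(classes, rules, identifiers, personal_props):
    """Return a list of findings; an empty list means the inventory is consistent."""
    findings = []
    for c in classes.values():                      # step 3: identifiers must be indexed
        for ident in identifiers & c.properties:
            if ident not in c.indexed:
                findings.append(f"{c.name}: identifier {ident} is not indexed")
    for r in rules:                                 # step 4: applies to class under a root
        if not ROOTS & set(ancestors(r.applies_to, classes)):
            findings.append(f"{r.applies_to}: not under Work-, Data- or Index-")
    covered = {r.applies_to for r in rules}         # step 4: abstract ancestors cover children
    for c in classes.values():
        if c.properties & personal_props and not covered & set(ancestors(c.name, classes)):
            findings.append(f"{c.name}: holds personal data but no CBAC rule applies to it")
    return findings

# Constructed sample inventory (hypothetical names).
CLASSES = {c.name: c for c in [
    PegaClass("MyCo-Data-Customer", "Data-", {"NationalID", "Email", "FullName"}, {"NationalID", "Email"}),
    PegaClass("MyCo-Work-Claim", "Work-", {"NationalID", "HealthData"}, set()),
    PegaClass("MyCo-Int-Audit", "MyCo-Int-", {"Email"}, {"Email"}),
]}
IDENTIFIERS = {"NationalID", "Email"}
PERSONAL = {"FullName", "HealthData"} | IDENTIFIERS
RULES = [CbacRule("MyCo-Data-Customer", "MyCoPrivacy:01-01-01"),
         CbacRule("MyCo-Int-Audit", "MyCoPrivacy:01-01-01")]

if __name__ == "__main__":
    for finding in check_inventory(CLASSES, RULES, IDENTIFIERS, PERSONAL):
        print(finding)
```

Run against the sample inventory it reports the unindexed identifier on the claim class, the audit class that is outside the three roots, and the claim class that no rule covers.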

For detailed steps on creating the CBAC rules, see the steps listed below.