You can restrict access to values of one or more properties by using a property-level access control policy. By using various masking options in the access control policy, you can display partial information about a value to users who are not allowed to see the full value.
Before you begin:
- You must configure your system to support attribute-based access control (ABAC). For more information, see Enabling attribute-based access control.
- You must have the pzCanManageSecurityPolicies privilege, which is included in the PegaRULES:SecurityAdministrator role.
Property-level policies can be enforced only on optimized properties. Also, the policies cannot be enforced in some Pega Platform features. For example, policies cannot be enforced in features that retrieve data for potential sharing across multiple users whose credentials are not available at the time of retrieval, and whose credentials might vary and might change following retrieval, such as node-scoped and cluster-scoped data pages and scheduled reports. These same limitations also apply to row-level policies.
1. In the navigation panel, click , and then click Create.
2. In the Label field, enter the policy name.
3. In the Action list, click PropertyRead.
4. In the Context section, in the Apply to field, enter a class.
5. In the Add to ruleset field, select a ruleset.
6. Click Create and open.
7. On the Definition tab, select the Disallow creation of a policy with the same name at a descendant class check box to prevent overriding the policy in a descendant class.
8. In the Permit access if field, enter the name of the condition rule under which access is permitted.
9. Click Add property.
10. In the Property field, select the property to mask. You can mask DateTime, Integer, and Text property types.
11. In the Restriction Method field, select one of the following masking options for the property.
    DateTime
    - Mask entire Date – All the date information is replaced.
    - Mask Year – Only the year information is replaced.
    - Mask Day and Month – Only the day and month information is replaced.
    Integer
    - Mask with N digits – The whole value is replaced with a defined number of characters.
    Text
    - Full Mask – The whole text is replaced with one character.
    - Mask all but last 'N' – The whole value is replaced, except for the last N characters.
    - Mask all but first 'N' – The whole value is replaced, except for the first N characters.
12. Click the Gear icon.
13. In the Masking and Formatting Options form, fill out the required fields.
    Note: When the value for a restricted property is NULL for a case, the value looks as though it is not set.
    DateTime property type
    - Depending on the selected masking option, in the Masking values section, in the Month, Day, or Year field, select or enter the replacement value.
    - Click Submit.
    Integer property type
    - In the Masking digit field, enter the digit, letter, or symbol that replaces the property value.
    - In the Number of digits field, enter the number of times the digit, letter, or symbol is repeated in the masked value.
    - Click Submit.
    Text – Full Mask
    - In the Masking character field, enter the digit, letter, or symbol that replaces the property value.
    - Select the Display length is fixed check box or the Display length matches value check box to specify the length of the masked value.
    - If you selected the Display length is fixed check box, enter a number in the Display characters length field to specify the length of the masked value.
    - Click Submit.
    Text – Mask all but last 'N' and Mask all but first 'N'
    - In the Masking character field, enter the digit, letter, or symbol that replaces the property value.
    - In the Number of unmasked character field, enter the number of characters that are not replaced in the property value.
    - Select the Display length is fixed check box or the Display length matches value check box to specify the length of the masked value.
    - Click Submit.
14. Click Save.
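The masking options and form fields above translate into the following transformations of a property value; this is an added Python illustration written for this page, not Pega Platform code, and the function and parameter names (mask_text, fixed_length, and so on) are assumptions that mirror the form fields.

```python
from datetime import datetime
from typing import Optional


def _masked_length(value: str, keep: int, fixed_length: Optional[int]) -> int:
    # "Display length is fixed" replaces the value with a fixed-width mask;
    # "Display length matches value" keeps the original length.
    total = fixed_length if fixed_length is not None else len(value)
    return max(total - keep, 0)


def mask_text(value: Optional[str], method: str, char: str = "*",
              n: int = 0, fixed_length: Optional[int] = None) -> Optional[str]:
    """Text masking: method is 'full', 'all_but_last' or 'all_but_first'."""
    if value is None:
        return None  # a NULL value is shown as if the property were not set
    if method == "full":
        return char * _masked_length(value, 0, fixed_length)
    if method == "all_but_last":
        keep = value[-n:] if n > 0 else ""
        return char * _masked_length(value, len(keep), fixed_length) + keep
    if method == "all_but_first":
        keep = value[:n]
        return keep + char * _masked_length(value, len(keep), fixed_length)
    raise ValueError(f"unknown text masking method: {method}")


def mask_integer(value: Optional[int], digit: str = "X", count: int = 4) -> Optional[str]:
    """Integer masking: the whole value becomes `count` copies of `digit`."""
    if value is None:
        return None  # NULL stays NULL rather than becoming a mask string
    return digit * count


def mask_datetime(value: Optional[datetime], method: str, month: int = 1,
                  day: int = 1, year: int = 1900) -> Optional[datetime]:
    """DateTime masking: method is 'entire_date', 'year' or 'day_month'."""
    if value is None:
        return None
    # datetime.replace() raises ValueError if the replacement day does not
    # exist in the resulting month, so pick a day that is valid for every month.
    if method == "entire_date":
        return value.replace(year=year, month=month, day=day)
    if method == "year":
        return value.replace(year=year)
    if method == "day_month":
        return value.replace(month=month, day=day)
    raise ValueError(f"unknown DateTime masking method: {method}")
```

Masking a 16-digit card-number-like string with "all but last 4" yields twelve mask characters followed by the last four digits, while a fixed display length hides even the original length from the viewer.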