Implementing attribute-based access control (ABAC)
| Field | Value |
| --- | --- |
| Description | Learn how to limit the visibility of sensitive data items through attribute-based access control (ABAC), based on a set of examples. |
| Version as of | 8.5 |
| Application | Pega Government Platform |
| Capability/Industry Area | Public Sector |
What is attribute-based access control?
Attribute-based access control (ABAC) and role-based access control (RBAC) are two ways of controlling the authentication process and authorizing users. The difference between them is that ABAC grants access rights based on attributes of the user, the environment, or the resource (for example, values held on a data page on the clipboard), while RBAC grants access to resources or information based on user roles, such as an Access Role or an Access Role to Object rule. Essentially, RBAC controls broad access across an organization, while ABAC takes a fine-grained approach.
Pega Platform provides rules that you can use to implement access control by using values of attributes that are present on the clipboard:
- Access Control Policy
- Access Control Policy Condition
- Access When
Use case examples
Use the ABAC security feature in Pega Platform to mask sensitive data, such as personally identifiable information (PII), so that unauthorized users cannot see it.
In the following examples, the ABAC Access Control Policy rule is used to mask sensitive data that is stored in the Security question and Security answer properties of an instance of a Person data entity, so that an unauthorized user cannot see the property values:
- A non-administrative end user can add, view, and update the Person entity instances that they own, but they cannot view sensitive data of instances they do not own.
- An administrative end user, such as an operator with the manager access role, can add, view, and update all the sensitive data of any
- A general case worker can add a new Person entity instance and enter the Security question and Security answer values, but they cannot view or update the sensitive data properties after adding the entity.
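The three personas above, as an added Python model of the masking behaviour that a PropertyRead and Update Access Control Policy would produce. This is an illustration written for this page, not Pega Platform code; the property names, the pyOwner ownership property and the Manager role name are assumptions.

```python
# Added illustration (not Pega code): a small model of the Access Control Policy
# behaviour described above. pyOwner, "Manager" and the sensitive property names
# are assumptions for the example, not Pega rule identifiers.
from dataclasses import dataclass

MASK = "********"
SENSITIVE = ("SecurityQuestion", "SecurityAnswer")   # assumed property names


@dataclass(frozen=True)
class Operator:
    operator_id: str
    roles: frozenset = frozenset()


# Policy conditions (the counterpart of Access Control Policy Condition / Access When
# rules): each returns True when the operator may see the sensitive properties.
def owns_record(op: Operator, person: dict) -> bool:
    return person.get("pyOwner") == op.operator_id      # pyOwner is an assumed property


def is_manager(op: Operator, person: dict) -> bool:
    return "Manager" in op.roles                         # assumed access role name


POLICY_CONDITIONS = (owns_record, is_manager)


def sensitive_access_granted(op: Operator, person: dict) -> bool:
    return any(cond(op, person) for cond in POLICY_CONDITIONS)


def create_person(op: Operator, owner_id: str, question: str, answer: str) -> dict:
    """Create action: any operator may enter the values while adding the entity."""
    return {"pyOwner": owner_id, "SecurityQuestion": question, "SecurityAnswer": answer}


def read_person(op: Operator, person: dict) -> dict:
    """PropertyRead policy: copy of the record, sensitive values masked unless a condition matches."""
    if sensitive_access_granted(op, person):
        return dict(person)
    return {k: (MASK if k in SENSITIVE else v) for k, v in person.items()}


def update_sensitive(op: Operator, person: dict, prop: str, value: str) -> bool:
    """Update policy: a sensitive property changes only when a condition grants access."""
    if prop in SENSITIVE and not sensitive_access_granted(op, person):
        return False
    person[prop] = value
    return True
```

The case worker who creates the record is not its owner and holds no Manager role, so the same values they entered come back masked on every later read.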
Implementing attribute-based access control
To implement this example, two Access Control Policy rules were created:
To allow the grant of custom permissions, two Access Control Policy Condition rules were created: