Limiting the visibility of sensitive data items through attribute-based access control (ABAC)

From PegaWiki
Implementing attribute-based access control (ABAC) / This is the approved revision of this page, as well as being the most recent.
Jump to navigation Jump to search

Limiting the visibility of sensitive data items through attribute-based access control (ABAC)

Description Learn how to limit the visibility of sensitive data items through attribute-based access control (ABAC), based on a set of examples.
Version as of 8.5
Application Pega Government Platform
Capability/Industry Area Public Sector



What is attribute-based access control?[edit]

Attribute-based access control (ABAC) and role-based access control (RBAC) are two ways of controlling the authentication process and authorizing users. The difference between ABAC and RBAC is that ABAC provides access rights based on user, environment, or resource attributes, for example, a data page on the clipboard, while RBAC provides access to resources or information based on user roles, such as an Access Role or Access Role to Object rule. Essentially, RBAC controls broad access across an organization, while ABAC takes a fine-grain approach.

Pega Platform provides rules that you can use to implement access control by using values of attributes that are present on the clipboard:

  • Access Control Policy
  • Access Control Policy Condition
  • Access When

Use case examples[edit]

Use the ABAC security feature in Pega Platform to mask sensitive data, such as personally identifiable information (PII), so that any unauthorized users cannot see it.

In the following examples, the ABAC Access Control Policy rule is used to mask sensitive data that is stored in Tax ID, Security question and Security answer properties of an instance of a Person data entity so that an unauthorized user cannot see the property values:

  • A non-administrative end user can add, view, and update the Person entity instances that they own, but they cannot view sensitive data of instances they do not own.
  • An administrative end user, such as an operator with the manager access role, can add, view, and update all the sensitive data of any Person entity instances.
  • A general case worker can add a new Person entity instances and enter the Tax ID, Security question, and Security answer values, but they cannot view or update the sensitive data properties after adding the entity.
Properties displayed on a form under an ABAC masking policy
ABAC masking policy applied on a form
Properties displayed on a report under an ABAC masking policy
ABAC masking policy on a report

Implementing attribute-based access control[edit]

To implement this example, two Access Control Policy rules were created:

  • PropRead .TaxID
  • PropRead .QuestionAndAnswers

To allow the grant of custom permissions, two Access Control Policy Condition rules were created

  • ViewTaxID
  • ViewQuestionAndAnswers

Access Control Policy: PropRead TaxID[edit]

PropRead TaxID Access Control Policy
TaxID Access Control Policy configuration

Access Control Policy Condition: ViewTaxID[edit]

ViewTaxID Access Control Policy Condition
ViewTaxID Access Control Policy Condition configuration

Access Control Policy: PropRead QuestionAndAnswers[edit]

QuestionAndAnswers Access Control Policy
QuestionAndAnswers Access Control Policy configuration

Access Control Policy: ViewQuestionAndAnswers[edit]

ViewQuestionAndAnswers Access Control Policy Condition
ViewQuestionAndAnswers Access Control Policy Condition configuration