Constellation: How to Toggle a Hidden “Balance” Column in a Straight‑Through Case and Log an Audit Entry When User Reveals It

We have a Pega(v24.2) Constellation application with a straight‑through case type where end users do not have perform access. In the case’s Full Page view (Details tab), we display a list of products and their balances.

Requirement:

• The Balance column should be hidden by default.
• When the user clicks a “Show Balance” toggle (button/checkbox/radio), the balance column or its values should become visible.
• When a user reveals the balance, the system must write an audit entry indicating that the user viewed sensitive balance information for that case.

Looking for the recommended Constellation‑best‑practice approach to Conditionally show/hide a table column or mask/unmask cell values.

Any guidance or patterns for implementing this securely, efficiently, and in a guardrail‑compliant way would be appreciated.

Designer.jpg1536×1024 92.1 KB

@Mohan Rao Alladithis is a fantastic question. I know @Kamil Janeczek would say this is a perfect example of uncovering the xy problem.

Security via Obscurity?

Your scenario suggests that there is some sort of security here? You should note that hiding values will not stop them being accessed. You might need to consider masking the values of sensitive properties. Especially considering tables can add additional columns and Insights will allow reporting on all fields in that class.

Outcome in Constellation

The business outcome is the ability to see balances and then you have a secondary outcome of auditing who has viewed these balances.

Let’s start with seeing the balances.

1. Action -
   1. The action to see the balance can be configured using a optional case action, Item 3 in image
   2. The User Experience can be further improved by configuring this as promoted action, to make it more prominent at this stage. Item 1 in image
      1. 

         promoted action.png648×399 27.7 KB
2. Showing balance - from there, you have two options in my mind:
   1. Show the balance in the action that is launched.
   2. Use this action to change case data that can be used as a visibility condition to show a new view with the balances (it will look like column was added to user) and/or unmask sensitive data

Variation using read only case tab

1. There is a way to display complex information on case tabs, however, there is no action here, only copying data into the case. So the out of the box mechanisms for processing pre or post action would not be able to be used here. You might be able to figure out a way to do field level auditing on this field, and get it done that way but I am not confident.

Additional Thought: You will want to test this feature out. Depending how you implemented that list of products, additional columns can be manually added to the list (so you’ll want to turn that off).

A lot of detail, hopefully that helps with your thought process. For the rest of the community, please add your experiences here, what else have you done or how would you approach it?

@Mohan Rao Alladiif this should be “a security” feature worth considering ABAC for the job and its property masking.

This was the first option I considered. However, the issue is that since the case is an STP process, we do not provide users with Perform access. We have many read‑only users who only need to view the balance, and their view actions must be audited in an external system.

Even if we were to grant them Perform access, Pega would still write case audit entries, despite the fact that they are not performing any actual work on the case. They are simply viewing the balance. This would lead to unnecessary audit records being created in the case, which has cost implications. Additionally, the business has explicitly instructed that the “view balance” action should not be recorded in the Pega audit.

Yes, this is primarily a security requirement, and ABAC is an appropriate approach to control the visibility and masking of the balance field. However, in our use case, the access attribute cannot be static. We need to set the attribute dynamically only when the user explicitly chooses to view the balance such as by clicking a button or selecting a checkbox.

When the user triggers this action, we can set an ABAC attribute (for example, ViewBalanceAllowed = true) at the requestor/session level or on a dedicated context page, which temporarily lifts the masking applied by ABAC.

This attribute must then be reset automatically when the user navigates away or returns to the case, ensuring the balance is masked by default on every load.

Additionally, when the user views the balance, we must send an audit event to the external system. This gives us visibility into who viewed the data without writing anything into the Pega case audit—aligning with the business requirement that “view balance” must not appear in Pega’s audit trail.

Hello @Mohan_Rao_Alladi

Interestingly, we encountered a very similar requirement during a recent POC, and after few days of architectural brainstorming we arrived at an approach based on one key design question:

Why should masking/unmasking be handled inside the case context when it can be handled entirely at the UI layer?

This led us to a hybrid pattern combining Access Control Policy for security enforcement and a custom Constellation component for runtime reveal behavior.

However, we are still evaluating other approaches as well in parallel.

Design Approach

1. Security Enforcement via Access Control Policy

First, we identified all fields that must be masked for a given case type and implemented an Access Control Policy that conditionally masks them (fully or partially). This ensures:

• Security is always enforced server-side
• Masking is the default state
• Data remains protected regardless of UI behavior

2. Config-Driven Field Registry

Instead of hardcoding logic, we created a data type that defines which fields participate in masking/unmasking:

This makes the solution fully configurable and future-proof — adding/removing fields requires only data changes, not component updates.

3. Custom Toggle Component (Field → Boolean)

We built a reusable custom field component that renders a toggle button.

Behavior:

When user clicks toggle ON:

• Invoke a parameterized data page with Case ID
• Data page retrieves masking configuration
• Filters only entries where IsMasked = true
• Fetches actual values directly from DB using the case data page

We intentionally fetch from DB because client APIs (like pConn.getValue()) still respect Access Control Policies and return masked values.

4. DOM Replacement Mechanism

The component then:

• Iterates through returned field list
• Locates elements via data-testidin
  elements
• Replaces masked text (***) with actual values

image686×188 28.9 KB

When toggle is turned OFF:

• Values revert to masked state using cached data
• No additional server call required

5. Stateless Security Behavior

On refresh or re-open:

• Access Control Policy automatically re-applies masking
• Toggle defaults to OFF
• No cleanup logic required
• No session flags needed

6. Role-Based Visibility

The toggle component itself is conditionally rendered based on access roles:

• Authorized users → see toggle + can reveal
• Unauthorized users → always see masked values

Why This Works Well

This pattern satisfies all stated requirements:

• No Perform access required
• No case audit entries created
• Masked by default on every load
• Explicit user action required to reveal
• Fully secure and server-enforced
• No unnecessary UI refreshes
• Configurable and scalable

External Audit Logging

For audit requirements:

• Trigger an asynchronous REST call from the toggle action
• Send case ID, operator ID, timestamp
• Log externally (SIEM / audit service)

Since this action never updates case data, it avoids generating Pega audit records while still meeting compliance visibility needs.

Additional Considerations / Recommendations

To make this enterprise-grade and guardrail-friendly:

1. Throttle or debounce toggle calls
Prevent repeated rapid toggles from spamming audit logs.

2. Mask at API level as well
Ensure that APIs returning case data also respect the same Access Control Policy so data cannot be retrieved unmasked through alternate channels.

3. Avoid storing revealed values client-side long-term
Keep values only in component state and clear on unmount.

4. Add optional timeout auto-re-mask
For high-security environments, re-mask after inactivity.

5. Document field registry ownership
So business teams know where masking fields are configured.

Architectural Principle Behind This Pattern

Security enforcement belongs on the server. Visibility behavior belongs on the client.

Area that is slightly Non-Standard (But may be acceptable with justification)

If i look back at the solution below is one point which is not completely aligning with the standard guardrails.

DOM manipulation using data-testid

This is the only part that is not a typical Constellation pattern, because:

• Constellation is metadata-driven
• Direct DOM manipulation is technically outside rule model

However, it can be justified because:

We are not altering structure
We are not injecting logic into layout rules
We are only swapping rendered values
No server state is affected

In architecture review language, this is:

A controlled client-side enhancement layered over standard rendering.

This is acceptable when:

• No OOTB extension point exists
• Security is still server-enforced
• Solution is documented

A short design note on the above implementation documentation:

This solution uses client-side rendering substitution to reveal values that are already authorized and retrieved via governed data pages. No security logic resides in the UI. Access control remains fully enforced server-side.

The above single paragraph can protect this solution during:

• guardrail reviews
• upgrade assessments
• architecture boards
• compliance audits

Below is the Implementation in action.

Appreciate thoughts, feelings and any other alternatives from our community members.

Regards

JC