Embedded data and security in Pega constellation

A small but important learning about Access Control Policies and Embedded Data.
While working on my Investment Advisory learning application, I wanted to implement data masking for sensitive client information.
In financial applications, fields like:
• Client ID
• Client Name
• Email Address
often require restricted visibility depending on user roles.
So I explored Property-level Access Control Policies (ABAC) in Pega.

Step 1 — My initial approach
I created an Access Control Policy on the case class:
MyOrg-Investment-Work-AssessClientRiskProfile
and added the following properties to be masked:
.ClientName
.ClientID
.EmailList().Email
The idea was simple:
If the user does not have permission, these fields should be fully masked.

Step 2 — What worked
The masking worked perfectly for:
• Client Name
• Client ID
Both fields were masked as expected in the UI.


Step 3 — The interesting issue
However, the Email field was not getting masked.
Even though I added:
.EmailList().Email
in the same Access Control Policy, the UI was still showing the actual email value.
This made me dig deeper into how ABAC works with embedded data.

Step 4 — Root cause
The Email field was stored inside an embedded data object:

Which means the property actually belongs to the embedded data class:
MyOrg-Investment-Data-ClientProfile
And not directly to the work class.

Step 5 — The solution
Instead of controlling everything from a single Access Control Policy, I had to create two separate policies:
Policy 1 – Work Class
Class:
MyOrg-Investment-Work-AssessClientRiskProfile
Properties masked:
.ClientName .ClientID
Policy 2 – Embedded Data Class
Class:
MyOrg-Investment-Data-ClientProfile
Property masked:
.Email

Step 6 — Final Result
After separating the policies based on class ownership, the email field was successfully masked.


My Learning:
When dealing with embedded data structures in Pega, Access Control Policies must be applied at the class where the property actually belongs.
You cannot always control embedded properties from the parent work class policy.
Instead:
• Work class → mask work properties
• Data class → mask embedded data properties
Every small experiment like this adds one more piece to the puzzle of understanding how Pega really works.

Sharing the learning from my experiment. Hope it helps 🙂

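Added example (not part of the original post and not Pega's own policy engine): a small Python model of property-level access control in which each policy is keyed by the class that owns the property. It reproduces the behaviour the post describes: a policy on the work class does not reach a property that lives on an embedded data class, while a second policy on that data class does. The class and property names are the ones from the post; the case data, the `PegaObject` type and the two policy dictionaries are constructed for the example.

```python
# Added example: toy model of class-owned ABAC masking. NOT Pega code; it only
# mirrors the behaviour described in the post, where a policy on the work class
# does not mask a property that belongs to an embedded data class.
from dataclasses import dataclass

MASK = "********"


@dataclass
class PegaObject:
    """Constructed stand-in for a clipboard page: class name plus properties."""
    clazz: str
    props: dict


def build_case():
    """Constructed sample case with an embedded ClientProfile page list."""
    profile = PegaObject(
        "MyOrg-Investment-Data-ClientProfile",
        {"Email": "alice@example.com"},   # constructed sample value
    )
    return PegaObject(
        "MyOrg-Investment-Work-AssessClientRiskProfile",
        {"ClientName": "Alice", "ClientID": "C-1001", "EmailList": [profile]},
    )


# Policies are keyed by class; the value is the set of property names masked
# on that class for a user without permission.
INITIAL_POLICIES = {
    # Step 1 of the post: everything on the work class, including the dotted path
    "MyOrg-Investment-Work-AssessClientRiskProfile": {
        "ClientName", "ClientID", "EmailList().Email"},
}

FIXED_POLICIES = {
    # Step 5 of the post: one policy per owning class
    "MyOrg-Investment-Work-AssessClientRiskProfile": {"ClientName", "ClientID"},
    "MyOrg-Investment-Data-ClientProfile": {"Email"},
}


def masked_view(obj, policies, has_permission=False):
    """Render obj as a user would see it.

    Masking is decided per object using the policy of that object's OWN class,
    so an embedded page is checked against the embedded class's policy, never
    the parent's. The dotted "EmailList().Email" entry on the work class
    therefore never matches anything.
    """
    masked = set() if has_permission else policies.get(obj.clazz, set())
    view = {}
    for name, value in obj.props.items():
        if isinstance(value, PegaObject):
            view[name] = masked_view(value, policies, has_permission)
        elif isinstance(value, list):
            view[name] = [
                masked_view(v, policies, has_permission) if isinstance(v, PegaObject) else v
                for v in value
            ]
        elif name in masked:
            view[name] = MASK
        else:
            view[name] = value
    return view


def email_visible(policies):
    """True if the embedded Email survives masking for a user without permission."""
    view = masked_view(build_case(), policies)
    return view["EmailList"][0]["Email"] != MASK


if __name__ == "__main__":
    print("initial policies:", masked_view(build_case(), INITIAL_POLICIES))
    print("fixed policies:  ", masked_view(build_case(), FIXED_POLICIES))
```

Running the block prints both views: with the single work-class policy the name and ID are masked but the embedded email leaks through, exactly as in Step 3; with the two class-specific policies the email is masked as well. The check worth keeping from this model is the one in `masked_view`: when reviewing a masking rule, confirm it is attached to the class that declares the property, not to the class that merely references it.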