Mask data using Attribute-Based Access Control (ABAC)

User Experience Knowledge Share
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
1

This article shows step-by-step of how to mask sensitive data such as PII (Personal Identifiable Information) in Pega application using Attribute-Based Access Control (ABAC) security model in Pega Platform. (For how to encrypt data using ABAC, read this article.)

===

Configurations

Step 1 - Optimize SSN property in the work class; i.e. expose the column in the DB table.

Step 2 - Create an Access Control Policy rule in the work class with Action=PropertyRead.

1.png
1.png901×645 39.2 KB

Step 3 - Create Access Control Policy Condition rule.

2.png
2.png936×459 67.5 KB

Step 4 - Create Access When rule.

a. Only [email protected] Operator ID can see the SSN value, which will be masked for other Operator IDs.

3.png
3.png904×242 17 KB

Step 5 - Run and verify the result.

a. Result 1 (UI)

When [email protected] opens the case, it’s masked.

4.png
4.png936×186 34.6 KB

Only [email protected] is permitted to see as configured in the access when rule.

5.png
5.png936×307 58.1 KB

b. Result 2 (data type table)

View from [email protected] (masked):

6.png
6.png610×441 75.4 KB

View from will.cho@pega (unmasked):

7.png
7.png618×460 61.2 KB

c. Result 3 (report definition)

View from [email protected] (masked):

8.png
8.png937×310 45.6 KB

View from [email protected] (unmasked):

9.png
9.png936×309 46.8 KB

= = =

In addition, the access control policy (Action=PropertyRead) works for an embedded property.

The following Table layout is sourced from pyWorkPage.MyList() pagelist property.

10.png
10.png936×428 60.1 KB

Here is the pagelist property definition.

11.png
11.png936×522 157 KB

The following access control policy rule is created in the data class used as a definition of the pagelist. We added .Name property for masking.

12.png
12.png771×545 31.6 KB

Please leave any question or feedback.

===

Other reference - How to “encrypt” sensitive data using Attribute-Based Access Control (ABAC) in Pega

2

@Will Cho This article you’ve published is really helpful, thanks for that. Is there a way to mask the info using a custom Restriction Method for text rather than the three options Pega gives us (full maks, first ‘N’, last ‘N’)? For example, something like this:

NNNNNN******NNNN

3

@david.guzmana@cognizant Thanks for your question. That is an interesting requirement. I don’t think I have seen that in my past projects. To my knowledge, in OOTB, Pega can only do one of the three options available.

4

@Will ChoThanks for the article.

Below scenarios did not work well with masking, with the above set up:

  1. When a Dpage source is used as look up for the data class on which the ACP is configured
  2. When a Dpage source is a load activity which in turn invokes a Data set to fetch the results from the data class
  3. When a data set which is configured on the same data class is run stand-alone

Would be interested to know if you have faced these situations and how you have handled it. Thank you

5

@sangs1 i haven’t tried the pattern using Dpage.