Question
Roche Pharma
IN
Last activity: 18 May 2020 3:23 EDT
ABAC READ Policy
Hello,
I am working on Pega 8.3.2 version. I am facing a very strange issue with an Attribute based control policy rule (ABAC).
I have one parent FW data config concrete class, Org-FW-App-Data-Config, where I have defined the InstanceID property. Under this config class I have around 25+ child classes, for example Org-FW-App-Data-Config-A, Org-FW-App-Data-Config-B and so on. All data types are delegated to country-specific support users.
The InstanceID property (defined in the parent config data class) is used by the child classes to define their country-specific data, and each country can see the data specific to their country. For example, if I am from the US then only US-related data instances should be visible in this delegated table; if I'm from the UK then UK data instances should be visible, and so on.
I am trying to achieve this with an ABAC READ policy on Org-Div-App-Data-Config to avoid creating policies on the child classes.
Problem:
The policy works fine with a SINGLE filter condition in the Access control policy condition. But I need more than one condition in the logic: I would like to grant full access for Super Admin users to see all country data. I created an Access When rule to check whether the access group is Admin or not, but when I REFERRED to the additional Access When rule, ALL report definitions started throwing the error below.
Error:
An error occured on generating the query for the report definition - null
But when I keep only one filter in the policy rule, the RD works fine, but this does not satisfy my requirement to allow full READ access to Super Admin for all 25+ data classes.
I have attached images.
Please share your thoughts. Is there something I am missing here? Thanks.
***Edited by Moderator: Pallavi to change content type from Discussion to Question***
***Edited by Moderator Marissa to update Product and Version; update Platform Capability Tags***