Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Srinivas Saddi (SrinivasS1572)
Capgemini
Tech Lead
Capgemini
US
SrinivasS1572 Member since 2014 7 posts
Capgemini
Posted: Nov 30, 2019
Last activity: Dec 2, 2019
Posted: 30 Nov 2019 23:56 EST
Last activity: 2 Dec 2019 15:20 EST
Closed
Solved

Clarification on Case Create security restriction using ABAC

Hello PDN Team, I have following use case, Please review and and your comments.

Use case : How to provide Case create access for only set of users using ABAC (Attribute based access control).

To implement this, I Created a Access When (Ex. To check AcessGroupA) , Access control Policy condition and Access Control policy (Selected Action = Update as there is no action for create).

When a user doesn't belongs to AccessGroupA and try to create the case an error message getting displayed something like below.

Access Control Policy denied access for class ABC-Work-Task and action Modify.
You are not authorized to create, modify, or lock instance ABC-Work-Task T-13

Here case is already getting created but user unable to move forward. I would expect object itself not created.

We can implement this requirement using RBAC by adding privilege on pyStartCase however i am interested to know if we can implement the same using ABAC without creating case itself.

I am not sure if i am doing some misconfiguration.

Thanks

To see attachments, please log in.
Security

Accepted Solution

Posted: 5 years ago
Updated: 5 years ago
Posted: 2 Dec 2019 15:11 EST
Updated: 2 Dec 2019 15:12 EST
Srinivas Saddi (SrinivasS1572)
Capgemini
Tech Lead
Capgemini
US

Hi Brad,

thanks for your time in reviewing and providing comments. I agree For Case creation scenario RBAC make sense. 

Pega Help documentation while creating Access Control policy,  has below statement for Action selection, which is confusing. For create case scenario, ABAC won't work.

Action :

Update - The user can create a case that meets the policy conditions or update data for such a case.

Help link :

https://community.pega.com/sites/default/files/help_v73/procomhelpmain.htm#security/ABAC/sec-create-ACP-tsk.htm%3FTocPath%3DSecurity%7CAttribute-based%2520access%2520control%7C_____9

thanks,Srini

To see attachments, please log in.
Posted: 5 years ago
Posted: 2 Dec 2019 14:29 EST
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US


Hi Srinivas,

It seems the role based access control fits better in this scenario with using a privilege to prevent creation of the work object.  If you wanted to prevent access to the works objects based on some attribute in the work / data, this might be better suited with ABAC.  See https://community.pega.com/knowledgebase/articles/security/authorization-models-pega-platform for more info.

To see attachments, please log in.

Accepted Solution

Posted: 5 years ago
Updated: 5 years ago
Posted: 2 Dec 2019 15:11 EST
Updated: 2 Dec 2019 15:12 EST
Srinivas Saddi (SrinivasS1572)
Capgemini
Tech Lead
Capgemini
US

Hi Brad,

thanks for your time in reviewing and providing comments. I agree For Case creation scenario RBAC make sense. 

Pega Help documentation while creating Access Control policy,  has below statement for Action selection, which is confusing. For create case scenario, ABAC won't work.

Action :

Update - The user can create a case that meets the policy conditions or update data for such a case.

Help link :

https://community.pega.com/sites/default/files/help_v73/procomhelpmain.htm#security/ABAC/sec-create-ACP-tsk.htm%3FTocPath%3DSecurity%7CAttribute-based%2520access%2520control%7C_____9

thanks,Srini

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice