Question

Clarification on Case Create security restriction using ABAC

Hello PDN Team, I have the following use case. Please review and add your comments.

Use case: How to provide case create access to only a set of users using ABAC (attribute-based access control).

To implement this, I created an Access When (e.g. to check AccessGroupA), an Access Control Policy Condition and an Access Control Policy (selected Action = Update, as there is no action for create).

When a user doesn't belong to AccessGroupA and tries to create the case, an error message is displayed, something like below.

Access Control Policy denied access for class ABC-Work-Task and action Modify.
You are not authorized to create, modify, or lock instance ABC-Work-Task T-13

Here the case is already getting created, but the user is unable to move forward. I would expect the object itself not to be created.

We can implement this requirement using RBAC by adding a privilege on pyStartCase; however, I am interested to know if we can implement the same using ABAC without creating the case itself.

I am not sure if I am doing some misconfiguration.

Thanks
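The behaviour described in the question comes down to where each control is enforced: a privilege on pyStartCase is checked before any work object exists, whereas an Update access control policy is evaluated against an instance, so the instance has to exist (and be persisted) before the denial can fire. The following toy model, added here as an illustration and not Pega code, makes that ordering visible. The `CaseStore`, `rbac_create_case`, `abac_create_case` and `in_access_group_a` names are hypothetical; only `pyStartCase`, `AccessGroupA` and the `ABC-Work-Task` class come from the question.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class User:
    name: str
    access_groups: Set[str] = field(default_factory=set)
    privileges: Set[str] = field(default_factory=set)


@dataclass
class Case:
    case_id: str
    case_class: str
    data: Dict[str, str]


class AccessDenied(Exception):
    """Raised when an enforcement point refuses the operation."""


class CaseStore:
    """Toy persistence layer standing in for the database behind the case class (hypothetical)."""

    def __init__(self) -> None:
        self.instances: Dict[str, Case] = {}
        self._counter = 0

    def persist(self, case_class: str, data: Dict[str, str]) -> Case:
        self._counter += 1
        case = Case(f"T-{self._counter}", case_class, dict(data))
        self.instances[case.case_id] = case
        return case


def rbac_create_case(user: User, store: CaseStore, case_class: str, data: Dict[str, str]) -> Case:
    """RBAC path: the pyStartCase privilege is checked before any object exists."""
    if "pyStartCase" not in user.privileges:
        raise AccessDenied(f"{user.name} lacks pyStartCase on {case_class}")
    return store.persist(case_class, data)


# An Update policy needs an instance to evaluate against (user attributes + case data).
UpdatePolicy = Callable[[User, Case], bool]


def abac_create_case(user: User, store: CaseStore, case_class: str,
                     data: Dict[str, str], policy: UpdatePolicy) -> Case:
    """ABAC 'Update' path: the case is persisted first, the denial is raised on the Modify."""
    case = store.persist(case_class, data)  # the object already exists at this point
    if not policy(user, case):
        raise AccessDenied(
            f"Access Control Policy denied access for class {case_class} and action Modify "
            f"({case.case_id} was still created)"
        )
    return case


def in_access_group_a(user: User, case: Case) -> bool:
    """Models the Access When from the question: is the user in AccessGroupA?"""
    return "AccessGroupA" in user.access_groups


def compare_enforcement_points(user: User) -> Dict[str, int]:
    """Run the same create attempt through both paths and count what each store is left with."""
    attempts = {
        "rbac": lambda s: rbac_create_case(user, s, "ABC-Work-Task", {"owner": user.name}),
        "abac": lambda s: abac_create_case(user, s, "ABC-Work-Task", {"owner": user.name},
                                           in_access_group_a),
    }
    results: Dict[str, int] = {}
    for label, attempt in attempts.items():
        store = CaseStore()
        try:
            attempt(store)
        except AccessDenied:
            pass  # the denial is what the question observes; what matters is the store contents
        results[label] = len(store.instances)
    return results


if __name__ == "__main__":
    outsider = User("outsider")  # constructed user: not in AccessGroupA, no pyStartCase
    print(compare_enforcement_points(outsider))  # {'rbac': 0, 'abac': 1}
```

For the outsider, the RBAC path leaves the store empty while the ABAC path leaves an orphaned `T-1` behind, which is exactly the partially created case the question reports; the difference is the enforcement point, not a misconfiguration of the policy.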

Correct Answer
December 2, 2019 - 3:11pm

Hi Brad,

thanks for your time in reviewing and providing comments. I agree that for the case creation scenario RBAC makes sense.

The Pega Help documentation for creating an Access Control Policy has the below statement for Action selection, which is confusing. For the create case scenario, ABAC won't work.

Action :

Update - The user can create a case that meets the policy conditions or update data for such a case.

Help link :

https://community.pega.com/sites/default/files/help_v73/procomhelpmain.htm#security/ABAC/sec-create-ACP-tsk.htm%3FTocPath%3DSecurity%7CAttribute-based%2520access%2520control%7C_____9

thanks, Srini

Comments

December 2, 2019 - 2:29pm

Hi Srinivas,

It seems role-based access control fits better in this scenario, using a privilege to prevent creation of the work object. If you wanted to prevent access to the work objects based on some attribute in the work / data, this might be better suited to ABAC. See https://community.pega.com/knowledgebase/articles/security/authorization-models-pega-platform for more info.
