Creating an access control policy

In the Access Control Policy rule form, you define a policy that grants access to an object by evaluating selected conditions. For each rule, you can set one level of access, such as read, update, or delete, and the condition that defines whether the access is granted.

  • You must configure your system to support attribute-based access control (ABAC). For more information, see Enabling attribute-based access control.
  • You must have the pzCanManageSecurityPolicies privilege.
Note: You can create access control policies only for Work-, Data-, and Assign- classes.
  1. Click Records > Security > Access Control Policy, and then click +Create.
  2. In the Label field, enter the policy name.
  3. In the Action list, select the action.
    • Read – The user can open a case that meets the policy conditions or view data for the case in lists, reports, searches, and so on.
    • Update – The user can create a case that meets the policy conditions or update data for such a case.
    • Discover – The user can see limited information (defined by a developer) about a case that does not meet Read policy conditions, but does satisfy the Discover policy conditions.
    • Delete – The user can delete a case that meets the policy conditions.
    • PropertyRead – The user has restricted visibility to property values, including property values with read and update access.
    • PropertyEncrypt – The property is encrypted in the database, clipboard, logs, and search indexes. If no PropertyRead policy obfuscates the property, then the decrypted property value is visible to the user in a UI control. In report definitions, the property can be displayed in report results and can also be referenced on the left side of filter conditions that use the Is equal and Is not equal operators. It cannot otherwise be referenced in report definitions (for example, to sort, rank, or group results in SQL functions, and so forth).
      Note: Properties specified in this type of policy are encrypted unconditionally. Access control policy conditions are not used for PropertyEncrypt.
  4. In the Context section, in the Apply to field, enter a class.
  5. In the Add to ruleset field, select a ruleset.
  6. Click Create and open.
  7. On the Definition tab, select the Disallow creation of a policy with the same name as a descendant class check box to prevent overriding the policy in a descendant class.
  8. If the action is not PropertyEncrypt, in the Permit access if field, enter the access control policy condition rule name.
  9. If the action is PropertyRead or PropertyEncrypt, complete the following steps:
    • Click Add property and select a property name that exists on the case type target.
    • If the action is PropertyRead, specify the masking method (Full Mask, Mask all but last 'N', or Mask all but first 'N').
  10. Click Save.
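
The following Python sketch is an added example, not Pega code or part of the original page. It models how the Read, Discover, and PropertyRead actions described above combine for one case. Assumptions: conditions are plain functions, `*` is the mask character, masked output keeps the original length, and all sample names and values are constructed.

```python
from dataclasses import dataclass
from typing import Callable

Condition = Callable[[dict, dict], bool]  # (user attributes, case data) -> permit?

def mask(value: str, method: str, n: int = 0) -> str:
    """Masking methods from step 9; '*' and same-length output are assumptions."""
    n = max(0, min(n, len(value)))
    if method == "Full Mask":
        return "*" * len(value)
    if method == "Mask all but last 'N'":
        return "*" * (len(value) - n) + value[len(value) - n:]
    if method == "Mask all but first 'N'":
        return value[:n] + "*" * (len(value) - n)
    raise ValueError(f"unknown masking method: {method}")

@dataclass
class PropertyRead:
    prop: str
    permit_if: Condition
    method: str
    n: int = 0

def view_case(user, case, read_if, discover_if, discover_props, prop_policies):
    """Return (level, visible data): Read first, then Discover, then masking."""
    if read_if(user, case):
        level, visible = "Read", dict(case)
    elif discover_if(user, case):
        level, visible = "Discover", {p: case[p] for p in discover_props if p in case}
    else:
        return "None", {}
    for pol in prop_policies:
        # The value stays clear only when the PropertyRead condition permits it.
        if pol.prop in visible and not pol.permit_if(user, case):
            visible[pol.prop] = mask(str(visible[pol.prop]), pol.method, pol.n)
    return level, visible

# Constructed sample data and conditions (hypothetical names and values).
CASE = {"ID": "C-1001", "Region": "EU", "Status": "Open", "SSN": "123-45-6789"}
same_region = lambda u, c: u.get("Region") == c.get("Region")
is_auditor = lambda u, c: u.get("Role") == "Auditor"
cleared = lambda u, c: u.get("Clearance", 0) >= 3
SSN_POLICY = [PropertyRead("SSN", cleared, "Mask all but last 'N'", 4)]

def demo(user):
    return view_case(user, CASE, same_region, is_auditor, ["ID", "Status"], SSN_POLICY)

if __name__ == "__main__":
    print(demo({"Region": "EU", "Clearance": 1}))
```

PropertyEncrypt is left out of the model because, as the note in step 3 states, it applies unconditionally and does not evaluate a policy condition.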