Posted: 25 Sep 2018 13:39 EDT Last activity: 22 Oct 2018 19:59 EDT
Is there a way to apply ABAC on a combination of Data table and Work objects
We have a requirement in which one operator can be associated with multiple financial codes, say f001, f002, f003, ...
With the current data model, our work objects, say W-1, have a page list property, say eventList, which has an embedded page subEventList. Each subevent is associated with a financial code (f001, f002, ...).
There are a few report definitions we have created at the Work type level. The customer is expected to see the work objects which contain only financial codes which match under the work objects referred by event --> subevent --> financial code.
You said "only see" so I am assuming you want to define a Read Access Policy for the applies-to class associated to "W-" case types.
What you are describing sounds somewhat like assignment skill-matching but the other way around, plus the restriction is that the eventList may not contain a code NOT IN the Operator's financial code list.
When defining an Attribute Policy Condition (APC), yes, you must name at least one property associated to the case, but you are free to use any property that easily allows you to define a pair of expressions, one always-true, the other always-false. For example:
A = pxObjClass is not null (always true), B = pxObjClass is null (always false)
You then need to solve your problem using the Conditional Access portion of the APC at the top.
Each Conditional Access Condition is an Access When rule. Within the Access When rule you are free to reference Data Pages listed in the Pages & Classes tab.
You have an .EventList where each page has a .SubEventList, which is more complex. Let's keep it simple for now and assume that each event page contains a financial code.
A Data Page can invoke a Report Definition that joins the applies-to class for W- to a Declare Index defined against the .eventList. A Report Definition can be filtered in multiple ways. One way is to compare a column against a ValueList.
Convert the Operator's set of financial codes to a ValueList named "financialCodes", then apply the following filter condition:
EVENT.financialCode Is not equal OperatorID.financialCodes
where EVENT is the alias you associated to the Declare Index join for .eventList.
You want the Report Definition to return a COUNT. The Access When rule would return true when COUNT = 0. That Access When rule would be associated to Policy Condition "A" (always true), meaning access should be allowed since the .eventList did not contain a code not in the Operator's financialCodes ValueList.
But in your situation you have a list within a list. Try defining a Declare Index against .eventList().subEventList(). If you have M events, where each event has N subEvents, the Declare Index will generate MxN rows. After aliasing your Declare Index join as "SUBEVENT", your filter condition would be:
SUBEVENT.financialCode Is not equal OperatorID.financialCodes
Attributes are unique security markings, which are assigned to objects and operators. Each attribute has a value associated with it, which means that a user must possess an attribute value to access an object.
Attribute types suggest how to compare the attribute values between the user and the object that the user is requesting access to, and to determine whether to grant access to the object.
These main data types represent an attribute value in the Pega 7 Platform:
Single string value - A simple string equality comparison is made to determine if the subject has access to the object.
A list of string values - A multi-value data type represented by a comma-separated noun string. The subject must have either all of the object's attribute values (All Of) or one of the attribute values (One Of).
Numerical value - This attribute type is internally represented by an integer. A simple numeric comparison is made to determine if the subject has access to the object.
One Of and All Of conditions
The One Of condition and the All Of condition specify how to compare the multi-value attributes between the user and the object that the user requests, to determine whether to grant access. You can create attributes on cases to determine who is authorized to access the case.
One Of condition - Requires one of the values in the object's property to match the subject's property.
For example, if a case has an attribute value "Red,Green", then the user with the attribute value "Red" or "Red,Yellow" is granted access. If the user has the attribute value "Purple,Brown", then access is denied. The order of the values is irrelevant.
All Of condition - Requires all values in the object's property to match the subject's property. The subject can have more, but not fewer values.
For example, if a case has an attribute value "Red,Green", then the user with the attribute value "Red,Green" or "Red,Green,Yellow" is granted access. If the user has the attribute value "Red,Blue", access is denied.
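As an added example (not Pega code, and not part of either reply above), the Python below models the two checks this thread describes: the One Of / All Of comparison of comma-separated attribute values, and the earlier reply's Declare Index plus Report Definition approach, where the Access When rule grants read access only when the COUNT of subevent financial codes outside the Operator's financialCodes ValueList is zero. The W-1 case structure and operator code sets are constructed sample data.

```python
def parse_value_list(raw: str) -> set[str]:
    """A Pega multi-value attribute is a comma-separated string; order is irrelevant."""
    return {v.strip() for v in raw.split(",") if v.strip()}


def one_of(object_attr: str, subject_attr: str) -> bool:
    """One Of: at least one of the object's values is present on the subject."""
    return bool(parse_value_list(object_attr) & parse_value_list(subject_attr))


def all_of(object_attr: str, subject_attr: str) -> bool:
    """All Of: every object value is present on the subject (subject may have more)."""
    return parse_value_list(object_attr) <= parse_value_list(subject_attr)


# Constructed sample case W-1: eventList -> subEventList -> financialCode.
case_w1 = {
    "eventList": [
        {"subEventList": [{"financialCode": "f001"}, {"financialCode": "f002"}]},
        {"subEventList": [{"financialCode": "f003"}]},
    ]
}


def declare_index_rows(case: dict) -> list[str]:
    """Flatten .eventList().subEventList() the way a Declare Index would: M x N rows."""
    return [s["financialCode"] for e in case["eventList"] for s in e["subEventList"]]


def count_codes_not_in(case: dict, operator_codes: set[str]) -> int:
    """Report Definition equivalent: COUNT of rows where
    SUBEVENT.financialCode is not equal to any OperatorID.financialCodes value."""
    return sum(1 for code in declare_index_rows(case) if code not in operator_codes)


def read_access_allowed(case: dict, operator_codes: set[str]) -> bool:
    """Access When rule: true when COUNT = 0, so the always-true policy
    condition 'A' applies and the operator may read the case."""
    return count_codes_not_in(case, operator_codes) == 0


if __name__ == "__main__":
    print(one_of("Red,Green", "Red,Yellow"), all_of("Red,Green", "Red,Blue"))
    print(read_access_allowed(case_w1, {"f001", "f002", "f003", "f004"}))
    print(read_access_allowed(case_w1, {"f001"}))
```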