Maybe I should rephrase it, CLR is only enabled/disabled. What I am referring to is the "SQL Server Host Policy Level Permission Sets":
"SQL Server supplies a host-level security policy level to the CLR while hosting it; this policy is an additional policy level below the two policy levels that are always in effect. This policy is set for every application domain that is created by SQL Server. This policy is not meant for the default application domain that would be in effect when SQL Server creates an instance of the CLR."
This has 3 settings as follows:
Only internal computation and local data access are allowed. SAFE is the most restrictive permission set. Code executed by an assembly with SAFE permissions cannot access external system resources such as files, the network, environment variables, or the registry.
EXTERNAL_ACCESS assemblies have the same permissions as SAFE assemblies, with the additional ability to access external system resources such as files, networks, environmental variables, and the registry.
UNSAFE allows assemblies unrestricted access to resources, both within and outside SQL Server. Code executing from within an UNSAFE assembly can also call unmanaged code.
As far as I understand, since the Pega UDFs are used to read and retrieve property values directly from Binary Large Objects (BLOBs) in the database, there is really no need for it to have EXTERNAL_ACCESS or UNSAFE permission set.
However, can support confirm this that the SAFE permission set is enough for Pega to run properly?