How to create a Property Read and Property Encrypt Access Control Policies in PEGA?

In this particular post, we will learn about PEGA Data Encryption under Security Management. It protects sensitive data without affecting the functionality of the application.

ABAC Policy obfuscate or mask the readability of the sensitive data. The sensitive data like Credit Card Number, BSB, Account Number etc…

ABAC Policy encrypts the sensitive data using the cipher. This policy encrypts the data in the database, clipboard, logs etc… Will see the usage of the Pega Platform cipher with a Google Cloud KMS Keystore.

Property Read Access Control Policy

Step 1: Create an Access Control Policy with Property Read Action

As below from Records Explorer, create the Access Control Policy.

Provide the Policy Name, Class Context. There are multiple Restriction Methods [Full mask, Mask all but last ’N’ etc…]

For now, select — Mask all but last ’N’.

As part of the gear icon, you can define the masked character and the number of unmasked characters.

Step 2: Create the Access Control Policy Condition

Define the Access Control Policy Condition, when to get the Permit Access for the restricted property.

For example, in the above scenario — I defined some Access Control Policy Condition as below

Step 3: Test the masked properties in the UI

Property Encrypt Access Control Policy

Step 1: Create a Keystore [Outside PEGA Platform]

Create a Keystore using AWS KMS or Google Cloud KMS service that contains the Keys and Certificate. Go to the Google Cloud Management console and Under Security — Select the Key Management Service.

Click on “Create Key Ring” link on the Key Management. Provide some name and select the region

Click on “Create” button and provide additional information as below

Click on Create button and see the crypto key.

Step 2: Create the Keystore instance in PEGA

Select the keystore location as “Google Cloud KMS”

Step 3: Create the Google Service Account to access Cloud KMS Service

Login into Google Cloud console and navigate to the IAM service and create the Service account to access the Google Cloud KMS Service.

Click on the “Create Service Account” button.

Select the Service Role to “

Now you can see the LearningCrypto Service account

Click on the Service account and add key

This step downloads the json file

Step 4: Complete the PEGA Keystore instance configurations

Navigate to PEGA and select the Upload File in the KeyStore instance. Upload the downloaded json file.

Click the Copy Resource Name as below and copy that as the Customer Master Key ID in the KeyStore instance.

Click on the TestConnectivity in the KeyStore instance.

Step 5: Complete the PEGA — Data Encryption configurations

Navigate as below to the Data Encryption Landing Page.

Select the Platform cipher option and provide the created Keystore

Click on Activate

Verify the activated Keystore information as below

Click on Regenerate under “System Data Encryption”

Step-6: Testing the PropertyEncrypt

For example, create an Property Encrypt ABAC policy for the sensitive fields as below. Platform cipher is used to encrypt/decrypt in the platform using the provided Google Cloud KMS Keystore.

Create a case without and with property encrypt policy in place.



Digital Transformation Leader | Pega Lead Solution Architect | Pega Certified Data Scientist | Pega Customer Service | Pega Sales Automation | AWS Cloud

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sandeep Pamidamarri

Digital Transformation Leader | Pega Lead Solution Architect | Pega Certified Data Scientist | Pega Customer Service | Pega Sales Automation | AWS Cloud