How to create a Property Read and Property Encrypt Access Control Policies in PEGA?
In this particular post, we will learn about PEGA Data Encryption under Security Management. It protects sensitive data without affecting the functionality of the application.
A Property Read ABAC Policy obfuscates or masks sensitive data when it is read, for example a Credit Card Number, BSB or Account Number.
A Property Encrypt ABAC Policy encrypts sensitive data using the cipher. This policy encrypts the data in the database, clipboard, logs etc… We will see the usage of the Pega Platform cipher with a Google Cloud KMS Keystore.
Property Read Access Control Policy
Step 1: Create an Access Control Policy with Property Read Action
As below from Records Explorer, create the Access Control Policy.
Provide the Policy Name and Class Context. There are multiple Restriction Methods [Full mask, Mask all but last ’N’ etc…]
For now, select — Mask all but last ’N’.
Using the gear icon, you can define the mask character and the number of unmasked characters.
Step 2: Create the Access Control Policy Condition
Define the Access Control Policy Condition, i.e. when Permit Access is granted for the restricted property.
For example, in the above scenario — I defined the Access Control Policy Condition as below.
Note: In this rule form, you can define the policy conditions — based on the logged-in Operator context and also on any specific business rules.
Step 3: Test the masked properties in the UI
Note: The value is still readable in the clipboard, since a Property Read policy only masks the displayed value.
Property Encrypt Access Control Policy
Step 1: Create a Keystore [Outside PEGA Platform]
Create a Keystore using the AWS KMS or Google Cloud KMS service that contains the Keys and Certificate. In this example — We will use Google Cloud KMS. This service allows customers to manage encryption keys and perform cryptographic operations with those keys. Go to the Google Cloud Management console and under Security — select the Key Management Service.
Click on the “Create Key Ring” link on the Key Management page. Provide a name and select the region.
Click on “Create” button and provide additional information as below
Click on Create button and see the crypto key.
Step 2: Create the Keystore instance in PEGA
Select the keystore location as “Google Cloud KMS”.
Step 3: Create the Google Service Account to access Cloud KMS Service
Login into Google Cloud console and navigate to the IAM service and create the Service account to access the Google Cloud KMS Service.
Click on the “Create Service Account” button.
Set the Service Role to “Cloud KMS CryptoKey Encrypter/Decrypter”.
Now you can see the LearningCrypto Service account.
Click on the Service account and add a key.
This step downloads the JSON key file.
Step 4: Complete the PEGA Keystore instance configurations
Navigate to PEGA and select Upload File in the KeyStore instance. Upload the downloaded JSON file.
Click Copy Resource Name as below and paste it as the Customer Master Key ID in the KeyStore instance.
Click on the TestConnectivity in the KeyStore instance.
Step 5: Complete the PEGA — Data Encryption configurations
Navigate as below to the Data Encryption Landing Page.
Select the Platform cipher option and provide the created Keystore
Click on Activate
Verify the activated Keystore information as below
Click on Regenerate under “System Data Encryption”
Step 6: Testing the Property Encrypt policy
For example, create a Property Encrypt ABAC policy for the sensitive fields as below. The Platform cipher is used to encrypt/decrypt the values in the platform using the configured Google Cloud KMS Keystore.
Create a case without and with property encrypt policy in place.
For a case without the property encrypt policy in place, the value is visible in the clipboard.
For a case with the property encrypt policy in place, the value is not visible in the clipboard.
Hurray, congratulations :) :) You have successfully learned to create Property Read and Property Encrypt ABAC Policies and to use the platform cipher with a Google Cloud KMS Keystore.