How to create a Property Read and Property Encrypt Access Control Policies in PEGA?

In this particular post, we will learn about PEGA Data Encryption under Security Management. It protects sensitive data without affecting the functionality of the application.

Property Read ABAC Policy obfuscate or mask the readability of the sensitive data. The sensitive data like Credit Card Number, BSB, Account Number etc…

Property Encrypt ABAC Policy encrypts the sensitive data using the cipher. This policy encrypts the data in the database, clipboard, logs etc… Will see the usage of the Pega Platform cipher with a Google Cloud KMS Keystore.

Property Read Access Control Policy

Step 1: Create an Access Control Policy with Property Read Action

As below from Records Explorer, create the Access Control Policy.

Provide the Policy Name, Class Context. There are multiple Restriction Methods [Full mask, Mask all but last ’N’ etc…]

For now, select — Mask all but last ’N’.

As part of the gear icon, you can define the masked character and the number of unmasked characters.

Step 2: Create the Access Control Policy Condition

Define the Access Control Policy Condition, when to get the Permit Access for the restricted property.

For example, in the above scenario — I defined some Access Control Policy Condition as below

Note: In this rule form, you can define the policy conditions — based on the Logged in Operator context and also any specific business rules.

Step 3: Test the masked properties in the UI

Note: The value is readable in the clipboard

Property Encrypt Access Control Policy

Step 1: Create a Keystore [Outside PEGA Platform]

Create a Keystore using AWS KMS or Google Cloud KMS service that contains the Keys and Certificate. In this example — We will use Google Cloud KMS. This service allows customers to manage encryption keys and perform cryptographic operations with those keys.Go to the Google Cloud Management console and Under Security — Select the Key Management Service.

Click on “Create Key Ring” link on the Key Management. Provide some name and select the region

Click on “Create” button and provide additional information as below

Click on Create button and see the crypto key.

Step 2: Create the Keystore instance in PEGA

Select the keystore location as “Google Cloud KMS”

Step 3: Create the Google Service Account to access Cloud KMS Service

Login into Google Cloud console and navigate to the IAM service and create the Service account to access the Google Cloud KMS Service.

Click on the “Create Service Account” button.

Select the Service Role to “Cloud KMS CryptoKey Encrypter/Decrypter”

Now you can see the LearningCrypto Service account

Click on the Service account and add key

This step downloads the json file

Step 4: Complete the PEGA Keystore instance configurations

Navigate to PEGA and select the Upload File in the KeyStore instance. Upload the downloaded json file.

Click the Copy Resource Name as below and copy that as the Customer Master Key ID in the KeyStore instance.

Click on the TestConnectivity in the KeyStore instance.

Step 5: Complete the PEGA — Data Encryption configurations

Navigate as below to the Data Encryption Landing Page.

Select the Platform cipher option and provide the created Keystore

Click on Activate

Verify the activated Keystore information as below

Click on Regenerate under “System Data Encryption”

Step-6: Testing the PropertyEncrypt

For example, create an Property Encrypt ABAC policy for the sensitive fields as below. Platform cipher is used to encrypt/decrypt in the platform using the provided Google Cloud KMS Keystore.

Create a case without and with property encrypt policy in place.

For a case without property encrypt policy in place, you can see the value in the clipboard

For a case with property encrypt policy in place, you cannot see the value in the clipboard

Hurray, congratulations :) :) You successfully learned to create a Property Read and Property Encrypt ABAC Policies and also usage of the platform cipher with a Google Cloud KMS Keystore.