1. For Correct Answer (A): Pegasystems. (2023). Security checklist for Pega Platform. Pega Documentation. "Configure authorization by using role-based access control (RBAC) to define the actions that users can perform... An access group references one or more access roles." This confirms that combining access groups and roles is the standard RBAC method.
2. For Correct Answer (A): Pegasystems. (2023). Creating an access role. Pega Documentation. "You create access roles to define the access capabilities that are granted to a user." This supports the creation of a specific role for SalaryReview permissions.
3. For Incorrect Option (C): Pegasystems. (2023). Comparing role-based and attribute-based access control. Pega Documentation. "RBAC is easier to implement and is sufficient for applications with a limited number of roles... ABAC is better suited for more complex security requirements." This justifies choosing RBAC (A) over ABAC (C) for this straightforward scenario.
4. For Incorrect Option (D): Pegasystems. (2023). Access Deny rules. Pega Documentation. "As a best practice, use Access Deny rules only when an Access of Role to Object or Access Deny setting cannot produce the desired security outcome." This establishes that Access Deny is a secondary mechanism, not the primary solution.
5. For Incorrect Option (B): Pegasystems. (2023). Implementing Client-Based Access Control. Pega Documentation. "Client-based access control (CBAC) allows you to track and process requests that are related to personal customer data." This confirms that CBAC's specific purpose is data privacy, not general case type access.