Pega Customer Service for Communications modified rules for BAC prevention
This content applies to On-premises, Client-managed cloud and Pega Cloud environments
In release 8.3, Pega Customer Service for Communications has modified the rules that invoke secured activities in Pega Platform. The query strings and parameters in these calls are registered so that end users cannot tamper with them.
If you have overridden any of these rules in your Pega Customer Service for Communications implementation layer, you need to update them to use the changed rules. Run the Pre-Upgrade Checker to identify which of these changed rules are overridden in your implementation layer. For information about the Pre-Upgrade Checker, see the Pega Customer Service for Communications Upgrade Guide on the Pega Customer Service for Communications product page.
For information about the enhancements to prevent Broken Access Control (BAC), and to see a list of rules and activities that were modified for all Pega Customer Service applications, see Pega Customer Service enhancements to prevent Broken Access Control.
The following list shows the modified rules for Pega Customer Service for Communications. If you have overridden any of these rules in your Pega Customer Service for Communications implementation layer, you need to update them with the changed rules.
Rule | Rule name | Class name | Available |
---|---|---|---|
Rule-HTML-Section | HIDDENSECTION | PEGACA-WORK-INTERACTION | Yes |
Rule-HTML-Section | WRAPUPINTERACTION | PEGACA-WORK-INTERACTION | Yes |
In addition to the changes in the preceding table, several Pega Customer Service for Communications activities have also been modified because they do not need to be started from a client, whether through an AJAX call or any other UI request. The Allow direct invocation from the client or service check box is cleared for these activity rules. To see the list of modified activity rules, download the CSC-List-of-Activity-Rules-URL-Tampering.xlsx file.