Pega Customer Service for Financial Services modified rules for BAC prevention
+
This content applies to On-premises, Client-managed cloud and Pega Cloud environments
In release 8.3, Pega Customer Service for Financial Services has modified the rules that invoke secured activities in Pega Platform. The query strings and parameters in the calls are registered so they cannot be tampered with by the end users.
If you have overridden any of these rules in your Pega Customer Service for Financial Services implementation layer, you need to update them with the changed rules. Run the Pre-Upgrade Checker to identify which of these changed rules are overridden in your implementation layer. For information about the Pre-Upgrade Checker, see the Pega Customer Service for Financial Services and Pega Sales Automation for Financial Services Upgrade Guide on the Pega Customer Service for Financial Services product page.
For information about the enhancements to prevent Broken Access Control (BAC), and to see a list of rules and activities that were modified for all Pega Customer Service applications, see Pega Customer Service enhancements to prevent Broken Access Control.
The following list shows the modified rules for Pega Customer Service for Financial Services. If you have overridden any of these rules in your Pega Customer Service for Financial Services implementation layer, you need to update them with the changed rules.
| Rule | Rule name | Class name | Available |
|---|---|---|---|
| Rule-HTML-Section | ChatToasterPop | ChannelServices-Interaction-Chat | Yes |
| Rule-HTML-Section | CSShowOffers | Int-PegaCDH-Container-Offer | Yes |
| Rule-HTML-Section | CPMAccountDetails | PegaCA-Interface-Contact | Yes |
| Rule-HTML-Section | CSOffer | Int-PegaCDH-Container-Offer | Yes |
| Rule-HTML-Section | CSShowNextBestAction | Int-PegaCDH-Container-Action | Yes |
| Rule-HTML-Section | CustomerAcceptedRequest | PegaCA-Work-CobrowsingSession | Yes |
| Rule-HTML-Property | SlotPicker | NA | Yes |
| Rule-HTML-Section | CPMIPSearchResults | CPM-Portal | Yes |
| Rule-HTML-Section | CPMAutoLauchServiceProcess | PegaCA-Work | Yes |
| Rule-HTML-Section | CPMFavoritesListDisplay | CPM-Portal | Yes |
| Rule-Navigation | CPMSearchResultMenu | CPM-Search-Result | Yes |
| Rule-Navigation | CPMProspectSearchResultMenu | PegaCRM-Entity-Contact | Yes |
| Rule-HTML-Section | CaseLockLostInfo | PegaCA-Work-Interaction | Yes |
| Rule-HTML-Section | CACollectSessionCode_FA | PegaCA-Work-CobrowsingSession | Yes |
| Rule-HTML-Section | CPMConfirmIncludes | Work- | Yes |
| Rule-HTML-Section | CPMINTERACTIONPORTALHEADER | CPM-PORTAL | Yes |
| RULE-HTML-FRAGMENT | SCREENPOPINTERACTIONSTARTER | NA | Yes |
| Rule-HTML-Section | AutoClose | Work- | Yes |
| Rule-HTML-Section | CPMInteractionPortalHeader | CPM-Portal | Yes |
| Rule-HTML-Section | GenerateChatPrompts | Work- | Final |
In addition to the changes in the preceding table, several Pega Customer Service for Financial Services activities that do not need to be started from a client in the form of an AJAX call or any other UI request have also been modified. The Allow direct invocation from the client or service check box is cleared for these activity rules. To see the list of modified activity rules, download the CSFS-List-of-Activity-Rules-URL-Tampering.xlsx file.
Previous topic Payment Inquiry Microjourney for Commercial Banking Next topic Repossession and Collateral Management Microjourney