
Published Release Notes

This documentation is for non-current versions of Pega Platform.

Terminate sessions for operators from outside the Pega 7 Platform

Valid from Pega Version 7.2.2

The newly added Users REST API allows an authorized administrator to terminate sessions for one or more operator IDs from outside the Pega® 7 Platform. A typical use case for this API is to terminate a user’s session when the user's security credentials, which are stored externally, are known to have changed.

Access the Pega API by clicking Resources > Pega API.

Conditional filter logic supported in access control policy conditions

Valid from Pega Version 7.2.2

In the Access Control Policy Condition rule form, you can now add conditional logic that applies different access control policy conditions in different situations, such as for different types of users. The policy condition filters that are enforced are based on the results of Access When rules. Conditional filters can be configured to allow certain highly privileged users to bypass access control security in certain situations. This is accomplished by entering an Access When rule but leaving the conditional logic field blank. When such a filter is applied to a read access policy, it should also be applied to the corresponding discover policy.

For more information, see Creating an access control policy condition.

Use Kerberos credentials in a Pega application to authenticate and access external systems

Valid from Pega Version 7.2.2

Authentication services now support Kerberos as an authentication type. When you connect from the Pega 7 Platform to external systems and services that require Kerberos authentication, the Pega 7 Platform stores the user Kerberos credentials and makes them available in Pega 7 Platform connectors.

For more information, see Using Kerberos credentials in a Pega application to authenticate and access external systems.

SAML 2.0 single sign-on authentication in multitenant environments

Valid from Pega Version 7.2.2

Multitenant application environments can now use SAML 2.0 for single sign-on (SSO) and single logout (SLO). Application users can access any authorized SSO multitenant applications without logging in to each application individually. SAML simplifies the login and logout process for users, mitigates security risks, and reduces the implementation costs that are associated with identity management.

For more information about configuring SAML 2.0 for single sign-on, see Web single sign-on (SSO) with SAML 2.0.

New PegaRULES:PegaAPISysAdmin role

Valid from Pega Version 7.2.2

The role PegaRULES:PegaAPISysAdmin has been added to the Pega 7 Platform. System administrators require this role to access the Pega API REST User Services; it is not required for other services.

For more information, see Securing the Pega API.

Issue with the Sandbox directive on the Content Security Policy rule form has been fixed

Valid from Pega Version 7.2.2

An issue in which the Sandbox directive was not applied, even after a value was selected in the Content Security Policy rule form, has been fixed. As a result, the restrictions that are applied based on the settings in the Sandbox directive are now more closely aligned with the World Wide Web Consortium (W3C) specification than in previous releases. You should test your Content Security Policy to ensure that this change does not cause unexpected behavior in your application, such as making the security policy too restrictive.
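To support that testing, the following added example (not Pega code) parses a Content-Security-Policy header value and reports which capabilities its sandbox directive leaves restricted. The function name analyzeSandbox and the sample header are constructed for illustration; the allow-* tokens are the standard sandbox keywords.

```javascript
// Added example: list what a CSP "sandbox" directive still restricts.
// Standard sandbox keywords and the capability each one re-enables.
const SANDBOX_TOKENS = {
  'allow-downloads': 'downloads',
  'allow-forms': 'form submission',
  'allow-modals': 'modal dialogs (alert, confirm, prompt)',
  'allow-orientation-lock': 'screen orientation lock',
  'allow-pointer-lock': 'pointer lock',
  'allow-popups': 'popups (window.open, target=_blank)',
  'allow-popups-to-escape-sandbox': 'unsandboxed popups',
  'allow-presentation': 'presentation sessions',
  'allow-same-origin': 'same-origin access (cookies, storage)',
  'allow-scripts': 'script execution',
  'allow-top-navigation': 'top-level navigation',
  'allow-top-navigation-by-user-activation': 'user-activated top-level navigation',
  'allow-top-navigation-to-custom-protocols': 'navigation to custom protocols',
};

// analyzeSandbox is a hypothetical helper name, not a Pega or browser API.
function analyzeSandbox(headerValue) {
  // Directives are separated by ';' and the first occurrence of a name wins.
  for (const part of headerValue.split(';')) {
    const [name, ...tokens] = part.trim().split(/\s+/);
    if (!name || name.toLowerCase() !== 'sandbox') continue;
    const given = tokens.map((t) => t.toLowerCase());
    const allowed = given.filter((t) => t in SANDBOX_TOKENS);
    // Unrecognized tokens grant nothing; flag them so typos are caught.
    const unknown = given.filter((t) => !(t in SANDBOX_TOKENS));
    const restricted = Object.keys(SANDBOX_TOKENS)
      .filter((t) => !allowed.includes(t))
      .map((t) => SANDBOX_TOKENS[t]);
    return { sandboxed: true, allowed, unknown, restricted };
  }
  return { sandboxed: false, allowed: [], unknown: [], restricted: [] };
}

// Constructed sample header value, as captured from a response during testing.
const sample = "default-src 'self'; sandbox allow-scripts allow-forms";
console.log(JSON.stringify(analyzeSandbox(sample), null, 2));
```

Compare the restricted list against what the application needs, for example same-origin access for cookies and storage. Browsers honor the sandbox directive only in the Content-Security-Policy response header, not in a meta element or in Content-Security-Policy-Report-Only.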

Monitor standard and custom security events

Valid from Pega Version 7.3

From the new Security Event Configuration landing page, you can select the standard and custom security events that you want the Pega 7 Platform to log automatically for every user session. The security events are grouped into the following types:

  • Authentication
  • Data access
  • Security administration
  • Custom

The API logCustomEvent() is provided so that you can create custom security events that are specific to your applications and that can be monitored by the Pega 7 Platform. For more information, see Security Event Configuration.

SAML configuration supports global resource settings

Valid from Pega Version 7.3

In the SAML Authentication Service form, you can now use global resource settings, which offer greater flexibility than fixed text values for values that change. Apply global resource settings, which are dynamic values, in the Identity Provider (IdP) information section and the Service Provider (SP) settings section of the form.

For more information, see Authentication Service form - Completing the SAML 2.0 tab.

Restrict visibility of scalar property values for certain users

Valid from Pega Version 7.3

You can use the Access Control Policy rule to mask individual scalar property values from specified users. You can restrict visibility for the following property types:

  • DateTime
  • Integer
  • Text

For more information, see Masking property visibility for users.

Disable inactive operators

Valid from Pega Version 7.3

As a system administrator, you can control access to an application by disabling Operator IDs. To disable an Operator ID, you can use one of the following options in Designer Studio:

  • Call the Service REST: user.
  • Change settings on the Operator Access tab on the System Settings landing page or on the Security tab on the Operator ID form.
  • Define the number of inactive days in the security policies before an Operator ID is automatically disabled.

For more information, see System Settings - Operator Access tab, Enabling Security Policies, and Security tab on the Operator ID form.