Published Release Notes

Add custom HTTP response headers in your application

The Pega 7 Platform supports the addition of custom security HTTP headers that are supported by your browser. For example, you can now create custom X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security headers. These headers improve the security of your application against client-based attacks.

For more information, see Creating a custom application header. 

Attribute-based access control model

Attribute-based access control (ABAC) is a security authorization model in which access rights are determined through the use of policies and attributes. A policy decision engine in ABAC evaluates digital policies against available data (attributes) to permit or deny access to the requested resource. For example, you can now determine access rights to cases by examining security attribute values assigned to the user and the case.

For more information, see Attribute-based access control.

Unit testing support for more rule types

You can now create unit tests for the following additional rule types. You can also create assertions to validate activity status. The expanded rule types for unit testing enable developers to more thoroughly perform regression testing of their application, thereby improving application quality.

• Collection
• Declare expression
• Map value
• Report definition

For more information about unit testing rules, see Pega unit test cases.

Upgrade impact

With the four new rule types, unit test execution and unit test compliance metrics will change. Reports on automated unit testing of the customer application decrease due to the increased pool of supported rules.

What steps are required to update the application to be compatible with this change?

After a successful upgrade, create Pega unit test cases for the newly supported rules to see updated and accurate unit test metrics.

View application quality metrics by data type

You can now view application quality metrics by data type on the Application Quality landing page. The new Data Types tab displays metrics for data types grouped by data objects, which enables you to more quickly understand the overall coverage of the application's integrations and interfaces.

For more information about data type metrics, see Application Quality landing page.

Scenario tests are reusable

Existing scenario tests are now reusable in different business scenarios. Before Pega 8.3, you had to create a new test every time a user interface or process flow changed significantly. Now, scenario tests are editable to help you maintain the test stack more effectively.

For more information, see Updating scenario tests.

Java injection vulnerability check

Pega Platform™ now notifies you of Java injection vulnerabilities in activities, functions, and stream rules at design time and at run time.  You can customize Pega Platform to check for additional vulnerabilities to ensure that your application runs without problems.

For more information, see Configuring the Java injection check.

Usability improvements to Admin Studio

Admin Studio offers a variety of usability enhancements, including:

• New access groups to differentiate between full and read-only access to Admin Studio
• A Java class lookup utility
• A requestor list for the logged-on operator
• The ability to display system node type in the logs

Also, if your environment uses Predictive Diagnostic Cloud (PDC), the Admin Studio overview page now includes a link to PDC.

For more information, see Managing requestors.

Improvements for automated scenario testing

Test automation authors can group related scenario tests into suites. The scenario test suites can be run manually from the Scenario Testing landing page as part of purpose-specific tests such as smoke tests, regression tests, and outcome-based tests. Additionally, automation authors or release managers who monitor tests for an application can disable or quarantine unstable scenario tests so that they do not run.

For more information about creating and managing test suites for scenario testing, see Creating test suites for scenario testing.

Token credentials authentication service

You can create a new type of authentication service for token credentials authentication, which is useful for offline mobile applications. With token credentials authentication, users need to enter their credentials only once in a session. Subsequent access to the server is authenticated with a token. The token can be generated by the Pega Platform™ authorization layer (OAuth 2.0) or issued by an external identity provider.

For more information, see Configuring a token credentials authentication service.

Platform truststore for validating certificates

Pega Platform™ now includes a platform truststore, to which you can import X.509 certificates that are common across platform applications. When a certificate needs to be validated, Pega Platform looks for the certificate at the connector level, then in the platform truststore, and finally in the application server (JVM) truststore. You can add, update, and delete certificates in the platform truststore without having to restart the server, which is useful when TLS certificates are changed for reasons such as key rotation.

For more information, see Importing an X.509 certificate.