Published Release Notes

Two-factor authentication with one-time passwords

Pega® Platform now supports two-factor authentication in custom authentication services and case flow processing, by sending a one-time password to an operator through email and requiring the operator to provide it back to your application for verification. Use REST API OTP Generation to generate and store one-time passwords, and REST API OTP Verification to verify passwords against user entries. You can also use the pxSendOTP and pxVerifyOTP activities called by these APIs to implement two-factor authentication of users in case flows prior to performing a critical operation (e.g. before completing a critical transaction such as a funds transfer in excess of a certain amount). Settings on the Security Policies landing page control the behavior of the two-factor authentication process.

For more information, see Enabling security policies.

Support for OAuth 2.0 authorization in Pega Platform REST services

Pega^® Platform REST services now support OAuth 2.0 authorization that uses federated authentication with SAML 2.0-compliant identity providers (IDPs). The OAuth 2.0-based authorization can be configured to use the SAML2-bearer grant type with a SAML token profile. This configuration is used when a resource requestor is authenticated by using a SAML2.0-compliant IDP.

For more information, see Security rules and data.

Privilege inheritance support through access roles

Privilege inheritance simplifies the process of defining privileges that are relevant in multiple classes. When determining whether a user should be granted a named privilege that allows a type of access to a class, Pega^® Platform searches for Access of Role to Object (Rule-Access-Role-Obj) rules that are relevant to the target class and to the access roles listed in the user's access group, and considers the privileges granted or denied in those rules. When privilege inheritance is enabled within an access role, the search for relevant Access of Role to Object rules begins with the target class and, if necessary, continues up the class hierarchy until a relevant rule is found.

For more information, see Privilege inheritance for access roles.

No support for Android versions earlier than 4.4 on mobile devices

Pega^® Platform dynamic layouts by default now use Flexbox-based rendering. As a result, mobile devices running on Android versions earlier than 4.4 are not supported in Pega Platform. Such devices cannot render correctly with Flexbox because the Pega Mobile Client includes the default stock browser on the Android operating system.

Cross-origin resource sharing (CORS) policies for APIs and REST services

You can now use cross-origin resource sharing (CORS) policies to control how external systems and websites (origins) are permitted to access resources such as APIs and services within your applications. For example, Pega^® Platform uses CORS policies to restrict which Pega Robotic client applications can connect to your Pega applications, and to limit which mobile apps can call Pega mobile services. Using CORS policies results in reduced cost and implementation times, while providing increased security when other systems or websites interact with your application.

For more information, see Creating a cross-origin resource sharing (CORS) policy and Mapping an endpoint to a cross-origin resource sharing (CORS) policy.

Package caching is not supported in offline-enabled applications built with the UI Kit 7 (09-01-01) portal

When you create an offline-enabled application in Pega^® Platform, by default, it uses a portal with the UI Kit 7 (09-01-01) ruleset. In such a case, the package caching functionality cannot be used. You must either disable caching on the Advanced tab of the Access Group rule form, in the Offline Configuration section, or use an adaptive design instead of rendering different elements for different devices with the UI Kit 7 (09-01-01) ruleset.

For more information, see Access Group form - Completing the Advanced tab.

No video controllers displayed on Android 4.3 and earlier versions

When you preview a video clip within Pega^® Mobile Client on a mobile device that runs Android 4.3 or earlier versions, video controllers are not displayed in full-screen mode.

Addition of Data Access Tab to access control policy condition rules

You can now select associations and declarative index classes when creating access control policy condition rules. The Column source field in the policy condition can now accept properties from available associations and indexes. For ease of reference, the selected associations and indexes are available on the new Data Access tab. 

Using the new tab, you can build complex authorization models in which access restrictions for a class depend on the attributes present in the associated and indexed classes, along with the attributes in the current class. For example, a project management application can now separately maintain project lists for each operator and use that information to restrict read/write access to unique projects.

The information available on the new Data Access tab reflects rule form changes, which are similar to the existing functionality of the Report Definition in the Application Data Model. 

For more information, see Creating an access control policy condition.

Addition of Servlet Management

Pega Platform™ now has Servlet Management in Pega Cloud® Services, which provides a simple and secure way to make changes to Pega Platform servlet definitions.

Servlet Management provides Pega Cloud Service clients with solutions to manage servlet configurations with self-service options. This reduces the cycle time for delivering configuration changes in Pega Cloud Service installations while also improving upgrade reliability. 

For more information, see Servlet management.

Upgrade impact

Clients with no application servlet customizations will not experience an impact. If you upgrade from Pega Platform version 8.5 or earlier and, prior to the upgrade, the Pega Cloud team provided your application servlet customizations, then following the upgrade, you must manually add, remove, or modify your servlet customizations in your upgraded application using this servlet management landing page in Pega Platform.

What steps are required to update the application to be compatible with this change?

To manually move your pre-upgrade servlet customizations as appropriate or add new ones to your upgraded application using the new servlet management landing page, follow the steps in Adding a servlet.

Cosmos React-UI supports custom authentication

Pega Platform™ now supports custom authentication in applications that use Cosmos React-UI. Depending on the needs of your users and the functionality of your application, you might need to write custom authentication schemes to meet specific requirements. 

Clients that use custom authentication in their applications can now take advantage of the Cosmos React-UI.

For more information, see Securing Cosmos React-UI applications.