Published Release Notes

Improving basic access control

Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls from otherwise authenticated users.

For more information, see Access Control Checks.

Upgrade impact

After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls  by using registration or encryption mechanisms.

What steps are required to update the application to be compatible with this change?

After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.

Enabling access to upgraded help

After upgrading to Pega Platform ™ 8.1, the default URL to the upgraded help files might be incorrect. To enable access to the latest help files, reset the URL:

1. In the header of Dev Studio, click Configure > System > Settings > URLs.
2. Enter the Online Help URL:

   https://community.pega.com/sites/default/files/help_v81/

3. Click Save.
4. Log out and log back into Pega Platform.

New JWT access token format: Authorized Access Token

Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.

The major benefits to using the JWT format are:

• The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
• A single token can be used with multiple applications.
• The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
• As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).

For more information, see Understanding authorized access tokens.

DCO Compatibility tool is deprecated

The DCO Compatibility tool has been deprecated. Use the Application Guardrails landing page to see the compliance score and any warnings for your application.

For more information, see Application Guardrails landing page.

New roles required for system management features and APIs after upgrade

The pzSystemOperationsObserver and pzSystemOperationsAdministator privileges are no longer used for accessing system management features in Admin Studio and for system management APIs. Pega Platform™ has new privileges for individual system management functions and new roles configured with these privileges. Use the following roles to access system management features and APIs:

• PegaRULES:SysOpsAdministrator – has all administrator and observer privileges
• PegaRULES:SysOpsObserver – has all observer privileges
• PegaRULES:SysAdm4 – has all administrator and observer privileges

After upgrading, you can include one or more of these roles in your access group or create a custom role. For more information about access roles, see Access roles.

Authentication profile for Connect REST might be removed after upgrade

The Use authentication check box has been removed from the Service tab on the Connect REST form. As a result, after an upgrade, the Authentication profile field might be blank even if an authentication profile was previously configured.

• If the Use authentication check box was cleared prior to upgrading and the Authentication profile field was configured with an authentication profile name, the Authentication profile field is blank. If you are using authentication, you must reenter the profile name.
• If the Use authentication check box was selected prior to upgrading and the Authentication profile field was configured with an authentication profile name, the Authentication profile field retains the previous configuration.

Tamper-proof Pega Web Mashup loading

To protect your application from hackers, Pega Web Mashup is now loaded in a more secure way. The system generates a channel ID in the mashup code for validation on the server, before passing the mashup request. 

For more information, see Creating a mashup.

Upgrade impact

After an upgrade to Pega Platform 8.5, existing mashups, which do not have the channel ID parameter in their code, cannot load and users see the access control warning.

What steps are required to update the application to be compatible with this change?

If you need to maintain full availability of the mashup during the upgrade of the production environment, perform the steps in Migrating existing mashups.

Failed Robotic Assignments work queue type changed to Standard

The default Failed Robotic Assignments work queue type is now Standard. In previous releases, the default type was Robotic. For usage information, see Configuring a work queue for robotic automation.

Upgrade impact

After upgrading to Pega Platform 8.5 and later, you cannot save case types in which you configure the Queue for robot smart shape to route new assignments to the Failed Robotic Assignments work queue. Existing assignments that you routed to the Failed Robotic Assignments work queue are not affected.

How do I update my application to be compatible with this change?

As a best practice, do not use the Failed Robotic Assignments work queue in your custom implementations. Instead, configure the Queue for robot smart shape to route new assignments to a Robotic work queue. When possible, update existing case types to use the robotic work queues that you created in your application.

Upgrading to the secure threading mechanism for email bots

In Pega Platform™ version 8.6, Pega Email Bot™ includes a more secure threading mechanism to help track emails from customers and other stakeholders in separate threads for an email triage case.

Upgrade impact

If you upgrade from Pega Platform version 8.5 or earlier, in which you configured an Email channel, perform the following steps to ensure that your system uses the new secure threading mechanism:

• Update the service email rule that the system uses to send an email reply as the initial acknowledgment.
• Update the email reply template in the data transform rule that the system uses when a customer service representative (CSR) sends the reply.

For more information about creating an initial acknowledgment email and email reply template, see Creating outbound email templates. For more information about the secure threading mechanism, see Use a secure threading mechanism in emails.

What steps are required to update the application to be compatible with this change?

For the initial acknowledgment email used by your email bot, update the service method for your email listener rule. On the Response tab for this service email rule, expand the Message contents section. In the Message data section, you specify the rule that defines the structure of the content of the email body. In Pega Platform version 8.6, you use for this purpose the pyEmailAcknowledgement correspondence rule that takes into account the selected built-in template. This template includes the security code tag that the system uses for the secure threading mechanism. If your application uses a different rule in the Message data section, update this definition to match one of the built-in correspondence template rules, for example, EmailAckTemplate_Clear.

The pySetEmailBotReplyTemplate data transform rule sets the name of the email correspondence rule that the system uses as the email reply template. If you do not want to use the default approach using the Classic, Cobalt, or Clear outbound email template themes, override this data transform rule to set the email correspondence rule name for the Param.ReplyTemplate target in the Source column field.

For more information about how to update the service email rule and the data transform rule to ensure that your system uses the secure threading mechanism, see Upgrading to the threading mechanism available in the 8.6 version.