Published Release Notes

Improving basic access control

Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls from otherwise authenticated users.

For more information, see Access Control Checks.

Upgrade impact

After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls  by using registration or encryption mechanisms.

What steps are required to update the application to be compatible with this change?

After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.

New JWT access token format: Authorized Access Token

Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.

The major benefits to using the JWT format are:

• The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
• A single token can be used with multiple applications.
• The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
• As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).

For more information, see Understanding authorized access tokens.

Requestor Management landing page access privileges

To access the Requestor Management landing page after upgrading to Pega^® Platform 7.3, you need to add the appropriate privileges to the @baseclass and Pega-Landing access classes in the access roles. Apply these privileges to any application in which you want the operator to be able use the requestor management feature.

For more information, see the Requestor Management landing page and the appropriate Deployment Guide.

Tamper-proof Pega Web Mashup loading

To protect your application from hackers, Pega Web Mashup is now loaded in a more secure way. The system generates a channel ID in the mashup code for validation on the server, before passing the mashup request. 

For more information, see Creating a mashup.

Upgrade impact

After an upgrade to Pega Platform 8.5, existing mashups, which do not have the channel ID parameter in their code, cannot load and users see the access control warning.

What steps are required to update the application to be compatible with this change?

If you need to maintain full availability of the mashup during the upgrade of the production environment, perform the steps in Migrating existing mashups.

Existing operator IDs during upgrades and updates

Upgrades and updates are always performed in secured mode to help prevent unauthorized access to your system. In secured mode, the [email protected] operator ID is always overwritten, but other existing standard operator IDs are not modified. New operator IDs are inserted in secured mode. For more information, see the Deployment Guide for your environment.

Failed Robotic Assignments work queue type changed to Standard

The default Failed Robotic Assignments work queue type is now Standard. In previous releases, the default type was Robotic. For usage information, see Configuring a work queue for robotic automation.

Upgrade impact

After upgrading to Pega Platform 8.5 and later, you cannot save case types in which you configure the Queue for robot smart shape to route new assignments to the Failed Robotic Assignments work queue. Existing assignments that you routed to the Failed Robotic Assignments work queue are not affected.

How do I update my application to be compatible with this change?

As a best practice, do not use the Failed Robotic Assignments work queue in your custom implementations. Instead, configure the Queue for robot smart shape to route new assignments to a Robotic work queue. When possible, update existing case types to use the robotic work queues that you created in your application.

New process for Pega Cloud customers to obtain BIX extract files

The process for obtaining Business Intelligence Exchange (BIX) extract and manifest files for Pega^® Cloud customers has changed as a result of data security enhancements for HIPAA compliance. By default, after upgrading to Pega 7.3, you must obtain the BIX extract and manifest files from the Pega SFTP server. From within Designer Studio, you can configure the BIX extract and manifest files to be sent to a remote SFTP server by a file listener. For Pega Cloud customers who have purchased a Pega Cloud SFTP Server subscription, you can configure BIX to send the BIX extract and manifest files to the SFTP server's folders for remote SFTP client download.

For more information about obtaining files from the Pega SFTP server, see Obtaining BIX extract files from the Pega SFTP server.

For more information about having files sent to your SFTP server, see Defining SFTP-related data instances.

Deprecated survey APIs

APIs that were available in the PegaSurvey ruleset have been superseded by Pega® Platform APIs. Although older APIs continue to function in this release, it is recommended that you update your flows and flow actions to use the new APIs because they provide the latest survey capabilities, and deprecated features are not supported.

The following table maps deprecated APIs to their replacement APIs.