Published Release Notes

Improving basic access control

Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls from otherwise authenticated users.

For more information, see Access Control Checks.

Upgrade impact

After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls  by using registration or encryption mechanisms.

What steps are required to update the application to be compatible with this change?

After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.

Enabling access to upgraded help

After upgrading to Pega Platform ™ 8.1, the default URL to the upgraded help files might be incorrect. To enable access to the latest help files, reset the URL:

1. In the header of Dev Studio, click Configure > System > Settings > URLs.
2. Enter the Online Help URL:

   https://community.pega.com/sites/default/files/help_v81/

3. Click Save.
4. Log out and log back into Pega Platform.

New JWT access token format: Authorized Access Token

Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.

The major benefits to using the JWT format are:

• The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
• A single token can be used with multiple applications.
• The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
• As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).

For more information, see Understanding authorized access tokens.

New privilege required to access the Search landing page

After upgrading to Pega^® Platform 7.4, users who do not have the pxAccessSearchLP privilege cannot access the Search landing page. The pxAccessSearchLP privilege is automatically assigned to the SysAdm4 role. If you have other roles that require access to the Search landing page, you must add the pxAccessSearchLP privilege to those roles.

For more information about assigning privileges to roles, see User privilege authorization. (Link to: basics/v6portal/landingpages/accessmanager/customizeprivilegestab.htm)

Set a time zone for the DateTime control

The DateTime control now supports the selection of a specific time zone. Apart from the default local time zone, you can choose a Java-supported time zone or enter a property. For example, you can make it easier for a manager working in New York to schedule a task for a worker in London by configuring a calendar picker on user forms to show a date and time for Europe/London.

Beginning with this release, the calendar picker defaults to the current time in the time zone that is defined in the operator record. Previously, it defaulted to the local time zone of the system.

For more information, see Specifying a time zone for a DateTime control.

Upgrade impact

After a successful upgrade, the DateTime gadget displays the time in the current operator's locale, which is defined on the operator rule form or in the browser.  

What steps are required to update the application to be compatible with this change?

If you need to display the system time from which the user has logged in, and if this is not the same as the time in the user's locale (based on the browser setting), set the Locale field in the operator ID to be blank so that the browser-based setting and the displayed time are the same as the system time.

Improved control of case locking and retry mechanisms

The Delay factor, Initial delay in minutes, and Max retry attempts fields have been added to queue processors, and the Timeout to acquire lock field has been added to the Queue-For-Processing method. Using these fields, you can quickly configure background processes that require you to lock cases or retry case processing.

For more information, see Creating a Queue Processor rule.

Upgrade impact

After a successful upgrade, the new fields contain their default values.

What steps are required to update the application to be compatible with this change?

To customize the functionality of this feature (and the new fields), open the Queue-For-Processing definition and modify the values for the new properties or fields.

All tabs are accessible on delegated rule forms

Delegates can now access all tabs in a delegated rule form.

You can continue to customize the development experience for delegated users, such as line managers, who may not require the full set of rule form options. For example, you can prevent users from adding new nodes on the Decision Tree form or using the expression builder on the Map Value form. All users, including delegated users, can remove these restrictions if they hold a rule-editing privilege.

For more details on this process and a list of commonly delegated rules, see How to delegate a rule.

Requestor Management landing page access privileges

To access the Requestor Management landing page after upgrading to Pega^® Platform 7.3, you need to add the appropriate privileges to the @baseclass and Pega-Landing access classes in the access roles. Apply these privileges to any application in which you want the operator to be able use the requestor management feature.

For more information, see the Requestor Management landing page and the appropriate Deployment Guide.

Rules can no longer access Pega internal Java packages

You can no longer create rules that access Java packages that reference internal APIs (syntax com.pega.platform.*.internal*). This change does not affect rules that access Pega public API packages.

If you encounter issues when running existing rules that reference internal Pega APIs, contact Pega Support.

Upgrade impact

After an upgrade to 8.4 and later, clients can no longer save new or modified rules that access Pega internal APIs; existing rules that reference internal APIs can still be run but cannot be modified. 

What steps are required to update the application to be compatible with this change?

Following a software upgrade to 8.4 or later, clients can refactor existing rules into guardrail compliant rules. To find rules to refactor, run the validation tool from designer studio (Application > Tools > Validation) to identify what rules fail validation; failed rules that include the message "Test compilation failed : Illegal internal class reference : com.pega.internal.XYZ" can updated to reference appropriate APIs.

Improved rich user interface controls in IVA for Web Chatbot

In Pega Intelligent Virtual Assistant™ (IVA) for Web Chatbot, you can use additional rich user interface controls, such as the time and date picker or a simple form, to help users accomplish tasks more quickly and to limit errors. IVA for Web Chat can now also display a welcome message in the chat window, for example, to inform the user about the person with whom they are chatting.

For more information, see Streamline conversations in IVA for Web Chatbot with rich user interface controls.

Upgrade impact

The new Ul controls for Web Chatbot are enabled by default upon upgrade. If you do not want the controls enabled, you must disable them.

Also, if you have changed the styles for the welcome message, you may need to make changes to the welcome message to incorporate the new areas in the bot conversation area (such as quick replies).

What steps are required to update the application to be compatible with this change?

Existing channels will behave as they did previously, so you should determine whether you want to use the new UI controls. If you want to use the new Ul controls, configure the new design-time options.

If you have changed the default styles for the welcome message, review the new settings to ensure that the welcome message is configured properly.