Improving basic access control
Valid from Pega Version 8.5
Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls from otherwise authenticated users.
For more information, see Access Control Checks.
Upgrade impact
After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls by using registration or encryption mechanisms.
What steps are required to update the application to be compatible with this change?
After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.
Discovery features for access control policies
Valid from Pega Version 7.2.2
Access control policies now support discovery features that allow end users to view limited, customizable information about class instances that fail Read policies but satisfy Discover policies. Two types of Discovery gadgets are provided, and when discovery features are enabled, a Discovery gadget is included in the Report Viewer and in search results. Developers can customize these gadgets and include them in other parts of an application user interface.
For more information, see Discovery features for access control policies.
Update and delete actions available in access control policies
Valid from Pega Version 7.2.2
Access control policies support update and delete actions on objects. These actions control which specific instances of a class can be created, updated, or deleted by an end user in a case.
For more information, see Creating an access control policy.
Conditional filter logic supported in access control policy conditions
Valid from Pega Version 7.2.2
In the Access Control Policy Condition rule form, you can now add conditional logic that allows you to apply different access control policy conditions based on different situations, such as different types of users. The policy condition filters that are enforced are based on the results of Access When rules. Conditional filters can be configured to allow certain highly privileged users to bypass access control security in certain situations. This is accomplished by entering an Access When but leaving the conditional logic field blank. When such a filter is applied to a read access policy it also should be applied to the corresponding discover policy.
For more information, see Creating an access control policy condition.
New JWT access token format: Authorized Access Token
Valid from Pega Version 8.5
Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.
The major benefits to using the JWT format are:
- The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
- A single token can be used with multiple applications.
- The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
- As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).
For more information, see Understanding authorized access tokens.
Control group configuration for predictions
Valid from Pega Version 8.5
You can now configure a control group for your predictions in Prediction Studio. Based on the control group, Prediction Studio calculates a lift score for each prediction that you can later use to monitor the success rate of your predictions.
For more information, see Customizing predictions.
Limited access for end user portals
Valid from Pega Version 7.1.1
The following portals are only accessible from supported versions of Internet Explorer in “quirks” mode:
- WorkUser
- WorkManager
Improved access to Cosmos UI settings
Valid from Pega Version 8.5
The Settings tab in the App Studio case designer now includes tools for configuring Cosmos UI. With this enhancement, you can adjust design system settings without the need to specialize individual When rules in Dev Studio, which simplifies UI creation and saves development time.
For more information, see Managing Cosmos UI settings in case designer.
Ability to restrict access to the Import wizard
Valid from Pega Version 8.5
You can now restrict access to the Import wizard so that users implement an automated pipeline to deploy changes between environments such as staging and production. Deployment Manager is one method by which to create pipelines. By using pipelines to propagate changes, users can apply a standardized and automated deployment process for migrating their applications.
For more information, see:
- Ensuring that users migrate applications with a pipeline by restricting the Import wizard
- Understanding model-driven DevOps with Deployment Manager
All tabs are accessible on delegated rule forms
Valid from Pega Version 7.1.1
Delegates can now access all tabs in a delegated rule form.
You can continue to customize the development experience for delegated users, such as line managers, who may not require the full set of rule form options. For example, you can prevent users from adding new nodes on the Decision Tree form or using the expression builder on the Map Value form. All users, including delegated users, can remove these restrictions if they hold a rule-editing privilege.
For more details on this process and a list of commonly delegated rules, see How to delegate a rule.