Published Release Notes

Attribute-based access control model

Attribute-based access control (ABAC) is a security authorization model in which access rights are determined through the use of policies and attributes. A policy decision engine in ABAC evaluates digital policies against available data (attributes) to permit or deny access to the requested resource. For example, you can now determine access rights to cases by examining security attribute values assigned to the user and the case.

For more information, see Attribute-based access control.

Access work items directly after login

You can now directly access work items that you receive as email notifications or URLs. The Pega 7 Platform opens the work item after successful user authentication instead of redirecting you to the portal. For a valid user, the type of authentication or number of failed login attempts does not affect this direct access.

For systems that use basic or secure basic authentication, administrators can disable the redirect URL by setting the authentication/basicschemes/redirectToLoginScreen switch to false.

Anypicker control is now available

The new Anypicker control displays a drop-down list of values that you can group into expandable categories for faster browsing. To save time and improve search accuracy, the Anypicker control filters the available values based on the characters that the user enters.

For more information, see Adding an Anypicker control.

Anypicker control in a condition builder

The condition builder now uses the Anypicker control to categorize the entities, such as fields or when conditions, that your application compares at run time. As a result, you can create conditions in a simplified and accelerated way. You can also select fields that are up to four levels deep within field groups.

For more information, see Create conditions faster with an Anypicker control (8.4), Adding an Anypicker control, Defining conditions in the condition builder.

Rules can no longer access Pega internal Java packages

You can no longer create rules that access Java packages that reference internal APIs (syntax com.pega.platform.*.internal*). This change does not affect rules that access Pega public API packages.

If you encounter issues when running existing rules that reference internal Pega APIs, contact Pega Support.

Upgrade impact

After an upgrade to 8.4 and later, clients can no longer save new or modified rules that access Pega internal APIs; existing rules that reference internal APIs can still be run but cannot be modified. 

What steps are required to update the application to be compatible with this change?

Following a software upgrade to 8.4 or later, clients can refactor existing rules into guardrail compliant rules. To find rules to refactor, run the validation tool from designer studio (Application > Tools > Validation) to identify what rules fail validation; failed rules that include the message "Test compilation failed : Illegal internal class reference : com.pega.internal.XYZ" can updated to reference appropriate APIs.

Open access to quiesced servers when using immediate drain

When using the immediate drain method to perform quiesce on a node, any operator can now access a quiesced server for root cause analysis or remediation, regardless of their user role or privileges. For quiesced server access when using the slow drain method, you must still include either the PegaRULES:HighAvailabilityAdministrator or PegaRULES:HighAvailabilityQuiesceInvestigator user role in a user's access group. Administrators using the slow drain method without either of these user roles are exiled from the quiesced node and are redirected to an active node.

For more information, see Immediate drain available for quiesce when using high availability.

Support for the JSON Web Token Bearer grant type for accessing external APIs

You can now access external APIs by using the new OAuth 2.0 JSON Web Token (JWT) Bearer grant type, in an OAuth 2.0 authentication profile. To use the JWT Bearer grant type as a client assertion, source the JWT from an active SSO session, a token profile, or a property reference. You can use JWTs that you obtain during an OpenID Connect SSO in connectors, to achieve user impersonation flows, such as the On-Behalf-Of (OBO) flow. The OAuth 2.0 type authentication profile now also supports authentication of client applications by using Private Key JWTs.

Instances of the OAuth 2.0 provider are now deprecated. As a best practice, use the new, unified authentication profile configuration instead.

For more information, see Configuring an OAuth 2.0 authentication profile.

Upgrade impact

After an upgrade to Pega Platform 8.4 and later, Authentication Profiles can take advantage of the new JWT based OAuth 2.0 grant type and client authentication features. To take advantage of this and other new security features, you must update any existing Authentication Profiles formats must to use those in Pega Platform 8.4 and later.

What steps are required to update the application to be compatible with this change?

Since these features are available only for profiles created in Pega Platform 8.4 and later, clients must open and then save existing 'Authentication Profile' instances to ensure that the configuration is compatible with the latest authentication formats.

Easy access to proposition-related rules when creating change requests in revision management

When selecting propositions for change requests in Decision Strategy Manager, you can view the proposition filter, strategy, and when rules that are associated with the decision data the selected propositions belong to. In addition, you can include those rules in change requests. To view and add any associated rules to a change request, the rules must be part of the application overlay. With the ability to view and select all proposition-related data, you can consistently revise not only propositions themselves but also all associated rules.

For more information, see Proposition-centric revision management functionality.

Improved mobile app user experience

Pega Platform™ can now produce a better mobile experience through performance gains and flexible access settings. Apps now support quick-loading native worklists, smooth scrolling and swiping, and query-based search, which improve productivity for mobile users. In addition, you can make your app available to users without authentication, and enhance usability for products that do not require strict security controls.

For more information, see Securing mobile apps.

Default support for skip links

All Pega Platform™ access groups now support skip links by default. Before, you had to create special access groups for users who require skip links for screen readers. Now, the feature is automatically enabled for every group, which improves the user experience and simplifies development.