Support for application-specific REST API calls
Valid from Pega Version 8.5
You can now call an authenticated REST API in the context of any application that is listed on an operator record by using the application alias URL. With the application alias URL, you can also develop REST services without changing the access group in the service package. REST services run in the context of the access group that points to the provided application, instead of the access group that is specified in the service package.
For more information, see Invoking a REST service rule.
Tamper-proof Pega Web Mashup loading
Valid from Pega Version 8.5
To protect your application from hackers, Pega Web Mashup is now loaded in a more secure way. The system generates a channel ID in the mashup code for validation on the server, before passing the mashup request.
For more information, see Creating a mashup.
Upgrade impact
After an upgrade to Pega Platform 8.5, existing mashups, which do not have the channel ID parameter in their code, cannot load and users see the access control warning.
What steps are required to update the application to be compatible with this change?
If you need to maintain full availability of the mashup during the upgrade of the production environment, perform the steps in Migrating existing mashups.
Improvements to Visual Business Director (VBD)
Valid from Pega Version 7.2
Business monitoring and reporting no longer depends on the external Visual Business Director service because VBD is now embedded in the Pega 7 Platform. You add a VBD node to the cluster to access VBD for simulations and monitoring. In addition, when you use the Google Chrome browser, VBD launches as a new HTML client that provides the visualization.
For more information, see The Visual Business Director (VBD) HTML client and Accessing Visual Business Director (VBD).
Interact with cases from external applications
Valid from Pega Version 7.2
You can now achieve API case integration by using the Integration case-wide property to generate code that allows you to interact with cases from external applications. The Generate create case microservice code option for microservice APIs automatically generates code that is specific to your case type. This option complements the Generate mashup code option, which generates code that you can use to embed Pega 7 Platform content in another application's web page.
Automatic separation of date input
Valid from Pega Version 8.5
Date fields in Date Time controls now automatically divide strings of input into days, months, and years. In single fields, the system adds slashes (/) as the user types the value. For example, an input string of 10102020 becomes 10/10/2020. In separate day/month/year fields, the system automatically switches from one field to the next as the user types the value. This enhancement improves the user experience by helping to users provide input in a more convenient and time-efficient manner.
For more information, see Configuring a Date Time control.
Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service
Valid from Pega Version 8.5
Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.
Token Introspection service
Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication.
Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT).
Token Introspection service endpoint
The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid:
- Valid tokens have the
“active”:truestatus - Invalid tokens have the
“active” :falsestatus.
The inactive status can also be due to revocation.
Token Denylist service
You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.
Keys endpoint
Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.
For more information, see OAuth 2.0 Management Services.
Search and Reporting does not index large items
Valid from Pega Version 8.5
When using the Search and Reporting (SRS) microservice in Pega Platform™ 8.5, you might encounter problems with indexing large out-of-the-box rules. The issue is not visible in Queue Processors, but you can access logs to verify which items the system does not index.
Processes run by default when a stage is restarted
Valid from Pega Version 7.2
The Run on re-entry check box in Case Designer has been removed. As a result of this change, processes run by default each time that a stage is restarted. Users who previously had this check box cleared can use the Start when option in Case Designer instead to define the criteria for skipping a process.
For more information, see Adding a process to a stage.
User Interface
Valid from Pega Version 7.1.4
This release had a focus around improving support for accessibility for all the PRPC UI Components as well as extending capabilities for responsive design with grids and tabs. A series of cosmetic changes and fixes are included.
- Improvements have been made for action items being opened in a dynamic container.
- Row repeat functionality in sections has been improved to better handle source properties.
- Screen layouts have been optimized for the iPhone platform
- The display on dynamic containers has been enhanced to provide the same behavior for both single-mode and multi-mode.
- The Launch Harness feature has been improved to launch into a pop-up window.
- The operator menu will now display from the Case Manager portal.
- The Primary Page functionality has been enhanced for control-defined Repeating Tab Headers.
- Using local actions defined as modal windows has been enhanced to work in an iPAD using a Safari browser.
- When using a modal dialog to open a flow action in a repeat grid, to add an item to the list, users may now cancel out of this dialog if no changes are needed.
Custom properties can be passed to an Oracle database
Valid from Pega Version 7.2
You can pass a customizable set of property values to an Oracle database when a connection is established so that an SQL statement can be run. This feature provides the ability to implement object-level security for data access from a Pega 7 Platform application by defining Virtual Private Databases (VPDs) on class tables that reference the information passed. For example, you could pass in an operator's branch office into the context of every query run against the Oracle database to ensure that the operator has access only to data that is applicable to the operator's branch.
This feature is available only for Oracle databases and for a Data-Admin-DB-Name instance that is not PegaRULES or PegaDATA, and has the same connection metadata (JNDI, URL) as PegaData.
See Passing custom properties to an Oracle database.