Skip to main content
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Pega Customer Service enhancements to prevent Broken Access Control

Broken Access control (BAC) refers to all access control issues in web applications that allow end users to gain unauthorized access to privileged data and functionality. Open Web Application Security Project (OWASP) identifies BAC as one of the top 10 security vulnerabilities. BAC usually occurs when users can bypass access control checks by leveraging vulnerabilities such as uniform resource locator (URL)-based requests that do not verify user privileges.

For more information about the Pega Platform enhancements to prevent Broken Access Control (BAC), see Protecting the application layer.

In the 8.3 release, Pega Customer Service has modified the rules that call secured activities in the Pega Platform. The query strings and parameters in the calls are registered so that they cannot be tampered with by the end users.

The following list shows the modified rules for Pega Customer Service. If you have overridden any of these rules in your Pega Customer Service for Insurance implementation layer, you need to update them with the changed rules. Run the Pre-Upgrade Checker to identify which of these changed rules are overridden in your implementation layer. For information about the Pre-Upgrade Checker, see the Pega Customer Service and Pega Sales Automation Upgrade Guide on the Pega Customer Service product page.

# Rule Rule name Class name Available
1 Rule-HTML-Section ChatToasterPop ChannelServices-Interaction-Chat Yes
2 Rule-HTML-Section CSShowOffers Int-PegaCDH-Container-Offer Yes
3 Rule-HTML-Section CPMAccountDetails PegaCA-Interface-Contact Yes
4 Rule-HTML-Section CSOffer Int-PegaCDH-Container-Offer Yes
5 Rule-HTML-Section CSShowNextBestAction Int-PegaCDH-Container-Action Yes
6 Rule-HTML-Section CustomerAcceptedRequest PegaCA-Work-CobrowsingSession Yes
7 Rule-HTML-Property SlotPicker NA Yes
8 Rule-HTML-Section CPMIPSearchResults CPM-Portal Yes
9 Rule-HTML-Section CPMAutoLauchServiceProcess PegaCA-Work Yes
10 Rule-HTML-Section CPMFavoritesListDisplay CPM-Portal Yes
11 Rule-Navigation CPMSearchResultMenu CPM-Search-Result Yes
12 Rule-Navigation CPMProspectSearchResultMenu PegaCRM-Entity-Contact Yes
13 Rule-HTML-Section CaseLockLostInfo PegaCA-Work-Interaction Yes
14 Rule-HTML-Section CACollectSessionCode_FA PegaCA-Work-CobrowsingSession Yes
15 Rule-HTML-Section CPMConfirmIncludes Work- Yes
18 Rule-HTML-Section AutoClose Work- Yes

    In addition to the above changes, several Pega Customer Service activities that do not need to be started from a client in the form of an AJAX call or any other UI request have also been modified. The Allow direct invocation from the client or service check box is cleared for these activity rules. To see the list of modified activity rules, download the CSH-List-of-Activity-Rules-URL-Tampering.xlsx file.

    Suggest Edit
    Did you find this content helpful?

    100% found this useful

    Have a question? Get answers now.

    Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

    Ready to crush complexity?

    Experience the benefits of Pega Community when you log in.

    We'd prefer it if you saw us at our best.

    Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

    Close Deprecation Notice
    Contact us