Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Pega Customer Service for Communications modified rules for BAC prevention

Updated on January 14, 2022

+

This content applies to On-premises, Client-managed cloud and Pega Cloud environments

In release 8.3, Pega Customer Service for Communications has modified the rules that invoke secured activities in Pega Platform. The query strings and parameters in the calls are registered so they cannot be tampered with by the end users.

If you have overridden any of these rules in your Pega Customer Service for Communications implementation layer, you need to update them to use the changed rules. Run the Pre-Upgrade Checker to identify which of these changed rules are overridden in your implementation layer. For information about the Pre-Upgrade Checker, see the Pega Customer Service for Communications Upgrade Guide on the Pega Customer Service for Communications product page.

For information about the enhancements to prevent Broken Access Control (BAC), and to see a list of rules and activities that were modified for all Pega Customer Service applications, see Pega Customer Service enhancements to prevent Broken Access Control.

The following list shows the modified rules for Pega Customer Service for Communications. If you have overridden any of these rules in your Pega Customer Service for Communications implementation layer, you need to update them with the changed rules.

RuleRule nameClass nameAvailable
Rule-HTML-SectionHIDDENSECTIONPEGACA-WORK-INTERACTIONYes
Rule-HTML-SectionWRAPUPINTERACTIONPEGACA-WORK-INTERACTIONYes

In addition to the changes in the preceding table, several Pega Customer Service for Communications activities that do not need to be started from a client in the form of an AJAX call or any other UI request have also been modified. The Allow direct invocation from the client or service check box is cleared for these activity rules. To see the list of modified activity rules, download the CSC-List-of-Activity-Rules-URL-Tampering.xlsx file.

  • Previous topic Legacy Customer Service for Communications design patterns
  • Next topic Configuring the security deposit property in the Transfer line service case

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us