INC-137709 · Issue 584297
New security role added to restrict access to development-specific classes
Resolved in Pega Version 8.5.1
A new security role and related RAROs have been implemented to allow better security for end users on non-BAC systems. This restricts access to Rules and execution of activities on classes that are development-specific.
INC-128811 · Issue 587213
Operator created with save-as has correct application access
Resolved in Pega Version 8.5.1
Creating an operator using Save As retained access to the applications of the original operator even if they were removed in the creation process. This was due to the saveAs operation of the Operator not retaining consistency between the records in the ValueList pyAccessGroupsAdditional and the page list pyaccessgroups_opid. To resolve this, the PreSaveAs of the Operator ID has been updated to maintain consistency in the records.
INC-132517 · Issue 578985
Correct manager name retained for skill-based routing updates
Resolved in Pega Version 8.5.1
In App Studio, having a manager update a team member's skills changed that team member's reporting Manager name (.pyReportTo) upon save. This was a use case where multiple operator IDs were required for the same person (name and email), so that using the report definition parameter 'BestOperatorValue' for the pzUpdateOperatorInfo activity caused an incorrect manager name to be set to the team member's operator ID. This has been resolved.
INC-127392 · Issue 574286
Delegated Decision table rule grid loads in iFrame with SSO
Resolved in Pega Version 8.5.1
The delegated decision table rule grid and checkout options were not displayed when launched from iFrame using SSO sign in. Without SSO, the delegated decision table grids were loading properly for the same Access group. The heart of this issue was that decision tables were using an older style of Designer Studio javascript which was not designed to be embedded in an iFrame due to issues related to Cross-Origin Resource Sharing (CORS). In order to support the usecase of the Pega end user portal/application being integrated to an external domain application using an iFrame, enhancements have been made to the necessary delegated rule function definitions.
INC-135095 · Issue 581849
Tracer toolbar shows correctly in IE
Resolved in Pega Version 8.5.1
After upgrade, the developer toolbar for the tracer pop up was not visible in Internet Explorer. Investigation showed that Microsoft Internet Explorer was loading the correct elements, but they were not displaying due to recent updates made to prevent Cross-site scripting vulnerabilities for the tracer. This has been resolved.
INC-129275 · Issue 577016
Resolved errors when refreshing test case
Resolved in Pega Version 8.5.1
On refreshing any test case for decision tables, a "rule no longer exists" error appeared on screen and a pzRuleNotFound exception was generated for all testcases in tracer. This was traced to Rule-Utility-Function lookup parameter handling in the pzGetFreshLabelForRUT decision table: because the Rule-Utility-Function was not able to fetch the label and the caller step in an activity, it was ending with a fail status and generating the errors. This has been resolved by correcting the Rule-Utility-Function calls in the decision table pzGetFreshLabelForRUT to ensure it has the correct parameters.
INC-135266 · Issue 584590
Cross-site scripting protections updated
Resolved in Pega Version 8.5.1
Cross-site scripting filtering has been added to IDs related to login.
INC-135849 · Issue 582939
Encrypted SOAP response token generation updated
Resolved in Pega Version 8.5.1
After configuring a SOAP service that used signature and encryption on the response, the response being created was incorrect and could not be decrypted by the receiver. Investigation showed that the API used to generate the SOAP headers was not setting the wsse11:TokenType element, causing receivers which enforce BSP compliance to fail. This has been resolved by modifying the custom webservices-rt-pega2 jar to set the token type in the case of a response encryption policy.
INC-138354 · Issue 584722
Handling added for samesite cookies with httpOnly
Resolved in Pega Version 8.5.1
After enabling samesite cookies on Google Chrome to support Mashup login, intermittent issues were seen with a non-mashup login where entering the OperatorID and password only resulted in a refresh of the login screen. This was traced to a scenario where an httponly cookie attribute was present along with samesite cookie attributes, and has been resolved by adding handling for a condition where samesite is set and httpOnly is enabled.
INC-130145 · Issue 582855
Null checks added for the presence of roles and dependent roles
Resolved in Pega Version 8.5.1
Frequent Null Pointer errors were being generated relating to SecurityAnalysisForSecurityAdministratorsTask.getCurrentSecurityTaskDetails(). Investigation showed that the Origin and Stack trace tabs were empty, leading to the obj-open of the role failing when the role was not available in the system being utilized. This has been resolved by adding a series of null checks for role existence and dependent roles existence.