SR-B66996 · Issue 315524
Access control policy logic added for non-work/data/assign classes
Resolved in Pega Version 7.3.1
As part of ABAC (Attribute-based access control) restrictions, if a class property was of type PageList, security had to be created in the PageList property class type. However, if the pagelist was of type "Embed-" class then it was not possible to create security policy due to the inability to apply property masking for page list properties of that class. To resolve this, property masking implementation logic has been added to support page list properties of non-work/data/assign classes for access control policies.
SR-B55119 · Issue 312817
Handling added for absent property in Access When
Resolved in Pega Version 7.3.1
Configuring Access Control Policy to automatically restrict access to certain records by including an Access When rule to compare a custom property (.Consultant) on the OperatorID (Data-Admin-Operator-ID) page generated an exception if that property did not actually exist on the current operator. This has been resolved by revising the security policy engine to handle the exception.
SR-B71077 · Issue 323027
IDP Encrypted connections working on SAML
Resolved in Pega Version 7.3.1
IDP initiated SAML 2.0 was not working, and generated the error "Unable to process the SAML WebSSO request : Missing Relaystate information in IDP Response". Authentication worked fine with unencrypted SAML token. This schema validation failure happened because encrypted attributes were previously being ignored by Pega due to an issue in the underlying openSAML library. To resolve this, a custom PegaSAMLValidator has been inserted to validate the assertion and honor encrypted attributes.
SR-B56328 · Issue 312168
RARO rules more secure against deletion
Resolved in Pega Version 7.3.1
In order to make RARO rules more secure, the system has been updated such that Class Permissions can't be deleted from the role unless the operator has permission and is operating in a valid context (unlocked ruleset). This has been done by revising the Role rule form to disable the delete button when RARO/RADO is in a locked ruleset.
SR-B57046 · Issue 314358
Parameters removed from on-screen error messages to protect sensitive data
Resolved in Pega Version 7.3.1
It was discovered that sensitive information such as account numbers used as parameters were being displayed in exception error messages displayed on the screen. Including the parameters as part of the error is intended to aid in debugging the problem, but these parameters do not need to be displayed in the UI. In order to protect potentially sensitive data, parameter values have been removed from the exception message. When the DeclarativePageDirectoryImpl logger is enabled, the parameters will be entered into the Pega log files and not shown on screen.
SR-B67143 · Issue 316168
Proxy configurations made available to OAuth2 and other clients
Resolved in Pega Version 7.3.1
Setting up Proxy for the REST Connector was not working when using OAuth2. When using OAuth2 authorization for Connector features including REST Connectors, the com.pega.pegarules.integration.engine.internal.client.oauth2.OAuth2ClientImpl class is used for connections to the OAuth2 Provider for interactions such as fetching authorization tokens. However, OAuth2ClientImpl does not have the required code for "picking up" the JVM-level proxy settings and applying them to the HTTP Client it uses, so the HTTP calls to the OAuth2 provider were always bypassing the configured HTTP proxy. In order to resolve this and enhance future use, the code in the RESTConnector module that allows REST Connectors to use HTTP Proxies has been extracted out into the "HTTPClientUtils" module so that it can be used by any consumer to apply the system's Proxy configuration to any instance of PegaRESTClient. OAuth2ClientImpl has been updated to call this during HTTP client setup, prior to making the request for data from OAuth2 Providers, and RESTConnnector has been updated to call this new implementation to replace the universal Proxy code that was refactored out of it.
SR-B51844 · Issue 312363
Carriage return characters escaped in automated JSON data
Resolved in Pega Version 7.3.1
Automated JSON data received from the system containing carriage return characters such as \n, \r, \t caused parsing issues. To resolve this, changes have been made in the webwb-pzPega_ui_roboticAutomation-js file such that all carriage return characters such as \n,\r,\t will be handled using an escape sequence.
SR-B37374 · Issue 309750
null-pointer exception fixed for missing rule class
Resolved in Pega Version 7.3.1
After upgrade, a null-pointer exception was generated when the class on which a rule was defined no longer existed and there was a withdrawn rule in the hierarchy. This has been fixed.
SR-B44095 · Issue 318443
Re-indexing modified with check for FTS reinitialization
Resolved in Pega Version 7.3.1
Using the Designer Studio 'Search Landing Page' to initiate a re-index of approximately 12 million work items never seemed to complete. This was traced to an unnecessary reinitialization call; the API used to reconfigure the Search node (initialized from the FullTextIndexer command line utility) uses the configure node API to remove the index directory information on the index node. This API has logic to reinitializeFTS because it is the expected behavior in normal scenarios. However, in cases using the full text indexer command line utility, we do not need to reinitalize the FTS instance as the node is a standalone node. This has been updated.
SR-B48161 · Issue 311806
Pega0001 alert honors parameter page inclusion setting
Resolved in Pega Version 7.3.1
The setting was not being properly honored, causing sensitive information to be available in the ALERT logs. This has been revised so the system will honor the above setting and if it is set to false, the parameter page will be disabled in the alert lines.