‘Access Control Warning’ after 8.5 upgrade

General
, , , ,
1

After upgraded from 8.3.4 to 8.5.2 (CRM) the following ‘Access Control Warning’ shows in the top header of the external Portal. It does not happen for our developer/Admin role but it shows for all the other roles.

Tried to change the below WHEN rules to false but they are already ‘Withdrawn’ and/or False.

  • WHEN: pySecureFeatures = False
  • WHEN: pyShowSecureFeatureWarnings = False
  • WHEN: pyBlockUnregisteredRequest = False

Also tried to remove privilege ‘crmCanCSUserRunActivity’ from activity: pyOnBeforeWindowClose in ruleset PegaCS-Specialization:08-05-01.

Issue still persist.

How can this be removed or prevented from displaying….

See Attachment

Access Control Warning.docx (33.9 KB)

2

Hi @HenryA80,

The following access control check community link may help. If the issue is on OOTB control please create an incident with Pega support.

https://community.pega.com/knowledgebase/articles/security/85/using-access-control-checks

Please let me know if this help.

Thanks,

Gowrishankar.

3

@GOWRISHANKAR

The article mentioned is about finding the rules and fixing the issues.

For now we would prefer to disable this feature or prevent from displaying in the UI portal.

How can we do this…

4

@GOWRISHANKAR we are facing the same issue (8.5.3). We’ve gone through this article and refactored all rules listed under the Access Control Health Check. Now our health check is clean, but we still see this warning displayed for non-admin users. Please advise.

5

@KevinH26 We were able to resolve the issue by setting this WHEN condition to false. Previously we thought we already tried this but apparently this one was missed. Hope this helps.

  • WHEN: pyShowSecureFeatureWarnings = False
6

@GOWRISHANKAR

We were able to resolve the issue by setting this WHEN condition to false. Previously we thought we already tried this but apparently this one was missed. Hope this helps.

  • WHEN: pyShowSecureFeatureWarnings = False
7

@HenryA80 But, Is this is the suggested fix ?

I believe fix should be probably to make the feature ‘secure’ or register the control to be called from unregistered resources.

8

@ShashankS1832

We are also seeing this issue on multiple versions of Pega 8.6.x post upgrade.

Scenarios where we see error /blocked requestors due to violation of the default security feature

  1. Invocation of an incoming Snapstart or Mashup URL which is not encrypted
  2. A button action on a Section or a Navigation rule invokes a JavaScript function without registration
  3. A custom Control issues a request to call an Activity without registration
  4. A custom Control invokes an URL which is not encrypted

Below documentation provides guidance on how to secure your application and comply with this security feature when you turn on the 3 aforementioned when rules to return TRUE.

https://docs.pega.com/security/86/identifying-custom-controls-configure

For auto generated Sections or Navigation rules, the registration is simple, you can check the “Register OOTB actions used in script for URL tamper proofing” checkbox if you are using “Run Script” option. For non auto generated HTMLs, Custom Controls etc., the above links provide steps to perform for securing them. Additionally, if you use Mashup or Snapstart in your application, you should encrypt those URLs.