Question about best practice on basic access control

Shipeng_Tian · June 14, 2024, 3:50am

We plan to upgrade CustomerServiceForFS 8.2.8 to CustomerServiceForFS 8.23.1 or later.

Currently we facing the issue 403 which result by the new feature basic access control.

Our plan is to update our code to mitigate the 403 issue. However there are some security event SECU0019 were found in the security event log which result by the Pega OOTB rules.

For example:

Issue 1: which was resulted by the rule webwb • Pega_interaction_commonUtil • js. And this rule is a final version created by Pega.

Pega - Sign In

*Unauthorized request detected : Unregistered request encountered with params pyActivity:pzRunActionWrapper pySubAction:runAct pzActivity:PegaCA-Work-Interaction.PopulateHarnessPage e*

Issue 2: similar as issue 1 which was captured the error when use the scenario test record. This issue also result by the OOTB rule and that is a final rule.

Pega - Sign In

_Unregistered request encountered with params pyActivity:pzRunActionWrapper pySubAction:runAct pzActivity:pxCreateFunctionalTestCaseStep eventSrcSection:Rule-Test-Functional-Case.pxAutomationRecorderFooter* _

If we want to enable the new BAC feature, what we should do to resolve the issue caused by the Pega OOTB rule.

Thanks,

Priyanka_Boga · June 18, 2024, 6:36pm

@Shipeng_Tian

For issue 1: In customer service framework all registration codes will be added in CPMInteractionHeader in a hidden text input actions tab. As part of the registration OOTB rule includes registration for “PopulateHarnessPage”. If not present can explicitly added registration in the same way.

Thank you.

Priyanka_Boga · June 18, 2024, 6:39pm

@Shipeng_Tian For issue 2:

There is a run script present in navigation rule pyAutomationRecorderNav . When we expand Case type label we have second run script action calling “pega.ui.automation.recorder.stepbuilder.createCaseStep” function. This is causing the BAC error/.To overcome the issue enable checkbox “Register OOTB actions used in script for URL tamper proofing” below run script and add action"Run activity".Provide the activity and parameter values dynamically to register the activity.

Thank you.

Shipeng_Tian · June 19, 2024, 5:47am

@Priyanka Boga

Thanks for your reply and suggestion.

Very helpful information

Conversation		Replies	Views
I getting forbidden 403 error for some users .how to resolve this issue General data-integration , updates , pega-cloud , 8-7-5	1	1058	July 15, 2024
Basic Access Control (BAC) Resources General security , 8-5	0	4507	July 23, 2021
getting ‘Access Control Warning’ after 8.8 upgrade User Experience user-experience , security , 8-8-4	2	295	May 25, 2024
‘Access Control Warning’ after 8.5 upgrade General system-architect , security , updates , government , 8-5	7	3398	June 7, 2022
Security alerts SECU0019 disappeared post upgrade to Pega 8.8.4 General pega-platform , senior-system-architect , security , installation-and-deployment , insurance , 8-8-4	7	208	April 22, 2025

Question about best practice on basic access control

Related topics