Hello,
We are currently adressing BAC issues in our custom code.
However, Post upgrade to PegaPlateform 8.8.4 we can’t see the secu0019 alerts logged into PDC or Security alert logs anymore,
our current BAC configuration is :
pzSecureFeature when rule is true
pyShowSecureFeatreWarnings = false
pyBlockUnregistredRequests = false
I don’t quiet understand the reason behind it. Would you please explain?
@MeriemA16758953 The change in the logging of SECU0019 alerts after upgrading to Pega Platform 8.8.4 is due to the fact that version 8.4.4 suppresses false entries by default. This means that the SECU0019 alerts, which were previously logged, are no longer being recorded as a result of this update. The alerts were identified as false positives triggered by a defect in the Pega code, and the current situation in version 8.4 does not pose any security risks related to SECU0019.
Therefore the absence of these alerts indicates that the system is functioning as intended without logging false positives related to security.
@MarijeSchillern thank you for your response.
It is true that the majority of alerts we had were generated by OOTB rules.
But if I activate the BAC switches (pyBlockUnregistredRequests = true),
I would still have some of the application controls blocked (403 errors ..), and The security alerts are logged into the security
logs.
@MeriemA16758953 think it would be better if you raise a support ticket for this via the MSP. Make sure you raise this as an issue to illustrate that you believe it is not working as documented and have a reproducible scenario you can demonstrate to the support team.
Please provide the INC id here so that we can help track it.
@MarijeSchillern ok thanks. this is the ref of the SR ticket INC-B47252.
@MeriemA16758953 I am following the issue and I can see that our support team passed you on to our Ask the Expert - Basic Access Control with Elisha Tanikonda and Rachit Agarwal SME’s.
I am just updating the post with the latest status, and also to advise you that we are waiting for further SME input based on your recent confirmation that you have followed all the recommended steps but that the issue still remains.
Explanation given by GCS:
Pega Platform™ includes the ability to invoke server functionality through activities, which are JavaScript APIs with wrapper rules. To improve the overall security of the application, only allow authorized access to these activities through JavaScript or AJAX code.
Introduced in Pega Platform version 8.5, BAC is a security feature that protects your application from unauthorized access.
BAC protects your application by verifying requests at the application layer and provides additional request verification when you use autogenerated controls.
pzSecureFeature:
AND
In other words, the access control check is not done when the client is using Dev Studio, App Studio, Admin Studio, or Prediction Studio and the client is mobile or hybrid. The check is done everywhere else.
pyShowSecureFeatreWarnings :
pyBlockUnregistredRequests = false
Note: The default value is False when the production level is < 2. When the production level is changed to 2, the value changes to True.
Note:
Pega Platform version 8.5 introduced this feature. When pyBlockUnregisteredRequests is enabled in development, the application development team can detect and respond to any problems with unauthorized or unregistered requests well ahead of application staging and production deadlines. In Pega Platform versions 8.5.6 and higher, 8.6.3 and higher, and 8.7 and higher, the when rule blocks unauthorized requests by default at production level 2 (Development/Test) or higher. In versions prior to 8.5.6, 8.6.3, and 8.7, the when rule blocks unauthorized requests by default at production level values of 4 (4 is Staging, 5 is Production) or higher. See Verifying requests when using custom controls for registration steps for the user request based on the various scenarios. As a security best practice, ensure that you properly enable pyBlockUnregisteredRequests to return a value of True to block unregistered requests.
More detail:
If pzSecureFeature=true – > : Application level checking is on. When an access violation is found, a security alert is logged that says “Unregistered request encountered”; default behavior. Security alert log
if pyBlockUnregisteredRequests=true → You will be able to catch http responses and able to see output on the dev tool console. Security alert log + console logs and you will be able to see which function/feature not working and it might help to identify easier BAC issues.
You had follow up question because the behavior on application post upgrade is not like GCS explained:
IE “if pzSecureFeature=true – > : Application level checking is on. When an access violation is found, a security alert is logged that says “Unregistered request encountered”; default behavior. Security alert log”
Instead, we have no alert logged, even though the application level checking is on
Answer provided by SME ON 15 November:
So, when pyBlockUnregistredRequests is set to true, Pega would try to check if the request is valid request or not. If not, it will throw a 403 alert(you can check the network request in the Dev tools) and user will be blocked with their work.
When it is set to false, Pega would not throw any 403 alert(in the Dev tools) and users will not be blocked with their work.
However, in both these situations, Pega would throw a Secu0019 ALERT as Secu0019 does not depend on the when rule.
I have not came across scenario where even though a it is a valid BAC scenario, and still this does not gets printed in the logs. Can you can please let us know if this is happening across all environments or if in one specific environment.
Also users are best advised to be latest UI-KIT version. For 8.8.4, it is UI-KIT 15:01.
Ensure that you are testing the scenario by directly logging as an End User.
If you login to Dev Studio and then launch the End User portal, BAC feature will not turn on (based on the logic in pzSecureFeatures when rule).
In case you are on a multi-node environment (whilst testing through as an EndUser), please ensure to check the Alert Security logs in all the nodes. Alternatively, login using the direct node URL and check for the logs for that node.
In case the suggestions do not help, we will continue the investigation via the support ticket, we see that you have an active INC.
As it sounds like the issue is not behaving as instructed by our SME’s I am checking whether you need to continue to work with GCS in the open support ticket INC-B47252
@MarijeSchillern Thanks for your response. So, the issue is happening accross all the environments.
All the testing scenarios are done directly logging as an End User.
The ticket is currently open for investigation through the SR ticket.
Regards,
Meriem
@MeriemA16758953 I can see that INC-B47252 has been closed with the following explanation:
After discussion with our engineers, with the below configs you are able to see alerts for all the operators
pzSecureFeature =true
pyShowSecureFeatreWarnings = true
pyBlockUnregistredRequests = false.
With the above settings users can monitor secu0019 from the alert security logs in dev studio and pdc as well.