When was pxRetrieveReportData secured with @baseclass AllFlows and OpenDeveloperForm privileges?

We just found this during our upgrade, and it impacts how we need to set up our access roles and AROs.

Update from 8.2.5 to 8.5.4

@kolow This was done in release 8.5 as part of security changes to secure activities called directly from the client.

@chens3 Thank you for the provided insights. Is there documentation documenting the changes in the event of a release upgrade so that the customer can prepare for them in advance? This would save time for you and the team and, more importantly, it will increase customer satisfaction, as it prevents negative consequences and complaints from business users.

Hi @stumg,

Here is a link to all of our Release Notes on Pega Community.

Does that help?

@chens3 Hey, thanks for the response. Why wasn’t this documented here - Pegasystems Documentation - and why did you use the AllFlows and OpenDeveloperForm privileges?

Why not create a dedicated privilege for this, which is topic-focused, e.g. OpenReports?

@kolow I’ve seen this happen when roles get cloned from OOTB roles. To prevent potential maintenance issues when Pega updates AROs for these roles, I suggest you start leveraging the role dependency feature.

If you believe there are gaps/holes/discrepancies within any of our documentation, please click the Contact Us button on the right pane from within the documentation (that will automatically insert the link to that documentation) and then choose “Suggest a content edit”. That will send your request to our technical documentation team who will follow up on your request.

@chens3 -

Client is still having some concerns:

  1. What is the intent of such change?
  2. Is it described in the release notes, as Pega Consulting has been performing an Upgrade Assessment and missed such info?
  3. Are there similar changes done to other activities in Pega 8.5?

@Eric Rietveld Thanks a lot for your customer friendly support.

Hi @MarissaRogers

This is of course helpful.

I just cannot judge whether, as indicated in this example, the change mentioned here is sufficiently described and what impact it has for our clients to apply this new function.

A generally included explanation of why this change was made and what other possible alternative procedures are available will certainly help to avoid misunderstandings and customer inquiries.

Thank You

Georg

Hi @AndreasHubenthal, some good news on this topic. I’ve looked into this specific change in more detail and agree with you that those privileges are not the best solution. Fortunately, this issue has been reconsidered and is now getting addressed in the next patch release. So be on the lookout for a change, so you can revert back any workaround you’ve used so far.

***Edited by Moderator Marije to add Resolved Issues documentation link ***

See changes documented from 8.5.6 onwards: Pega Platform 8.5.6 Patch Resolved Issues

Issue 665482:

Privileges adjusted for RetrieveReportData

In recent versions of Pega, pxRetrieveReportData was secured with @baseclass AllFlows and OpenDeveloperForm privileges. However, this can interfere with setting up roles after update. To resolve this, the privilege restrictions have been removed from pxRetrieveReportData as it is already protected by ABAC/RBAC.