WorkLink produces 403 Unauthorized error

We are using a WorkLink corr fragment in an email. The users who will receive and open the WorkLink have a Pega oper id, so they are able to log in. The access group/roles have been trimmed down to minimal access (essentially read only).

In our Dev environment, everything works as it should. When moved to our staging environment, they receive the 403 error. I traced the “user” login in staging (26 events) and saw that pyBlockUnregisteredRequests resulted to true (see picture). When testing, I overrode that when rule to result to false, and the WorkLink opened correctly. After I reversed my changes on pyBlockUnregisteredRequests, I traced logging in as my developer oper id, which successfully showed the case instance (7200+ events). The trace showed that the result of pyBlockUnregisteredRequests was still true even though it worked.

Anyone have any experience/insight? Not sure where to go from here. Thanks!

@JasonK9, are related activities enabled for direct invocation from client?

@VikasRaidhan They are OOTB activities, but I checked and UpdateOperatorID does not allow for direct invocation. According to the tracer, the TriggerCheckCache activity being used is from the D-A-Operator-ID class. I can open it directly from the tracer, but if I try to search for the activity, there is not an instance from that class (3 other ones). However, when opened from the tracer, TriggerCheckCache does allow invocation.

@JasonK9 I checked the support ticket you opened for this investigation.

The ticket was closed January 2022.

The issue was found to be BUG-700195: due to BAC changes causing WorkLink URL generation to be updated for security.

When using a WorkLink in an email, clicking the link and entering credentials on the login screen resulted in a 403 unauthorized error. The faulty WorkLink URL generation issue was caused by the non-encryption of the RedirectAndRun activity call in the URL, and has been resolved in Pega 8.5.6.

Please update to that release or update to 8.6 or the most current Pega releases where the fix is already available.

I will proceed to close this thread based on the final analysis held in the support ticket.