Discussion
Pegasystems Inc.
US
Last activity: 19 Nov 2024 11:25 EST
Ask the Expert - Basic Access Control with Elisha Tanikonda and Rachit Agarwal
Welcome to our first ever Ask the Expert session on Basic Access Control (BAC) with Elisha Tanikonda and Rachit Agarwal.
Session dates: 11 November - 22 November
Session opens to questions on 11 November!
Meet Your Expert Elisha Tanikonda
Greetings! I am Elisha Tanikonda. I have been with Pega for the last 15 years, mostly working in the Global Client Support organization (I recently earned my bobble head :-)).
Meet Your Expert Rachit Agarwal
Greetings, this is Rachit Agarwal. I've worked with clients throughout the years, helping them solve problems all across the world. In addition, I work with cross-functional teams to discuss best practices, improve products, create troubleshooting documentation, and more.
Message From Your Expert Elisha Tanikonda
Supporting our clients and troubleshooting their issues is something near and dear to me, and it is what keeps me motivated to come to work each day. In recent years I have had the opportunity to work closely on the BAC (Basic Access Control) security feature of the Pega Platform. I am super excited to work closely with you and help answer any questions you might have, especially in this product area, so please don't hesitate to post your questions here!
Message from Your Expert Rachit Agarwal
I'm here to share with you the knowledge I've gathered over the years regarding Pega's Basic Access Control functionality. I'm thrilled and anticipating a fascinating discussion!
Ask the Expert Rules
- Follow the Pega Support Center's Rules of Engagement
- This is not a Live Chat - Elisha will reply to your questions over the course of the session
- Questions should be clearly and succinctly expressed
- Questions should be of interest to many others in the audience
- Have fun!
Updated: 13 Nov 2024 9:10 EST
Pegasystems Inc.
US
We would like you to be aware of some of the basics regarding the BAC feature:
1. The documentation link: https://docs.pega.com/bundle/platform/page/platform/security/bac.html
2. The when rules and the DSS that govern the BAC feature: https://docs.pega.com/bundle/platform/page/platform/security/verify-req…
Please feel free to let us know if you have any questions as you use this feature
Updated: 15 Nov 2024 10:11 EST
Natixis
FR
Hello,
My client is currently addressing BAC issues in our custom code.
MyApplication is based on UIKit 11.01.
Our current BAC configurations are:
- pzSecureFeatures when rule is "true".
- pyShowSecureFeatureWarnings = "false".
- pyBlockUnregisteredRequests = "false".
Usually, with the above configurations, whenever we run the application from an End User portal we get SECU0019 security alerts related to BAC violations, since we have some UI controls that call unregistered rules.
However, post upgrade to Pega Platform 8.8.4, even though the application checking is ON, we no longer see the SECU0019 alerts in the logs.
We can have them caught in the logs only if we change pyBlockUnregisteredRequests from false to true.
Can you please clarify why, even though application checking is ON, the SECU0019 alerts are not logged.
Thank you,
Meriem | Pega- Senior System Architect consultant
Pegasystems Inc.
US
@MeriemA16758953 Hello, thank you for the query.
So, when pyBlockUnregisteredRequests is set to true, Pega will check whether the request is a valid request or not. If not, it will return a 403 (you can check the network request in the Dev tools) and the user will be blocked from their work.
When it is set to false, Pega will not return any 403 (in the Dev tools) and users will not be blocked from their work.
However, in both of these situations Pega will log a Secu0019 ALERT, as Secu0019 does not depend on the when rule.
I have not come across a scenario where it is a valid BAC scenario and still the alert does not get printed in the logs. Can you please let us know whether this is happening across all environments or in one specific environment.
Also, as I mentioned before, users are best advised to be on the latest UI-KIT version. For 8.8.4, it is UI-KIT 15.01.
Pegasystems Inc.
US
I second Rachit
@MeriemA16758953 please ensure that you are testing the scenario by directly logging as an End User.
If you login to Dev Studio and then launch the End User portal, BAC feature will not turn on (based on the logic in pzSecureFeatures when rule).
Thank you
Natixis
FR
@Elisha Tanikonda Yes, as I mentioned in my first post, we are testing as an End User.
Thank you,
Meriem | Pega- Senior System Architect consultant
Natixis
FR
@Rachit_Agarwal thanks for your response. Well, the issue is happening across all environments, from DEV to Production.
Thank you,
Meriem | Pega- Senior System Architect consultant
Pegasystems Inc.
US
Hi Meriem
Sorry that you are still having this issue!
Here are some additional troubleshooting steps, please see if this scenario applies to you!
In case you are on a multi-node environment, please ensure to check the Alert Security logs in all the nodes. Alternatively, login using the direct node URL and check for the logs for that node.
In case the suggestions do not help, we will continue the investigation via the support ticket, we see that you have an active INC.
Thank you
Pegasystems Inc.
US
The Pega documentation for Basic access control does not explain how the Pega engine determines whether an HTTP request invoking an activity is secure or not.
For example, if there is an ajax call from the frontend that invokes the activity "Work-.Foo", how does the Pega engine determine whether this call is secure or not? Does the Pega engine look up a "safe call" whitelist in order to determine this, or does it use some other way?
Please provide a high-level picture of how BAC is supposed to work.
Updated: 14 Nov 2024 0:15 EST
Pegasystems Inc.
US
Hello Yining
Great question! Please review below my response, hope it helps!
Scenario 1: When rule pyBlockUnregisteredRequests is set to return false
The Pega engine will not block the unregistered requests; you will not see an HTTP 403 status code in the network trace. However, Pega will still log the SECU0019 alert code in the AlertSecurity log file (so, letting you know that you still need to take care of these alerts).
Link below will provide additional information on the rules that govern the BAC feature
Scenario 2: When rule pyBlockUnregisteredRequests is set to return true
The Pega Engine will block the unregistered requests; you will see an HTTP 403 status code in the network trace and also SECU0019 in the AlertSecurity log file.
When the Engine receives a call for Work-.Foo, it verifies whether Foo is already registered or not. If it is not registered, it will throw SECU0019 with a message that Foo is not registered.
You will need to use this registration API to register your activity rule - pega_rules_utilities.pzRegisterActivity(tools, "Work-.Foo");
Further, this page will help to understand other registration APIs https://docs.pega.com/bundle/platform-88/page/platform/security/action-category-other.html
Please feel free to let us know if you have further questions.
Thank you
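The two scenarios above, and the earlier reply to Meriem that the alert is written regardless of the when rule, can be summarised as a small decision model. The block below is an added illustration, not Pega's own code: the real registry, when-rule evaluation and alert writer are internal to the platform. The class and function names (`Request`, `BacEngine`, `handle`, `run_scenarios`), the section name `MyApp-Work.CustomLinks` and the shape of the alert string are assumptions made for this model; only the rule names pzSecureFeatures and pyBlockUnregisteredRequests, the registration API, the SECU0019 code and the HTTP 403 outcome come from the thread.

```python
"""Toy model of the BAC registration check (added example, not Pega code)."""
from __future__ import annotations

from dataclasses import dataclass, field

SECU0019 = "SECU0019"


@dataclass
class Request:
    """One end-user request as the validator would see it (constructed for this model)."""
    activity: str                  # value of the pyActivity parameter, e.g. "Work-.Foo"
    event_src_section: str         # section that issued the request (eventSrcSection)
    from_dev_studio: bool = False  # portal launched from Dev Studio: pzSecureFeatures stays off


@dataclass
class BacEngine:
    """Hypothetical stand-in for the platform's registration check."""
    block_unregistered: bool = False                   # models the pyBlockUnregisteredRequests when rule
    registered: set[str] = field(default_factory=set)  # the "safe call" allowlist
    alert_log: list[str] = field(default_factory=list) # what would land in the AlertSecurity log

    def register_activity(self, name: str) -> None:
        """Models pega_rules_utilities.pzRegisterActivity(tools, name)."""
        self.registered.add(name)

    def secure_features_enabled(self, req: Request) -> bool:
        """Models pzSecureFeatures: the check is active only for a direct end-user login."""
        return not req.from_dev_studio

    def handle(self, req: Request) -> int:
        """Return the HTTP status the caller observes; append SECU0019 when the check fires."""
        if not self.secure_features_enabled(req):
            return 200
        if req.activity in self.registered:
            return 200
        # The alert is written whether or not blocking is on; only the status differs.
        self.alert_log.append(
            f"{SECU0019}*Unauthorized request detected : Unregistered request encountered "
            f"with params pyActivity:{req.activity} eventSrcSection:{req.event_src_section}"
        )
        return 403 if self.block_unregistered else 200


def run_scenarios() -> dict[str, tuple[int, int]]:
    """Replay the thread's scenarios; returns {name: (http_status, alerts_logged_so_far)}."""
    req = Request("Work-.Foo", "MyApp-Work.CustomLinks")  # constructed names
    results: dict[str, tuple[int, int]] = {}

    eng = BacEngine(block_unregistered=False)             # scenario 1: alert only
    results["scenario1_not_blocking"] = (eng.handle(req), len(eng.alert_log))

    eng = BacEngine(block_unregistered=True)              # scenario 2: alert and 403
    results["scenario2_blocking"] = (eng.handle(req), len(eng.alert_log))
    eng.register_activity("Work-.Foo")                    # the fix: register the activity
    results["scenario2_after_registration"] = (eng.handle(req), len(eng.alert_log))

    eng = BacEngine(block_unregistered=True)              # launched from Dev Studio: no check at all
    dev = Request("Work-.Foo", "MyApp-Work.CustomLinks", from_dev_studio=True)
    results["launched_from_dev_studio"] = (eng.handle(dev), len(eng.alert_log))
    return results


if __name__ == "__main__":
    for name, (status, alerts) in run_scenarios().items():
        print(f"{name:32s} HTTP {status}  alerts logged: {alerts}")
```

The last scenario is why testing must be done as a directly logged-in end user: a portal launched from Dev Studio produces neither a 403 nor an alert, so a "clean" log proves nothing in that setup.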
Pegasystems Inc.
US
Hello all
Today we would like to present the topic "Recognizing BAC issues"
- Using the OOTB wizard you can easily identify the custom rules/code that are causing the BAC errors in your application.
- Simply run the tool "Access Control Check" from your Dev Studio
Follow the steps here on how to use this tool
https://docs.pega.com/bundle/platform-88/page/platform/security/use-access-control-checks.html
Please feel free to let us know if you are facing any issues using this tool OR have any questions in general about the BAC feature, we are here to help you!
Thank you
Pegasystems Inc.
US
Hi Team,
Today we are sharing some best practices to avoid SECU0019 / HTTP 403 errors:
- Refrain from using deprecated layouts (e.g. Tab Group Layout) and deprecated controls.
- Be on the latest UI-KIT and Theme-Cosmos version applicable to the Pega Platform version.
- If the environment has been recently upgraded, check the harness: an old harness (from 7.x versions) uses Client runtime version 05-04; upgrade the client runtime version to 06-02. This change is irreversible, and once it is done the Client runtime version field will no longer be visible.
- Check custom controls, HTML/JSP code, and check if the use case can be re-designed to use OOTB configurations.
Pegasystems Inc.
US
@Rachit_Agarwal Is upgrading the client runtime version as simple as picking version 06-02 and saving the harness rule? Is any follow-up action needed after that, such as regression testing? Might this change bring other issues or unwanted effects?
Pegasystems Inc.
US
@lu__y Yes, exactly: we just pick version 06-02 and save the harness rule. It is a recommended change and should not require any regression testing. Ideally it should not bring any unwanted change.
Updated: 15 Nov 2024 13:04 EST
Pegasystems Inc.
US
Hi Team, I would like to explain how to read a Secu0019 ALERT. This is how a common Secu0019 security alert appears:
2024-11-08 15:32:14,763 GMT*8*SECU0019*0*0*pega-web-nodeid-*NA*NA*H_browserrequestor*operatorid*classname*null*015c53c7a61e02096594544082ff74b2*N*1178*H_browserrequestor*6585*http--exec-65*TABTHREAD3*BACValidator*env| Proprietary information hidden*Activity=removeThead*Rule-Obj-Activity:removeThead*@BASECLASS REMOVETHEAD #20180713T131559.565 GMT Step: 4 Circum: 0*0*false*NA**NA*NA*NA*NA*NA*NA*NA*NA*Unauthorized request detected : Unregistered request encountered with params pyActivity:pyDeleteDocumentPg eventSrcSection:Link-Attachment.DownloadDocument*
So, we should always read from "Unauthorized request detected..."; whatever comes before that should be ignored, as it is not related to the Secu0019 alert.
So, in this case we should read it as: Unauthorized request detected : Unregistered request encountered with params pyActivity:pyDeleteDocumentPg eventSrcSection:Link-Attachment.DownloadDocument
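The reading rule above (find the alert code, skip everything before "Unauthorized request detected", then pull the pyActivity and eventSrcSection parameters) is easy to automate, which matters when an AlertSecurity log contains hundreds of lines across nodes. The block below is an added example, not Pega tooling: the sample log lines are constructed to match the field layout of the alert shown above (node, operator, class, activity and section names are made up), and the function names `parse_secu0019` and `summarize` are my own. It tallies alerts by (pyActivity, eventSrcSection) so the noisiest unregistered call is fixed first.

```python
"""Parse SECU0019 lines from a Pega AlertSecurity log (added example, not Pega code)."""
from __future__ import annotations

import re
from collections import Counter

ALERT_CODE_RE = re.compile(r"\*(SECU\d{4})\*")   # alert code sits between '*' separators
MARKER = "Unauthorized request detected"           # everything before this is context, not the alert

# Constructed sample lines shaped like the alert quoted above; values are invented.
SAMPLE_LINES = [
    "2024-11-08 15:32:14,763 GMT*8*SECU0019*0*0*pega-web-node1*NA*NA*H_browserrequestor*operator1"
    "*MyApp-Work*null*015c53c7a61e02096594544082ff74b2*N*1178*H_browserrequestor*6585*http--exec-65"
    "*TABTHREAD3*BACValidator*env*Activity=removeThead*Rule-Obj-Activity:removeThead*Step: 4 Circum: 0"
    "*0*false*NA**NA*NA*NA*NA*NA*NA*NA*NA*Unauthorized request detected : Unregistered request "
    "encountered with params pyActivity:pyDeleteDocumentPg eventSrcSection:Link-Attachment.DownloadDocument*",
    "2024-11-08 15:35:02,010 GMT*8*SECU0019*0*0*pega-web-node2*NA*NA*H_browserrequestor*operator2"
    "*MyApp-Work*null*9a1b2c3d4e5f60718293a4b5c6d7e8f9*N*1178*H_browserrequestor*6590*http--exec-12"
    "*TABTHREAD1*BACValidator*env*Activity=removeThead*Rule-Obj-Activity:removeThead*Step: 4 Circum: 0"
    "*0*false*NA**NA*NA*NA*NA*NA*NA*NA*NA*Unauthorized request detected : Unregistered request "
    "encountered with params pyActivity:pyDeleteDocumentPg eventSrcSection:Link-Attachment.DownloadDocument*",
    "2024-11-08 15:36:40,555 GMT*8*SECU0019*0*0*pega-web-node1*NA*NA*H_browserrequestor*operator1"
    "*MyApp-Work*null*0f1e2d3c4b5a69788796a5b4c3d2e1f0*N*1178*H_browserrequestor*6585*http--exec-70"
    "*TABTHREAD2*BACValidator*env*Activity=removeThead*Rule-Obj-Activity:removeThead*Step: 4 Circum: 0"
    "*0*false*NA**NA*NA*NA*NA*NA*NA*NA*NA*Unauthorized request detected : Unregistered request "
    "encountered with params pyActivity:Foo eventSrcSection:MyApp-Work.CustomLinks*",
    "Step: 4 Circum: 0",   # a continuation line with no alert code: must be ignored
]


def parse_secu0019(line: str) -> dict | None:
    """Return timestamp, code, message and params for a SECU0019 line; None for anything else."""
    m = ALERT_CODE_RE.search(line)
    if m is None or m.group(1) != "SECU0019":
        return None
    idx = line.find(MARKER)
    if idx < 0:
        return None
    # Read from the marker onwards, as the post advises; drop the trailing '*' terminator.
    message = line[idx:].strip().rstrip("*").strip()
    params: dict[str, str] = {}
    if "with params" in message:
        for tok in message.split("with params", 1)[1].split():
            if ":" in tok:
                key, value = tok.split(":", 1)   # split once: values may contain '.' or '-'
                params[key] = value
    return {
        "timestamp": line.split("*", 1)[0],
        "code": m.group(1),
        "message": message,
        "params": params,
    }


def summarize(lines) -> Counter:
    """Count SECU0019 alerts per (pyActivity, eventSrcSection) pair."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_secu0019(line)
        if rec is not None:
            key = (rec["params"].get("pyActivity", "?"), rec["params"].get("eventSrcSection", "?"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (activity, section), n in summarize(SAMPLE_LINES).most_common():
        print(f"{n:4d}  pyActivity={activity}  eventSrcSection={section}")
```

Run it over the concatenated AlertSecurity logs of every node (the multi-node caveat raised earlier in the thread) and the top entries are the sections and activities to register or redesign first.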
DXC
AU
@Rachit_Agarwal We are using the script shared in the following article: https://support.pega.com/discussion/how-auto-logoff-window-cases-open-n… and we are getting a Security - Broken Access Control warning for it.
Issues:
1. Registration/encryption of the PUBLIC APIs used in the script, to avoid BAC issues.
2. Dynamic generation of URLs that don't use encoding APIs should be flagged, to avoid injection attacks, unauthorized data exposure and cross-site scripting attacks. Can you share insights on how we fix the following?
Pegasystems Inc.
US
Hello Gaurav
Please review below my response for Issue: 1
In the pega_desktop_AppControllerLite JS rule (Pega-Desktop:08-08-01) you will notice that an encryption API is used,
e.g. pega.u.d.convertToRunActivityAction(oSafeURL);
So this should help to avoid triggering SECU0019. Similar APIs are used in other parts of the code.
Can you please review and see if this helps your scenario? Feel free to reach us back for any additional questions.
Regarding Issue: 2 that you mentioned can you please provide some additional context / clarification? Some screenshots of your configuration might help.
Thank you
Updated: 18 Nov 2024 18:15 EST
DXC
AU
@Elisha Tanikonda, yes, and for that the Access Control Health Check is giving the error. Document attached with the error screenshot.
Pegasystems Inc.
US
Hi @gasharma,
It seems the py-cosmos-custom text file is customized here. The highlighted code would trigger a Secu0019 ALERT.
We need to make sure that the requests are in encrypted format, so that they are considered secure and do not trigger a Secu0019 ALERT.
Please refer to the "Submitting the action request content in encrypted form" section in https://docs.pega.com/bundle/platform/page/platform/security/configure-…, where you are asked to use the Rule utility function pega_rules_utilities.pzEncryptURLActionString in such scenarios.
I have also created a sample and attached a document "Launching a URL - BAC scenario..docx" where I also used the same function.
Regards,
Rachit
Updated: 18 Nov 2024 19:25 EST
Pegasystems Inc.
US
Hi Team,
Today we are sharing a few examples of what a BAC error looks like, the artefacts that need to be captured, and then how to fix it.
1. Launch local action giving a 403 error.
2. Open URL in a new tab giving an error (similar use cases: launching the Pega portal from a third-party application throws a 403/Secu0019 error; opening the Pega portal or a work object from an email throws an error).
Please take a look and let us know for any questions.
Pegasystems Inc.
IN
Hi @Elisha Tanikonda , @Rachit_Agarwal ,
Thank you for initiating this discussion.
Could you please help me understand, when a BAC issue comes up, how to identify whether it is an invalid configuration or whether registrations have to be added explicitly?
Thank you.