‘Access Control Warning’ after 8.5 upgrade
After upgraded from 8.3.4 to 8.5.2 (CRM) the following ‘Access Control Warning’ shows in the top header of the external Portal. It does not happen for our developer/Admin role but it shows for all the other roles.
Tried to change the below WHEN rules to false but they are already ‘Withdrawn’ and/or False.
- WHEN: pySecureFeatures = False
- WHEN: pyShowSecureFeatureWarnings = False
- WHEN: pyBlockUnregisteredRequest = False
Also tried to remove privilege ‘crmCanCSUserRunActivity’ from activity: pyOnBeforeWindowClose in ruleset PegaCS-Specialization:08-05-01.
Issue still persist.
How can this be removed or prevented from displaying….
See Attachment
Accepted Solution
Updated: 22 Apr 2021 10:32 EDT
Veteran Careers First
US
@KevinH26 We were able to resolve the issue by setting this WHEN condition to false. Previously we thought we already tried this but apparently this one was missed. Hope this helps.
- WHEN: pyShowSecureFeatureWarnings = False
Citicorp Services India Private Limited
IN
Hi @HenryA80,
The following access control check community link may help. If the issue is on OOTB control please create an incident with Pega support.
https://community.pega.com/knowledgebase/articles/security/85/using-access-control-checks
Please let me know if this help.
Thanks,
Gowrishankar.
Veteran Careers First
US
The article mentioned is about finding the rules and fixing the issues.
For now we would prefer to disable this feature or prevent from displaying in the UI portal.
How can we do this....
National Institutes of Health
US
@GOWRISHANKAR we are facing the same issue (8.5.3). We've gone through this article and refactored all rules listed under the Access Control Health Check. Now our health check is clean, but we still see this warning displayed for non-admin users. Please advise.
Accepted Solution
Updated: 22 Apr 2021 10:32 EDT
Veteran Careers First
US
@KevinH26 We were able to resolve the issue by setting this WHEN condition to false. Previously we thought we already tried this but apparently this one was missed. Hope this helps.
- WHEN: pyShowSecureFeatureWarnings = False
Veteran Careers First
US
We were able to resolve the issue by setting this WHEN condition to false. Previously we thought we already tried this but apparently this one was missed. Hope this helps.
- WHEN: pyShowSecureFeatureWarnings = False
Swedbank AB
SE
@HenryA80 But, Is this is the suggested fix ?
I believe fix should be probably to make the feature 'secure' or register the control to be called from unregistered resources.
TD
CA
We are also seeing this issue on multiple versions of Pega 8.6.x post upgrade.
Scenarios where we see error /blocked requestors due to violation of the default security feature
- Invocation of an incoming Snapstart or Mashup URL which is not encrypted
- A button action on a Section or a Navigation rule invokes a JavaScript function without registration
- A custom Control issues a request to call an Activity without registration
- A custom Control invokes an URL which is not encrypted
Below documentation provides guidance on how to secure your application and comply with this security feature when you turn on the 3 aforementioned when rules to return TRUE.
https://docs-previous.pega.com/security/86/verifying-requests-when-using-custom-controls
https://docs.pega.com/security/86/identifying-custom-controls-configure
For auto generated Sections or Navigation rules, the registration is simple, you can check the "Register OOTB actions used in script for URL tamper proofing" checkbox if you are using "Run Script" option. For non auto generated HTMLs, Custom Controls etc., the above links provide steps to perform for securing them. Additionally, if you use Mashup or Snapstart in your application, you should encrypt those URLs.