Question
Accenture
SG
Last activity: 9 Jan 2025 10:13 EST
Open Assignment action exposing case id in network trace Security Issue
Even when setting these 2 DSS
initialization/Urlencryption - true
and
initialization/SubmitObfuscatedURL - required
I can still see the assignment key params exposed in the network trace when invoking the out-of-the-box OpenAssignment action.
Accepted Solution
Updated: 9 Jan 2025 10:13 EST
Pegasystems Inc.
GB
Case IDs themselves are generally not considered sensitive proprietary security details. However, they can be part of a broader context that includes sensitive information. It is important to ensure that any associated data that could be sensitive is properly secured. When invoking actions like OpenAssignment, ensure that the network communication is encrypted (e.g., using HTTPS) to protect the data in transit. Additionally, access controls should be in place to ensure that only authorized users can view or interact with the case data.
Using URL shorteners and configuring anonymous authentication services can help mitigate the risk of exposing sensitive details in network traces.
Handling external assignments in Pega
Understanding and complying with Case Management best practices > Providing
If you believe the product is showing an undocumented security issue, please log a support issue via the MSP and provide the INC ID here so that we can help track it.
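To check which requests in an exported browser trace (HAR) still carry an assignment key or case ID in clear text after the two DSS values are set, a scan like the following can be used. It is an added example, not code from this thread or from Pega. The identifier patterns, host, paths and parameter names are assumptions, and the sample trace is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed identifier shapes (not taken from the thread); adapt to your application.
PATTERNS = [
    ("assignment_key",
     re.compile(r"ASSIGN-(?:WORKLIST|WORKBASKET)\s+\S+\s+[A-Z]+-\d+", re.I)),
    ("case_id", re.compile(r"\b[A-Z]{1,4}-\d+\b")),
]

def classify(value):
    """Return the first identifier kind found in a decoded parameter value."""
    for kind, rx in PATTERNS:
        if rx.search(value):
            return kind
    return None

def scan_har(har):
    """List (method, path, location, param, kind) for every cleartext hit."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        sources = [("query", parts.query)]
        post = req.get("postData") or {}
        if "x-www-form-urlencoded" in post.get("mimeType", ""):
            sources.append(("body", post.get("text", "")))
        for location, raw in sources:
            # parse_qsl percent-decodes, so URL-encoded keys are still caught
            for name, value in parse_qsl(raw):
                kind = classify(value)
                if kind:
                    findings.append((req["method"], parts.path, location, name, kind))
    return findings

# Constructed sample trace: host, paths and parameter names are made up.
KEY = "ASSIGN-WORKLIST%20ORG-APP-WORK%20C-1042%21REVIEW_FLOW"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://pega.example.test/prweb/app/ctx?action=open&key=" + KEY}},
    {"request": {"method": "POST", "url": "https://pega.example.test/prweb/app/ctx",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "mode=perform&key=" + KEY}}},
    {"request": {"method": "GET",
                 "url": "https://pega.example.test/prweb/app/ctx?blob=Zk3Jx9QmPz7Lw2Rt8"}},
]}}

if __name__ == "__main__":
    for finding in scan_har(SAMPLE_HAR):
        print(*finding)
```

Running the scan on a trace captured before and after a configuration change shows whether the key moved from the query string into a form body or disappeared from clear text entirely.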
Pegasystems Inc.
GB
@Aditya Viswanatha To address the security issue where the case ID is exposed in a network trace when using the Open Assignment action, even after setting the DSS values initialization/Urlencryption to true and initialization/SubmitObfuscatedURL to required, you should ensure that the URL parameters are properly encrypted. This can be done by using a URL mapping rule that accepts just the Assignment key and directly calls the necessary activity with the other parameters defaulted. Additionally, you can encrypt the parameters of the URL within the Pega Platform application using the provided Java code example for encrypting the URL in JavaScript. This ensures that the URL parameters are not exposed in clear text and enhances security.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
References:
How to create a case link to open in Review mode (SnapStart) [SDR-81]
Regarding External Assignment Post Processing
Updated: 16 Aug 2024 5:23 EDT
Pegasystems Inc.
GB
@Aditya Viswanatha The issue you're experiencing is due to the fact that even with the DSS settings initialization/Urlencryption set to true and initialization/SubmitObfuscatedURL set to required, the assignment key parameters can still be exposed in the network trace. This is a known limitation. To mitigate this, you should consider using URL mapping rules that accept just the Assignment key and directly call the necessary activity with other parameters defaulted. Additionally, encrypting the parameters of the URL within the Pega Platform application can help enhance security. This can be done by following the Java code example provided in the documentation for encrypting the URL in JavaScript.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
References:
How to create a case link to open in Review mode (SnapStart) [SDR-81]
Regarding External Assignment Post Processing
Accenture
SG
@MarijeSchillern I'm using the out-of-the-box OpenAssignment action. If I need to encrypt, then basically I need to write custom JavaScript with encryption to call the activity and pass parameters as mentioned in the link
https://docs-previous.pega.com/security/87/configuring-custom-control-encrypting-url-javascript
So I'm looking for an out-of-the-box solution instead of customising and writing JavaScript for each action where we are passing the parameters.