Question


Pegasystems Inc.
PL
Last activity: 7 Aug 2023 10:34 EDT
When was pxRetrieveReportData secured with @baseclass AllFlows and OpenDeveloperForm privileges?
When was pxRetrieveReportData secured with @baseclass AllFlows and OpenDeveloperForm privileges? We just found this during our upgrade, and it impacts how we need to set up our access roles and AROs.
Update from 8.2.5 to 8.5.4
Accepted Solution
Updated: 4 Mar 2024 6:19 EST


Pegasystems Inc.
NL
Hi @AndreasHubenthal, some good news on this topic. I've looked into this specific change in more detail and agree with you that those privileges are not the best solution. Fortunately, this issue has been reconsidered and is now getting addressed in the next patch release. So be on the lookout for a change, so you can revert any workaround you've used so far.
***Edited by Moderator Marije to add Resolved Issues documentation link***
See changes documented from 8.5.6 onwards: Pega Platform 8.5.6 Patch Resolved Issues
Issue 665482:
Privileges adjusted for RetrieveReportData
In recent versions of Pega, pxRetrieveReportData was secured with @baseclass AllFlows and OpenDeveloperForm privileges. However, this can interfere with setting up roles after update. To resolve this, the privilege restrictions have been removed from pxRetrieveReportData as it is already protected by ABAC/RBAC.
****************************************


Pegasystems Inc.
US
@kolow This was done in release 8.5 as part of security changes to secure activities called directly from the client.


Pegasystems Inc.
DE
@chens3 Thank you for the insights provided. Is there documentation describing the changes in the event of a release upgrade so that the customer can prepare for them in advance? This would save time for you and the team and, more importantly, it will increase customer satisfaction as it prevents negative consequences and complaints from business users.


Pegasystems Inc.
US


Pegasystems Inc.
DE
This is of course helpful.
I just cannot judge whether, as indicated in this example, the change mentioned here is sufficiently described and what impact it has for our clients to apply this new function.
A generally included explanation of why this change was made and what other possible alternative procedures are available will certainly help to avoid misunderstandings and customer inquiries.
Thank you
Georg
Updated: 16 Jul 2021 1:16 EDT


DB Systel GmbH
DE
@chens3 Hey, thanks for the response. Why wasn't this documented here - https://community.pega.com/knowledgebase/articles/whats-new-pega-platform/security and why did you use the AllFlows and OpenDeveloperForm privileges?
Why not create a dedicated privilege for this, which is topic-focused, e.g. OpenReports?


Pegasystems Inc.
DE
@Eric Rietveld Thanks a lot for your customer friendly support.


Pegasystems Inc.
PL
@chens3 -
Client is still having some concerns:
1. What is the intent of such a change?
2. Is it described in release notes, as Pega Consulting has been performing Upgrade Assessment and missed such info?
3. Are there similar changes done to other activities in Pega 8.5?


Pegasystems Inc.
NL
@kolow I've seen this happen when roles get cloned from OOTB roles. To prevent potential maintenance issues when Pega updates AROs for these roles, I suggest starting to leverage the role dependency feature.


Pegasystems Inc.
US
If you believe there are gaps/holes/discrepancies within any of our documentation, please click the Contact Us button on the right pane from within the documentation (that will automatically insert the link to that documentation) and then choose "Suggest a content edit". That will send your request to our technical documentation team who will follow up on your request.