Skip to main content

Published Release Notes

Find release notes for the selected Pega Version and Capability

Browse resolved issues for Platform releases.

This documentation is for non-current versions of Pega Platform. For current release notes, go here.

Enabling security policies now requires current password

Valid from Pega Version 7.1.3

As part of Pega’s initiative to protect against malicious attacks, the change password dialog has been enhanced.  When Security Policies have been enabled for your system, new users or those with expired passwords will now be prompted for both their existing password as well as their desired new password.

For more details, review the Designer Studio > System > Settings > Security Policies landing page.

Application Express and the Content Security Policy

Valid from Pega Version 7.1.7

Application Express copies (if defined) the Content Security Policy (CSP) name (pyContentSecurityPolicyName) from the built-on application in a new application. It also sets the CSP mode (pyContentSecurityPolicyMode) to report. The values appear in the Content Security area on the application rule's Integration & Security tab.

When checking an application in the DCO Compatibility tool, a warning appears if the CSP name is missing.

Password hashing using SHA-256/SHA-512

Valid from Pega Version 7.1.7

Password hashing using the SHA-256 and SHA-512 hash functions is available for use during the the Pega 7 authentication process with operator, ruleset, and update lock passwords. The SHA-256/SHA-512 hash functions join the previously available MD5 and SHA-1 hash functions.

Using SHA-256/SHA-512 hashing when creating or upgrading a password hash results in increased complexity of the hash, making it extremely difficult and time-consuming to determine hashed password values stored in a database.

Note that once you have updated your system to Pega 7.1.7 and have applied password hashing using the SHA-256/SHA-512 hash functions, reverting back to a previous version of Pega 7 is not advised as this causes hashed passwords using SHA-256/SHA-512 to fail.

See About password hashing for more information.

Support for encrypted traffic in a cluster

Valid from Pega Version 7.3

The Pega 7 Platform includes the Ignite platform, which supports encryption for intra-cluster communications. You can now configure encryption for intra-cluster traffic for compliance with regulatory or organizational security requirements.

For more information, see Enabling encrypted traffic between nodes.

Monitor standard and custom security events

Valid from Pega Version 7.3

From the new Security Event Configuration landing page, you can select the standard and custom security events that you want the Pega 7 Platform to log automatically for every user session. The security events are grouped into the following types:

  • Authentication
  • Data access
  • Security administration
  • Custom

The API logCustomEvent() is provided so that you can create custom security events that are specific to your applications and that can be monitored by the Pega 7 Platform. For more information, see Security Event Configuration.

SAML configuration supports global resource settings

Valid from Pega Version 7.3

In the SAML Authentication Service form, you can now use global resource settings, which allow greater flexibility for values that change compared to using fixed text values. Apply global resource settings, which are dynamic values, in the Identity Provider (IdP) information section and the Service Provider (SP) settings section of the form.

For more information, see Authentication Service form - Completing the SAML 2.0 tab.

Restrict visibility of scalar property values for certain users

Valid from Pega Version 7.3

You can use the Access Control Policy rule to mask individual scalar property values from specified users. You can restrict visibility for the following property types:

  • DateTime
  • Integer
  • Text

For more information, see Masking property visibility for users.

Disable inactive operators

Valid from Pega Version 7.3

As a system administrator, you can control access to an application by disabling Operator IDs. To disable an Operator ID, you can use one of the following options in Designer Studio:

  • Call the Service REST: user.
  • Change settings on the Operator Access tab on the System Settings landing page or on the Security tab on the Operator ID form.
  • Define the number of inactive days in the security policies before an Operator ID is automatically disabled.

For more information, see System Settings - Operator Access tab, Enabling Security Policies, Security tab on the Operator ID form.

Security landing pages and features require privileges

Valid from Pega Version 7.3

Security-related landing pages and features are no longer visible and accessible to every user. To view and configure the following security features, you must have the appropriate privileges:

  • Attribute-based access control (ABAC) policies require the pzCanManageSecurityPolicies privilege.
  • The Authentication Services landing page requires the pzCanCreateAuthService privilege.

Authenticate users in processes with a JSON Web Token

Valid from Pega Version 7.3

You can generate and process a JSON Web Token (JWT) in Pega® Platform to secure communications in Pega Platform applications. JWTs are intended to securely transmit small amounts of information between two parties. Because the JWT is signed, the integrity of the information is assured. The contents of the JWT can be used to authenticate a user or to exchange information.

For more information, see Token Profile data instance.

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us