ProjectWise Explorer WRE Security Update 2

Overview

This Workflow Rules Engine (WRE) Security Update 2 improves on a security patch that was released October 2019 to address an issue related to super user/ rollback user membership in the ProjectWise Administrator group. The previous WRE security solution fully addressed the security problem, but in some cases unpatched ProjectWise Explorer clients would terminate a workflow action in the middle of processing, which would leave documents in an incomplete state.

This improved solution ensures that a user using ProjectWise Explorer clients without the security update will not be able to execute commands that may fail. Also, it will clearly inform users about the need to install the new update.

This security update is for all ProjectWise Explorer CONNECT edition client versions up to and including CONNECT Update 3.3. It is required for clients that are connecting to the ProjectWise Design Integration server Update 3.2 or later and that use the Rules Engine with Super User configuration.  It is recommended to upgrade all ProjectWise Explorer client versions even if they are not currently connecting to 3.2 or later datasources.

Please note, however, that if the datasource server is configured for WRE server-side execution, then ProjectWise Explorer versions starting from Update 3.2 and later will work even if the security update is not installed. Also note that users can use ProjectWise Web Connections to run rules when they are configured for server-side.

Solution details

Once the solution is applied, users who connect with an incompatible version of ProjectWise Explorer will not show the usual rules engine commands. Instead, there will be  a warning message advising users to update their client. This will ensure that only secure clients can attempt executing rules and will prevent data loss.

To implement the solution:

• Update ProjectWise Explorer clients in advance
• Update ProejctWise server or datasouce

 No changes are required to the existing Workflow Rules Engine configuration spreadsheets to apply this solution.

Updating ProjectWise Explorer clients

It is important to update ProjectWise Explorer clients first, because once the solution is applied on server,  clients that are not updated will not be able to execute rules engine workflows.

To update ProjectWise upgrade to ProjectWise Explorer CONNECT Edition Update 3.4 (version 10.00.03.434) or later version. These versions already include this security update. For ProjectWise Explorer CONNECT edition versions before and including Update 3.2 (10.00.03.280) and CONNECT Update 3.3 (10.00.03.3XX versions) install Workflow Rules Engine Update 2.

To download the update:

• either go to Bentley software downloads and pick ProjectWise Explorer or follow this link https://softwaredownloads.bentley.com/en/ProductDetails/2546. Next, choose Version 10.00.03.627 and click Apply to locate ProjectWise Explorer WRE Security Update 2,
• or get a copy of the module from this communities site files area.

Updating ProjectWise Datasources

ProjectWise Datasources with Workflow Rules Engine need to be updated to complete the installation of the security update. To update the datasources, administrators need to either run a WRE version guard SQL script on the database or update ProjectWise Design Integration server to CONNECT Update 3.2 Fourth Release (this version of the server is exected to be released soon) or later.

The script or the new server will analyze current WRE configuration and, if the configuration is using super user, it will apply changes that will guard workflow commands from being executed by incompatible clients. These protection will be automatically added to the configuration whenever any new changes will be made in the future.

The WRE version guard functionality will be part of all future releases of Design Integration server. It will not be possible to turn it off, so it is important to install WRE Security Update 2 updates to older ProjectWise Explorer versions or install latest Explorer versions.

The wre_add_version guards.sql script is available to ProjectWise administrators by request. The script is for Microsoft SQL server only.

User Experience

This section explains what users will see when:

• Using ProjectWise Explorer without WRE Security Update 2
• Using WRE ion server-side mode
• Using ProjectWise Explorer with WRE Security Update 2

When using ProjectWise Explorer without WRE Security Update 2 and executing rules client-side on datasources that have version guards installed with super user rules, users will see a special warning menu item instead of workflows:

 The menu item displays a standard message box that has a link to a simple page explaining what steps to take:

When using a ProjectWise Explorer that will execute rules on server side, the users will see the usual workflow commands with the warning menu item disabled:

The workflow commands will work as usual. The disabled menu item will be visible regardless if the Explorer client is patched or not and will be removed with future Design Integration server releases.

Note that workflow rules will be executed on server if both DI server and ProjectWise Explorer versions are equal or greater than 10.00.03.280, and if rule execution on server was turned on in the datasource configuration by ProjectWise administrator.

Using ProjectWise Explorer with WRE Security Update 2 or executing rules server-side with future Design Integration server versions will show the usual workflows menu:

PW Administrator Experience

ProjectWise Administrators working with Workflow Rules configuration may see the version guard configuration added to Rule Engine Configuration when they export the rules into an Excel spreadsheet after the guard script is applied. This will include:

• A new operation WRE_VERSION_WARNING in Operations Types sheet
• Multiple Rules for the WRE_VERSION_WARNING operation.

These configuration elements are managed automatically and will be re-calculated each time modified rules configurations are imported. Administrators can safely remove them from spreadsheet before import.

These configuration elements will note be invisible in future ProjectWise Design Integration server releases.

Administrators have the ability to change the warning menu item appearance and message. It is advised to keep the standard version warning messages to make it easier for support teams to identify what is happening, should users contact support after seeing these messages.

Customizing standard messages

There are three new settings for the Rules Engine to change the standard warning message. These settings are automatically added as part of the guard configuration.

• WRE_VERSION_WARNING_NAME – menu item name.
• WRE_VERSION_WARNING_PROMPT – menu item prompt
• WRE_VERSION_WARNING_MESSAGE – the message that is displayed in message box, 255 symbols max.

Bring Your Own Visa (BYOV) Usage Tracking

ProjectWise user organizations who enable Bring Your Own Visa (BYOV) for external project participants where workflow rules engine is in use, must take the following steps to ensure accurate usage tracking of PWDI Visas for these external project participants. 

Steps for ProjectWise sponsoring organization

• Upgrade ProjectWise Design Integration server to 10.00.03.280+
• Upgrade all ProjectWise Explorer clients including external project participants
• Ensure all users are configured for IMS authentication
• Enable server side processing of Work Rules Engine (WRE)