v11.4 2017-09-11 Enhanced Security through Access Control Functions, etc.

Release Overview

Date Release

• Mon. Sept. 11th, 2017

Changes to be Noted

• We will make the following changes as part of CSRF measures (security enhancement)
  • Abolished permalink of Process Start (/PE/ProcessModel/listView?processModelInfoId=XXX&nodeNumber=XXX
  • Access by GET will be prohibited with respect to APIs of “Submitting the Task output (/API/PE/Workitem/Form/save)” and “Creating a Process Instance (/API/PE/ProcessInstance/start)
• We will delete the following deprecated APIs in “Membership Setting API”
  • /API/UGA/Membership/listByQgroup (Retrieving all Members of an Organization)
  • /API/UGA/Membership/listByQuser (Retrieving all Organizations for a User)
  • Respectively, please use “/API/User/Membership/listByQgroup”, “/API/User/Membership/listByQuser” which have been added since version 10.1
• In Internet Explorer 8 and earlier, you will not be able to use Questetra (will not work)
  • Versions earlier than Internet Explorer 8 are already unsupported. Please use versions listed on System Requirements
• Changed so that Basic authentication using “API password” to be available in an environment where both of “Enabled API access with Basic authentication” and “Disabled password Authentication” has been set.
  • If you want to prohibit “Basic authentication using “API password”, please disable “API access with Basic authentication”
• Customers who are subscribing to a paid IP address Filtering option currently, do not enable the new function, “IP address Filtering”, please consult with our sales representative
• Check out also the plans of changes in future versions[Plans of Future Changes] at the bottom of this page.

---

Details for Version11.4

Changes of Functions for Normal User

• Corresponds not to display the screen before logging in while logged in
• Improved the error message displayed upon trying to log in beyond the number of simultaneous logins

Workflow

• On the process details screen, long “Title” also to be displayed entire lines with line breake, instead of cutting off in the middle
  • On the [Screen for Printing], change from “forcibly feeds line without regarding line breakpoint” to “forcibly feeds line if there was no line breakpoint”
• Improve internal processing of [Start Selected Processes], change to complete Start processing each process
• Added link to Open Chat on Process detail and Task operating screen for Smartphone
• On the smartphone screen, corresponds not to zoom in automatically when the input field is focused
• Provide URL encoding of query string on link in Operateed Task menu, etc.
• Fixed following Bugs:
  • When clicking on a thumbnail of an image file attached to a File type Data Item on the Task Operatinging screen, Process detail screen or the like, an error message in English may be displayed regardless of the language set as Japanese

Process search / Task search

• Accelerate search processing
• Enable to specify multiple conditions that related with “Title”
  • Narrowing down search by multiple words becomes possible
  • Likewise enable API for Process search / Task search
• Enable to Task search specifying other than “Me” in Operator
  • Likewise enable API for Process search / Task search
• Fixed following Bugs:
  • In the screen for selecting Apps, the position of the star in the header part is displayed dislocated
  • Operating “Export to Google Spreadsheet” with Chrome, it may become “Invalid Operation”

Open Chat

• Improve list display on Smartphone screen, change to interface similar to PC screen
  • Corresponds to 4 types of Timeline, “Topic / User / Organization / @Me”
  • Corresponds with “Topic related with Process (#p1234)
• Fixed following Bugs:
  • In the Topic timeline, the title (topic name) may sometimes protrude from the display area without line feed
  • When multiple new posts with the same topic are made at the same time, errors occur in later post

Dashboard / Account setting

• The pages displayed after login, including the error page, in principle corresponds to display according to the language setting of the logged-in user
• Fixed following Bugs:
  • When uploading an image file to change the user icon, a new icon may not be displayed on the setting screen
    • Since the icon image is cached in the browser, all icons are not changed immediately even after this bug is fixed

Changes of Functions for Process Owner (Workflow Administrator)

• none

Changes of Functions for Workflow Designer

• Avoid uploading files to File type Data Items when Form preview
• Permanent link for Process Start (/PE/ProcessModel/listView?processModelInfoId=XXX&nodeNumber=XXX) is abolished
• Fixed following Bugs:
  • When displaying the contents entered by the user in the error message, a long continuous alphabet may sometimes protrude from the display area without line feed
  • When resizing the App list screen, the display size of the list of the filter setting section is dislocated

Data Items

• String type Data Item corresponds to placeholder
• Corresponds not to be able to set initial value when setting arithmetic expression in Numeric type Data Item
• Fixed following Bugs:
  • In the Numeric type Data Item, a value outside the system limit (1,000,000,000,000,000) can be set to the initial value / maximum value / minimum value
  • With Numeric items in Table type Data Item, no error occurs even if the column summary result exceeds the system limit value
  • When “Dependent parent” is set on the Choice setting screen, clicking on the [Reset] button may not return to the original state

Timer Start Event

• Change to Start the Process one by one when the option to Start Multiple Processes is effective
  • Previously, it was either “all succeeded or all failed”, but there is a possibility that a case of “partial success / partial failure” may occur
  • In the case of “partial success / partial failure”, an error notification is given to a user having control authority

Message Start Event (HTTP / Form) / Catching Message intermediate Event (HTTP)

• The preview screen of [Message start event (form)] corresponds to be width variable / responsive as same as the “Released” screen
• Parameter that specifies target App and Event is changed to path parameter method of URL
  • For the procesModelInfoId and nodeNumber (also the key of Form), change from the query of the URL to the path part
  • For example, [Catching Message Intermediate Event (HTTP)] is in the form of “/System/Event/IntermediateMessage/{App ID}/{node number}/receive”
  • Previous format has become deprecated
• When the [IP Address Filtering] option is enabled, corresponds to display the accessible IP address (permitted network) on the Event details screen
  • Display only the rules that applied to the URL of the new format (path parameter method)
  • Nothing is displayed if the [IP Address Filtering] option is not enabled
• In [Message Start / Catching Intermediate Event (HTTP)] corresponds so that the value of key can be arbitrarily set
  • When upgrading to Ver. 11.4, regarding the existing Event, the value of the current key is set as the set value of the Event
  • When importing an App archive for which key is not set, the value (system value) of key at the time of Version 11.3.5 is also imported
  • After now on, the initial value of key is set randomly when newly arranging an Event

Message Start Event (Email)

• Improve the processing of Starting a new Process from received email so that to improve performance, stability and fault tolerance
  • The number of emails that becomes errors for email parsing fails will decreases, and the number of emails processed normally will increase
  • Email that arrived during the time of planned stoppage, such as version upgrade, is processed without losing
  • Corresponds so that multiple processes are not Started from one email
  • Even though the time lag to Process Start increases greatly, such as when massive emails are sent in a short period of time, the SaaS environment will be stably
• Fixed following Bugs:
  • If the body of the received email is long, sending error notification email may fail
    • Make the text to be included in the error notification email up to 10,000 characters

Throwing Message Intermediate Event (HTTP)

• HTTP request to [Message Start Event (HTTP)], etc. on Questetra of the same URL from [Throwing Message Intermediate Event (HTTP)], etc. can be used regardless of setting of IP Address Filtering
• The variable “$ {var [key]}” is now deprecated
  • Since you can now freely set the key in [Message Start / Catching Intermediate Event (HTTP)] to call ,the role of the variable ends
  • Please do not use $ {var [key]} and specify a fixed value

Service Task

• Corresponds so that “application / system variable” can be retrieved in [Service Task (Data Assignment)]
• Migrate utilizing version of Google Drive API from v2 to v3
• Fixed following Bugs:
  • In [Service task (Google Drive)], Error Contents are Not Recorded

Script Task / Service Task (Add-on)

• Corresponds so that “Overview description” and “Help URL” can be defined in the definition file (XML) of [Service Task (Add-on)]
• By Script, corresponds to retrieve the contents (texts) of the file attached to File type Data Item
• Change the methods of Retrieving / Updating values of Data Items by Script
  • Retrieving / Updatingting using Data definition number: engine.findDataByNumber(1), engine.setDataByNumber(1, “foobar”)
  • Retrieving / Updatingting using Data Item name: engine.findDataByName(“name”), engine.setDataByName(“name”, “Smith”)
  • Retrieving / Updatingting using Field name: engine.findDataByVarName(“q_name”), engine.setDataByVarName(“q_name”, “Smith”)
  • No change in method of direct reference to variable with the same name as the field name
  • Method of Retrieving / Updating using “data.get(“1″)”, “retVal.put(“1”, “foobar”)” is now deprecated
• When using “engine.findDataDefinitionByXXX” in the script, corresponds so that become an exception (error) when there is no Data Item
• Fixed following Bugs:
  • When importing an archive containing a Service definition file (Add-on), it may not be possible to [release]

Operator Setting

• Added “Staff members in the SAME organization with”, “Staff members in the PARENT organization of”, “Staff members in the UPPER organization of”, and “The same user as” to relative designation from user on other Swimlane
• Added “Staff members who belong tothis”, “Staff members who belong only sub organization of this” to designation by Organization type data
• Corresponds to be possible to continue to view process details, even if [Team Task] has been processed by other users
  • Up to Ver. 11.3, it was not possible to search or view the Process when other users had completed the processing
  • Apply from [Team Task] which is newly completed processing with on and after Version 11.4. Past records cannot be viewed

Changes of Functions for System Administrator

• Corresponds so that CORS (Cross-Origin Resource Sharing) can be set up (beta-released function)
  • Permitting Ajax requests in Cross-Domain is now available for Message Start Event (HTTP) and published API.
• Chart of “Number of running processes” is added in [System Summary]
• Corresponds to disabling Auto Login
• Corresponds so that it is possible even “Password login is prohibited” when performing Basic Authentication using the API password
• Changed the menu name of [Connected Apps] in [System Setting] to [API Client]

System Log / Process Log

• Process Log corresponds search specifying App
• Corresponds to output new creation / deletion of App to Process Log
• Corresponds to output [CSV download] operation to the process log when the target application is specified
• Changed the log output destination upon processing failure of [Timer Start Event] from System Log to Process Log
  • “Partial success / failure” is also recorded as failure
• “Type” is added to the output item of System Log / Process Log
  • Separating conventional “Details” into “Type” and “Details”
• “Node number” is added to the output item of Process Log
  • For logs recorded on Version 11.4 or later
• “Node Type” is added to the output subject of CSV download of Process Log
• “Task / event” in the title line of Process Log is changed to “Step Name”

IP Address Filtering (labs)

• Added [IP Address Filtering] function so that access restriction by IP address can be set by user setting
  • You can set source IP address (permit network) collectively for the function requiring login
  • It is not possible to set source IP to each function such as function for smartphone
  • The page before login / after logout is not subject to IP address filtering
  • Customers who use the paid “IP address restriction option” currently, please contact sales representatives before using this function
• IP Address Filtering is available for [Message Start Event (HTTP / Form) / Catching Message Intermediate Event (HTTP)]
  • URL after “/System/… ” can be specified, and the source IP address can be set for each URL
  • For example, it is possible to set and specify “type of Event”, “Event type of target App”, “specific Event of target App”, and the like
  • When the request URL matches more than one setting (URL), the longest one (the one set with the finest setting) is applied
  • Since it does not see the query part of the request URL, it can be controlled only at the “Event type” level in the former URL format
  • An HTTP request from [Throwing Message Intermediate Event (HTTP)] on Questetra of the same URL can always be used regardless of IP Address Filtering setting
• Regarding [Message Start Event (HTTP) / Catching Message Intermediate Event (HTTP)], IP Address Filtering is set to be completely prohibited any connection from the outside in the initial state
  • Questetra environments newly built on and after Version 11.4 are the subject
  • To allow external connection, revision of IP Address Filtering setting is required
  • Questetra environments used from Ver. 11.3.5 and earlier will be upgraded in the state the IP Address Filtering is disabled

Changes of Functions for System Engineer

• Deleted the following deprecated APIs in “Membership Setting API”
  • /API/UGA/Membership/listByQgroup (Retrieving all Members of an Organization)
  • /API/UGA/Membership/listByQuser (Retrieving all Organizations for a User)
  • Respectively, please use “/API/User/Membership/listByQgroup”, “/API/User/Membership/listByQuser” which have been added since version 10.1
• Access by GET will be prohibited with respect to APIs of “Creating a Process Instance (/API/PE/ProcessInstance/start) and “Submitting the Task output (/API/PE/Workitem/Form/save)”
• In the option of “Send Task Outcome (/API/PE/Workitem/Form/save)” API, changed not to perform mandatory checks on qgroupId when saveOnly=true
  • In the case of temporary storage, so that it is possible to save even if mandatory items are not set
• In User setting API, correspond to enable to acquire and update user’s “Mainly belonging organization”
  • aquire：/API/User/Quser/self、/API/User/Quser/find
  • Update：/API/UGA/Quser/update
• Removed unnecessary elements from API response of “Acquire input form information (/API/PE/Workitem/Form/viewXml)”
  • quser-id and quser-name in executing-role
• Accessing an invalid URL with “/System/ …”, “Not Found” is displayed

Non-functional Changes and Changes of External tool Functions

• Enabled to log in simultaneously from 3 clients (browser)
• Corresponds so that host name of access URL can be set to desired character string
  • The part of “XXX” in “XXX.questetra.net”
  • Even if you are using in old format URL (s.questetra.net/xxxxxxxx/), you can change it to “XXX.questetra.net”
  • “XXX” part must be “5 to 63 characters”, “Lowercase letters, numbers, hyphens” (hyphen at the top and the end is prohibited)
  • This offer is available only customers of Paid version. If you are interested, please contact our sales representative.
• Upgradet jQuery to 2.2
  • In Internet Explorer 8 and earlier, you will not be able to use Questetra (will not work)
• In “qbpms.config”, set default values such as “qbpms.smtp.auth” [other than SaaS]
• In qbpms.config, corresponds so that Questetra does not start up if you set characters other than single-byte alphanumeric in qbpms.api.key [other than SaaS]

 

Plans of Future Changes

We are planning to alter the following specifications and system platform in the future versions.

Due Version.11.5

• TLS 1.0 will be disabled
  • We are promoting the use of the latest security protocol as an effort to strengthen security so that customers can use it safely.
  • Internet Explorer 9/10, you will not be able to use Questetra
    • IInternet 9/10 are already unsupported. Please use versions listed onSystem Requirements
  • On some terminals with Android 4.4, you will not be able to use Questetra.
    • It is available on Android 4.4.2 and later
  • For accessing the API, you will not be able to connect from a program such as Java 6/7 which is not compatible with TLS 1.1 or later as standard
    • You can use it by using versions that are compatible with TLS 1.1 or later, or updating, etc.
  • Reference / Related information
    • Salesforce disabling TLS 1.0 (Salesforce)

Version to be scheduled

• Accessing to Developer APIs in OAuth 1.0 will be abolished
  • Please change to connection using OAuth 2.0, which is available since version 11.1
• In APIs of “Querying for all Process Instances records” and “Querying for Task records operated by the User”, it will be changed to explicitly designate as display items to include process data items as search results
  • Currently, Process Data Items specified as search criteria are automatically included in search results
  • After the specification change, only the Process Data Items which <view /> element is specified will be included in the search results

 

---