2024-04-14 Ver 16.0 Enhanced Security Concerning Logging In

Release Overview

Updating Date

• Workflow platform for Rapid Update:
  • Ver. 16.0.0: April 14th, 2024 (Sun)
  • Ver. 16.0.1: [TBD] May 12th, 2024 (Sun) or 19th
• Workflow platform for Scheduled Update and Trial mode
  • Ver. 16.0.0: Not updated
    • Updated to Ver. 15.2.2 on April 14th, 2024 (Sun)
  • Ver. 16.0.1: [TBD] May 12th, 2024 (Sun) or 19th

Changes to be Noted

• In [Script Task], the script engine GraalJS (Nashorn Compatible Mode)) is discontinued
• APIs (Java classes/methods) marked as “Deprecated: 2024-04” are discontinued for scripts in the [Script Task] [Service Task (Add-on)]
• In the API for starting a Process, the format using the activityId parameter is deprecated
• In [Google Drive: Search Folder], the specification of authentication settings is changed (Ver. 16.0.1)
• Check out the plans for changes in future versions [Plans of Future Changes] at the bottom of this page

---

Details for Version 16.0.0

($.: appended 2024-04-12, $$. : appended 2024-04-23)

Changes of Functions for All Users

Login

• The password reset function now supports changing the display language depending on the language setting of the target user (#9783)
  • Since the target user is not known until the screen for entering the email address, it is displayed in the language setting of the workflow platform
  • The email that guides the User to the password reset URL and the form screen that is displayed when the User accesses the URL will be displayed in the target user’s language settings

Account Settings

Password

• Password strength is now checked and displayed when setting a new password (#9712)
  • Regardless of the password strength check result, a new password will be set if the password policy is met
• A new password can now be set even if you do not know the current password (#9853)
  • The process is similar to [Forgot password?]
• Improved the display of the [Password] settings screen so that the password policy is always displayed (#9731)

Workflow

• Unify the internal processing (Content-Disposition header) when downloading files from the workflow platform with supported browsers (#9119)
• App Version can now be specified in the display column on the Process/Task list (search results screen) (#9716)

Open Chat

• An error message is now displayed if the topic name is too long when posting a message/comment (#9076)
  • Posting fails if the topic name exceeds the maximum length (128 characters)
• Fixed the following Bugs
  • If the username is long and contains only single-byte characters, it will be displayed outside the following/follower display area (#9613)
  • If the User name or Organization name displayed in the right column or notification area is long, it will be displayed outside the specified display area (#9639)

Changes of Functions for Workflow Designer

New App

• ‘Email does not include the data values’ option is now enabled by default in the App properties (#9641)
• The details screen of the target App will now be displayed after the creation of a new App is completed using [New App from Archive] (#9529)
• App archives (qar files) exported using workflow platform Ver. 12.3 (March 2021) or earlier will no longer be able to be imported (#9620)

SpEL expressions in Update Data/Split Conditions and Script Task

• Added a method to AddableDate/AddableTimestamp that returns the start of the week (Monday) (#9668)
  • AddableDate#getFirstDateInWeek(), AddableTimestamp#getFirstTimeInWeek()
  • Returns Monday (00:00) of the week

Message Start Event (form)

• Fixed the following Bugs
  • If you access Questetra using a browser that is logged in, it will be affected by the language/time zone settings of the logged in user
    • It is correct for Public Forms to follow the language/time zone settings of the workflow platform

Automatic Processing Steps that Cooperate with other Cloud Services/Processing Data

• Added the following automated processing steps (Service Task)
  • Google
    • Google Drive
      • $. Google Drive: Download File (#9897)
        • Downloads specified file from Google Drive
        • Service Account on Google Cloud is used for Authentication
    • Google Sheets
      • Google Sheets: Update & Get Cells (#9774)
        • Get cell value after updating cell value
        • It is possible to perform processes such as executing a function and obtaining the result
    • Google Vertex AI
      • Google Vertex AI: Gemini: Chat (#9867)
        • Send a message to the Large Language Model “Gemini” and get an answer
  • Microsoft 365
    • Microsoft Lists: Search List Items (#9825)
      • Search for list items in a specified list in Microsoft Lists
    • Microsoft Lists: Get List Item (#9826)
      • Get one list item in the specified list of Microsoft Lists
  • WordPress.com
    • WordPress.com: Create Draft Post (#9654)
      • Create a draft article
      • Title/body/excerpt/slug/eye-catching image/category/tags can be specified
    • WordPress.com: Get Categories (#9746)
      • Get the category ID by specifying the category name
      • If the category name is not specified, get the names and IDs of all categories
    • WordPress.com: Get Tags (#9747)
      • Get tag ID by specifying tag name
      • If the tag name is not specified, get the names and IDs of all tags
    • WordPress.com: Upload Media (#9809)
      • Upload files to the Media Library
• Changed specifications, etc. in the following automated processing Steps (Service Tasks)
  • Google
    • Google Sheets
      • Google Sheets: Update Row (#9773)
        • RAW/USER_ENTERED mode can now be selected as the interpreting method for the updating value
  • Amazon Web Services
    • $. Amazon Bedrock: Anthropic Claude: Chat (#9898)
      • Added Claude 3 to model options
      • Images can now be input
      • Temperature/stop sequence can now be specified
      • Enhanced log output
  • Microsoft 365
    • Excel for Business
      • Microsoft 365 Excel for Business: Insert New Row (#9636)
        • Changed the name (added “for Business”)
  • OpenAI
    • $. OpenAI ChatGPT: Chat (#9899)
      • Added gpt-4-turbo-preview and gpt-4-vision-preview to model options
      • Temperature/stop sequence can now be specified
      • Enhanced log output
  • Slack
    • Slack: Post Chat (Bots) (#9891)
      • (Advanced notice) The deprecated setting item “C1-deprecated: OAuth2 settings” will be discontinued in Ver. 16.1 (August 2024)
        • Please configure OAuth2 settings in “C1: OAuth2 settings”
        • “C1-deprecated: OAuth2 settings” is not displayed in processes where the relevant setting item is not used
• Changed the internal implementations of the following automated processing Steps (Service Tasks)
  • Google
    • Google Drive
      • Google Drive: Create Folder (#9820)
      • Google Drive: Delete File / Folder (#9821)
      • Google Drive: Search Folder (#9822)
      • Google Drive: Create Shared Link (#9823)
      • Google Drive: Delete Shared Link (#9824)
    • Google Calendar
      • Google Calendar: Insert Event (#9840)
      • Google Calendar: Move Event to another Calendar (#9841)
      • Google Calendar: Delete Event (#9842)
      • Start: Google Calendar: Event Started (#9843)
    • Google Sheets
      • Google Sheets: Create File (#9768)
      • Google Sheets: Add New Sheet (#9769)
      • Google Sheet: Copy Sheet (#9770)
      • Google Sheet: Delete Sheet (#9771)
      • Google Sheets: Get Row (#9767)
      • Google Sheets: Append New Rows (Table type data) (#9865)
    • Google BigQuery
      • Google BigQuery: Insert New Data (#9866)
  • Microsoft 365
    • OneDrive for Business
      • Microsoft 365 OneDrive for Business: Delete File / Folder (#9624)
      • Microsoft 365 OneDrive for Business: Upload File (#9632)
      • Microsoft 365 OneDrive for Business: Create Folder (#9633)
  • Box
    • Box: Create Folder (#9651)
    • Box: Delete Folder (#9726)
    • Box: Search Folder (#9727)
    • Box: Create Shared Link to Folder (#9672)
    • Box: Delete Shared Link of Folder (#9673)
    • Box: Apply Watermark to Folder (#9728)
    • Box: Upload File (#9723)
    • Box: Add Metadata to File (#9671)
    • Box: Copy File (#9718)
    • Box: Move File (#9721)
    • Box: Create Shared Link to File (#9653)
    • Box: Delete Shared Link of File (#9720)
    • Box: Download File (#9719)
    • Box: Download File as PDF/Text/Image (#9722)
    • Box: Apply Watermark to File (#9724)
    • Box: Add Collaboration (#9649)
    • Box: Delete Collaboration (#9650)
    • Box Sign: Monitor Sign Request (#9729)

Script Task/Service Task (Add-on)

• For [Script Task], the Script engine GraalJS (Nashorn Compatible Mode) has been discontinued (#9105)
  • At the update to Version 16.0, it will be forcibly transitioned to GraalJS (Standard Mode)
  • The discontinuance in the [Service Task (Add-on)] has been postponed (scheduled for Ver. 16.1)
  • Details Correspondence for Script Engine GraalJS (Nashorn Compatible Mode) Abolition (April 2024)
• getGoogleOAuth2Token(QuserView, String) method in HttpClientWrapper is discontinued (#9106)
• Classes such as ListArray, ListArray.ListRow and methods such as setRows() that manipulate Table-type data are discontinued (#8613)
  • Please use methods of the ScriptListArray, ScriptListRow class instead
• Aborted the discontinuation of basic(String, String) method in the HttpRequestWrapper class (#9674)
  • It was scheduled to be discontinued in 2024-04, but will be left in place
  • If you want to perform Basic authentication by specifying a fixed user name/password when sending HTTP, use the authSetting(AuthSettingWrapper) method referring to the authentication information registered in HTTP Authentication Settings
• OAuth2 JWT Bearer Flow can now be implemented (#9269)
  • You can now independently implement authentication settings that support 2-legged OAuth using JWT (Json Web Token)
• Base64 encoding to URL-safe string format from binary is now available (#9630)
  • Added the encodeToUrlSafeString(ByteArrayWrapper) method to Base64UtilsWrapper
• $$. Added a method to the ItemDaoWrapper class that can retrieve choices from Select-type sub-data items of Table-type Data Items (#9290)
  • List<ItemView> findAll(SubDataDefinitionView)
  • ItemView findByValue(SubDataDefinitionView, String)
• $$. The value of Numeric/Date/Select-type sub-data items of Table-type Data Items can now be specified using BigDecimal / AddableDate / ItemView (#9291)
  • Added the following method to the ScriptListRow class
    • void setObject(String field_name, Object value)
    • void setObject(int index, Object value)
• Fixed the following Bugs
  • In the [Service Task (Add-on)] definition file, if the dependency of the depends-on attribute crosses over the <tab> element, the config items are not displayed correctly (#9610)

Throwing Message Intermediate Event (HTTP)/Script Task HttpClient

• Added the following headers to the allowed list in [Custom HTTP Headers]
  • $. Workbook-Session-Id (#9621)
    • Unique headers for the Microsoft 365 Excel API

Changes of Functions for System Administrator

• Fixed the following Bugs
  • $. In the [Basic Edition], the display is distorted in the Security section of the side menu (#9851)

System Summary

• Added the chart of ‘Number of logged-in users’ (#9158)
  • Aggregation will be performed after updating to Version 16.0

User

• User’s Latest Login Time can now be checked (#9367)
  • Recording starts after updating to Version 16.0
  • Login method (password/automatic/Google account/SAML) is not distinguished
    • “Auto (Login)” is a login function that uses information stored in cookies
• Expanded the user name input field in [New User] etc. (#9599)
• Setting to prevent emails from being sent to specific users from the workflow platform is now available (#9739)
  • Enable this setting when the user’s email address is not available for reception
• Moved the Download All function to the [Import users] screen from the Users/Organizations/Roles list screen (#9816)
  • So that it will be easier to perform bulk registration (update) by downloading the existing settings and importing them after editing the CSV
• Fixed the following Bugs
  • On the [User List] screen, if there is an error display related to licenses, the display is corrupted (#9667)
  • A system error may occur if some user update processing fails when using [Import CSV List] in [Import User] (#9816)

Password Login

• Strengthened the Password Policy setting rules (#8013)
  • Specification of two or more types of characters from uppercase letters/lowercase letters/numbers/symbols is now required
    • If no character type or only one character type has been specified, “lowercase alphabet letters” and “numbers” will be forcibly added in that order when updating Version 16.0
  • Increased the minimum number of characters from 8 characters
    • If two character types are specified: the minimum number of characters is 15
    • If three or four character types are specified: the minimum number of characters is 12
  • When building a new workflow platform, the default character types are Uppercase letters, Lowercase letters, and Numbers
• ‘Disable initial password’ is now the default when creating a New User (#9743)
• In [Import Users], if a password is not specified in CSV, the initial password will be invalidated (#9742)
  • Up to Version 15.2, the initial password was automatically generated
• Requesting users to change their passwords is now possible (#9741)
  • Added the [Need to change password at the next login] option in the [Password Reset] function
  • Users who are requested to change their password will not be able to use other functions until they complete the password change
  • $. The “Need to change password at the next login” option can now be specified when creating a New User (#9859)
• On the User Details screen, it is now possible to check whether the user is authorized to use password login. (#9754)
  • Even if the workflow platform has password login prohibited, Users with [System administration privileges] can log in with their password
  • The [Password Reset] button is now displayed only for users who are permitted to Password Login
• [Automatic login] function is now disabled by default (#9755)
  • Users who can use password login can use [Auto Login] on workflow platforms where this function is enabled
  • [Disable Auto login] is the default setting for newly built workflow platforms after Version 16.0.
    • For workflow platforms already used in Version 15.2, the settings will not change
• User’s Last password change time can now be checked (#9793, #9858)
  • Recording of the time starts after updating to Version 16.0
• $$. The Password Change function can now be used from a smartphone screen (#9778)

Position

• On the Position details screen, [Apps referring to the position] can now be checked (#9564)

SSO（SAML）

• When login fails due to a SAML-specific error, the error details are now recorded in the System Log (#9328)
• To improve security, migrated the library used and changed the internal implementation significantly (#9329)

REST API > Basic Authentication

• Allowing/disabling API access using Basic authentication can now be set/managed on a per User basis rather than per workflow platform basis (#9839)
  • [API Client] >[API Access with Basic Authentication] menu has been discontinued
  • API access using Basic authentication setting can now be changed on the User details screen
  • When updating to Version 16.0, settings will be migrated based on the following rules:
    • Workflow platforms where API access using Basic authentication was prohibited in Version 15.2: It is prohibited for all Users
    • Workflow platforms where API access using Basic authentication is allowed in Version 15.2: For users who have a record of Basic authentication in the [System Log], it is Allowed, and Users where there is no record of Basic authentication are Prohibited

REST API > OAuth2 Client

• To improve security, migrated the library used and changed the internal implementation significantly (#9597)
• Fixed the following Bugs
  • On the OAuth2 client details screen, if the redirect URL has multiple lines, the line break symbol is displayed as <br /> (#9745)

System Log

• The Password change log is now recorded in a different log type from User changes (#9780)
• User’s email address is now excluded from records in the log when login is successful (#9781)
  • E-mail address is now recorded in the User change log.
• Added item (column) to record target user ID/target User name (#9781)
  • Target users such as User change
• Changes to the main organization are now excluded from the user change log and are not recorded in the [System Log] (#9790)
• If a process is performed that does not actually change the content, such as a user name or organization name, logs such as “user change” and “organization change” will not be output (#9791)
• API access using Basic authentication is now not recorded in [System Log] (#9838)
• Horizontal scrolling of the System Log list display layout is now available (#9815)
  • The layout will be similar to the Process/Task list
• $$. Added a toggle button to control text wrapping in the System log list (#9785)
• Fixed the following Bugs
  • When the password is reset from the login page, the User ID/User name of the operating User is not recorded (#9779)
  • In the System Log list, the Details column may not be displayed when all columns to be displayed (#9814)
  • After setting filter conditions, adding/deleting/changing display columns causes the conditions to be reset (#9819)

DKIM

• $. DKIM is now supported (#9603)
  • The private key of the sender domain can now be registered in the workflow platform
  • Eligible in Advanced/Professional Edition

Changes of Functions for Questetra REST API Developer

• The format using the parameter activityId is discontinued in the API for starting a Process (/API/PE/ProcessInstance/start) (#9150)
• Added API to add/update/delete Positions (#9606)
  • /API/UGA/Qtitle/add, /API/UGA/Qtitle/update, /API/UGA/Qtitle/delete
• Added API to get System log list (#9794)
  • In addition to searching by specifying date/time/log ID (same as Web UI), it is now also possible to search by specifying Log type
• Changed the following specifications in the user addition API (/API/UGA/Quser/add)
  • The password parameter is no longer required (#9744)
    • If a password is omitted, a new User will be created with the initial password disabled
  • Added primaryQgroupId parameter (#9766)
    • When adding a User, it is now possible to specify the Main organization to which it belongs
    • Unlike the Web UI, it is not required
• $. Added the following parameters/properties to the APIs for User Addition (/API/UGA/Quser/add)/User Update (/API/UGA/Quser/update) (#9852, #9852, #9860)
  • emailReceivable (default: true): Whether capable of receiving emails
  • basicAuthenticationEnabled (default: false): Whether API access via Basic authentication is allowed
  • passwordResetRequired (default: false): Whether to require a password change the next time log in
• Added the following properties to the response of API (/API/User/Quser/list, /API/User/Quser/self, /API/User/Quser/find) that returns (a list of) Users (#9828, #9850, #9874)
  • latestLoginTime: Last login date and time
  • passwordLastUpdated: Last password change date and time
  • $. emailReceivable: Whether capable of receiving emails
  • $. basicAuthenticationEnabled: Whether API access via Basic authentication is allowed
  • $. passwordResetRequired: Whether to require a password change the next time log in
  • These are included only if the API is accessed by a User with User Manager Authorization
    • If an unauthorized user accesses the API, these properties will not be responded to
• In the response of the API (/API/Admin/ProcessModel/list) that retrieves the list of apps, Summary (processModelInfoShortExplanation) is now included (#9717)
• API reference ([REST API Reference]) is now automatically generated from source code (#9776, #9777)

---

Details for Version 16.0.1

(appended 2024-05-02)

Changes of Functions for Workflow Designer

Automatic Processing Steps that Cooperate with other Cloud Services/Processing Data

• Changed specifications in the following automated processing Steps (Service Tasks)
  • Google
    • Google Drive: Search Folder (#9943)
      • Authentication settings are changed to use “Service Account”
      • Existing authentication settings are discontinued (application definition error in Ver. 16.0.1), so it is necessary to change the settings

Changes of Functions for System Administrators

• Added a link to the help page in [DKIM] (#9968)
• Fixed the following bugs
  • On the [Edit OAuth2 Client] screen in [API Client], the scope option labels did not follow the language settings (#9963)

Non-functional Changes and Changes of External tool Functions

• Security enhancements to the workflow infrastructure (#9708)

---

Plans for Future Changes

We are planning to alter the following specifications and system platform in future versions.

Schedule for Version 16.1 (August 2024)

• The script engine GraalJS (new name: GraalJS (Nashorn Compatible Mode)) will be discontinued in scripts of Service Tasks (Add-on) (Postponed from April 2024)
  • It will be forced to transition to GraalJS (Standard Mode)
  • Script Engine GraalJS (Nashorn Compatible Mode) Discontinued (April 2024)

Schedule for Version 17.0 (April 2025)

• Old format URL in Message Start Event (Form) will be discontinued
  • Old format URL: /System/Event/MessageStartForm/view
  • Until discontinuation, it will be redirected to the current format URL
• In [Bulk User Registration] by CSV input, the format of “!Organization name” will be discontinued
• The APIs for searching Organization/Role affiliation without pagination will be discontinued
  • /API/User/Membership/listByQuser, listByQgroup
  • /API/User/RoleMembership/listByQuser, listByQrole
  • Please use the following API with pagination function
    • /API/User/Membership/list, /API/User/RoleMembership/list
• In the Questetra REST API, the API to obtain processing form screen information (/API/PE/Workitem/Form/viewXml) will be discontinued

Schedule for Version 18.0 (April 2026)

• The following methods related to HTTP authentication settings in Script Task/Service Tasks (Add-on) scripts will be discontinued
  • A warning message will be output to the Process Log when a deprecated API is executed
  • You can check the target App or Process by searching for “Only logs with warnings” in [Process Log]
  • Subject
    • httpClient.getOAuth2Token(String settingName)
    • httpClient.begin().authSetting(String settingName)
• In [Message Start Event]/[Catching Message Start Event (HTTP)], old-style reception parameters including data definition numbers (data[XX].input, etc.) will be discontinued
  • A warning message is now output to the Process log when old format reception parameters are used
  • Please change the HTTP sender to specify parameters using field names
• In the Membership API of Questetra REST API, the request parameter role and the role property included in the response will be discontinued
• In the Questetra REST API, the API for Task processing (/API/PE/Workitem/Form/save) will be discontinued
  • Please use the new Task processing API (/API/PE/Workitem/{workitemId}/Form/save) added in Version 15.2