ProjectWise Design Integration Forum

    I need help for this ProjectWise big security glitch

    Darko Obradovic, 1 month ago

    The ProjectWise Explorer Export feature is greyed out/disabled for files but not for folders; any basic user with read/file read permissions can export a folder and all files in it to any location on the device. How do I disable the Export unmanaged option?

    We are currently using the 10.00.03.49 version but it is the same issue in 10.00.03.434 (tested).

    I had opened the case with Bentley but after 4 months it was closed. I need help for this ProjectWise big security glitch.

    Thank you in advance!


    Top Replies

    • Dave Cumming
      Tue, Oct 24 2023 3:38 AM, in reply to Darko Obradovic
      Hi Darko, We are currently launching a new series of PW Admin Fundamentals courses on our YouTube channel, with new videos being uploaded every week or two…Here is a link to the playlist overview: https…
    • Dave Cumming
      Sat, Oct 21 2023 11:12 AM

      Hi Darko,

      There is no security glitch regarding this issue.

      Access Control is used to prevent documents from being COPIED OUT or EXPORTED. 

      Any document for which a user does not have File Read access cannot be COPIED OUT or EXPORTED.

      When trying to do so, the user will receive a pop-up dialog telling them that they do not have the required privileges. 

      The following images (10.00.03.434) demonstrate what happens in either scenario.

      When they try to COPY OUT the document, they will receive this pop-up:

      When trying to EXPORT the document, they will receive this pop-up:

      The COPY OUT function is essentially just an unmanaged export to a predetermined location. Any user with the ability to open a file from ProjectWise must first copy/export it from the server to their local working directory. Once copied out, a user can copy or move the local file anywhere if they so choose and disabling the Export>Send To function would only serve to make that task require more effort.

      Currently, there is no way to disable the Export>Send To function. Please submit an idea to add a user setting for disabling this functionality on the ProjectWise Ideas Portal.

    • Darko Obradovic
      Mon, Oct 23 2023 10:02 AM

      Hi Dave,

      The problem is that a basic user can export folders; for documents/files that option is working as it is supposed to, it is greyed out. Did you try to export a folder? Thank you

    • Kevin van Haaren
      Mon, Oct 23 2023 12:58 PM, in reply to Darko Obradovic

      The ability to export a file is, as Dave said, dependent on having the File Read permission on the file. The Export menu option may be enabled, but if you actually try it you get an error for every file you don't have File Read on.

      For example, I exported a folder tree where I had read-only for the folders, and read for the files but NOT file read on any files. When I exported I got the folders but they were all empty and every file generated an error. At the end I got a summary of all the errors:

      One gotcha to watch out for: File permissions do not have to match the folder settings. It's possible to break the "inherit permissions" on a file and set the permissions separately from the folder. If this is done to a file and the File Read permission given it will export that one file even if the folder permissions are set so File Read is off.

      Along with this, if a user does not have permissions at all on a folder, but does on the files in a folder, they won't be able to browse to the file from the Explorer folder trees, BUT a search will bypass the folder tree and show any file they have at least the Read permission on. If they also have File Read they will be able to export the file from the search window.

       

    • Darko Obradovic
      Mon, Oct 23 2023 2:36 PM

      Hi Kevin, Thank you for your quick response! I am talking about general security in ProjectWise and the possibility that everyone can export all files in your datasource with only read permissions:

      A basic user with read/File Read and a basic user with only read can copy out a file to the default location (This one is bad as well, a basic user with read permission cannot open the file in PW but can copy out and open in Windows Explorer?) but OK.

      This one is bad, basic user with only read permission:

      Export option is greyed out for file but it is not for Folder Export option:

      CADD folder exported with all files.

      The scariest part is that you can do it with the root folder and export every single subfolder with all files where *Everyone is assigned, regardless of read/File Read permissions.

      Assigning Groups and Users Lists in ProjectWise have no purpose, right? How about contractors? Everyone can export all files in your datasource with only read permissions? Security?

    • Kevin van Haaren
      Mon, Oct 23 2023 3:04 PM, in reply to Darko Obradovic

      ProjectWise permissions can be granted to a user, group, user list or the *Everyone special user. Because a user can be in multiple groups/user lists etc... ProjectWise needs to decide what to do when a user is given permissions via different group or user lists or *everyone. ProjectWise uses the same resolution for this that Windows uses: the user will be granted the most permissions* given to the combination of users/groups/etc... they are in.

      If you give the *Everyone account read and file read permissions, but have other groups with just Read and NOT file read, it doesn't matter, the *Everyone group gives them File Read and so they will be able to export files.

      For example, in my screenshot below the KvHTesting account does NOT have file read permission, but the *Everyone group does. By the rule that the user is granted the most permissions from all the groups they are in, the KvHTesting account will be able to export files because they have File Read via the *Everyone permissions.

      *There is one exception to the most permissions rule: No Access. If a user is a member of a group that is assigned the No Access permission, then they will not have access no matter what the permissions are on other groups.

      Because of the way permissions are applied it's generally a very bad idea to use the *Everyone group for any permissions, you should only list the groups you explicitly want to have permissions.

      We only make one exception in our own datasources to this "don't use *Everyone" rule; that's for our managed workspace files that are kept separate from general project files for this reason.

      If you don't think this is what you're running into you'll probably need to post the actual Access Control Settings (you can black out the names on the left, or replace them with something else if you need to).

       

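The resolution rule from the reply above (most permissions across every matching entry, No Access overriding, and a file with broken inheritance judged on its own entries), modelled as an added example that is not part of the original thread and calls no ProjectWise API. The ACL rows and the "Contractors", "Staff" and "u1" names are constructed for illustration.

```python
# Added illustration: a model of the rule described in the thread, not
# ProjectWise code. ACL rows and the "Contractors"/"Staff" names are constructed.
from dataclasses import dataclass

NO_ACCESS = "No Access"

@dataclass(frozen=True)
class Ace:
    principal: str      # user, group, user list, or "*Everyone"
    rights: frozenset   # e.g. {"Read", "File Read"} or {NO_ACCESS}

def effective_rights(user, memberships, acl):
    """Most-permissions rule: union of every matching entry, unless any
    matching entry is No Access, which overrides everything else."""
    principals = {user, "*Everyone", *memberships}
    matched = [a.rights for a in acl if a.principal in principals]
    if any(NO_ACCESS in r for r in matched):
        return frozenset()
    return frozenset().union(*matched)

def can_export(user, memberships, folder_acl, file_acl=None):
    """Export needs File Read on the file. A file whose inheritance was
    broken (file_acl given) is judged on its own entries, not the folder's."""
    acl = folder_acl if file_acl is None else file_acl
    return "File Read" in effective_rights(user, memberships, acl)

def everyone_file_read(acls):
    """Audit helper: paths where *Everyone itself is granted File Read."""
    return sorted(p for p, acl in acls.items()
                  if any(a.principal == "*Everyone" and "File Read" in a.rights
                         for a in acl))

# Constructed sample: *Everyone has File Read, the user's own entry does not.
CADD = [Ace("*Everyone", frozenset({"Read", "File Read"})),
        Ace("KvHTesting", frozenset({"Read"}))]
LOCKED = [Ace("Staff", frozenset({"Read"}))]
ONE_FILE = [Ace("Staff", frozenset({"Read", "File Read"}))]  # inheritance broken

if __name__ == "__main__":
    print(can_export("KvHTesting", [], CADD))                   # via *Everyone
    print(can_export("KvHTesting", ["Contractors"],
                     CADD + [Ace("Contractors", frozenset({NO_ACCESS}))]))
    print(can_export("u1", ["Staff"], LOCKED, file_acl=ONE_FILE))
    print(everyone_file_read({"CADD": CADD, "Locked": LOCKED}))
```

Running `everyone_file_read` over an exported list of access control settings gives the folders to review first when removing *Everyone grants.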