ProjectWise - User synchronization in ProjectWise 2023/2024

User synchronization in ProjectWise 2023/2024

This article provides an overview of user synchronization capabilities in ProjectWise 2023.

User synchronization is being continuously improved. This page will be used to post updates improvements to user synchronization capabilities. Subscribe to this page for updates.

ProjectWise datasource User synchronization is used to control user access to ProjectWise based on their membership in organization or project user groups that are defined and managed outside of ProjectWise environments.

In ProjectWise versions before 2023 ProjectWise User Synchronization Service was used for this purpose. It could synchronize users and groups from one or more domains in Active Directory. User Synchronization Service is no longer available in the latest releases of ProjectWise.

Starting with ProjectWise 2023 Bentley IMS became the primary location for defining users and their entitlements for use with Bentley applications. Currently most Bentley applications and all cloud services require IMS authentication. ProjectWise user management is also evolving to adjust to this change.

User synchronization via IMS

Microsoft Entra ID (former Azure AD) user and group synchronization to IMS (SCIM)

Automatic user provisioning from Microsoft Entra ID to Bentley IMS must be configured first. This ensures that all required users and groups are readily available for synchronizing with ProjectWise datasources.

Detailed configuration instructions can be found here: https://bentleysystems.service-now.com/community?id=kb_article&sysparm_article=KB0113212

Limitations:

Synchronization works only with Microsoft Entra ID. Local Active Directory is not supported.
The maximum number of users groups is 500.
Note limitations to group naming

Prepare ProjectWise for synchronization

ProjectWise 2023 (and later) introduces several new settings that control user synchronization.

A screenshot of a computer

Description automatically generated

Datasource properties:

Allow user group membership updated by identity claims - turn it on to assign users to special ProjectWise groups based on their group membership in IMS.

A screenshot of a computer

Description automatically generated

User group property:

Update user membership from Bentley IMS claims - when turned on ProjectWise will automatically add or remove users from this group, if they are (or are not) members of IMS group with the same name.

User membership in IMS groups is checked and updated during each login for users that match Dynamic Creation identity filer criteria.

Dynamic user creation

A screenshot of a computer screen

Description automatically generated

Dynamic creation enables user accounts to be created at the time of login when they meet identity filtering criteria. If group assignment is configured, users will also be assigned to ProjectWise groups, based on their IMS group membership.

Important security consideration:

It is possible to allow Dynamic Creation of users from multiple organizations. In most cases it is not recommended to use such configuration. When both organizations have an IMS group with the same name and such group is defined in ProjectWise, then users from both organizations will be added to this group. This may cause unintended access for users from external organizations.

Limitations:

It is currently not possible to limit synchronization to only users who belong to at least one synchronized group in ProjectWise. Dynamic Creation will add any users matching identity filter to datasource.

User Synchronization Profiles (Active User Synchronization)

ProjectWise 2023 and later is capable of actively synchronizing all IMS users and their group membership. Currently the cloud service required for this feature to work is not publicly available, so it is not yet possible to setup the synchronization using this method.

Notice that Dynamic user creation, combined with user group updates on every login already provides substantial dynamism in ensuring that users can only access what they should without requiring all users to be preloaded into datasource.

What if current user synchronization does not meet your needs?

Current synchronization capabilities are different compared to legacy User Synchronization Service. If you are considering upgrading to the latest generation of ProjectWise and you think that current capabilities do not meet your needs, create a service case for a deep dive into your use case. There may be alternative solutions avalable.

Change History:

2024-12-04 - initial version.