Roles and Permission Groups based security - AN4006 - OpenLM Software License Management
Israel +972 4 6308447         USA +1 866 806 2068        JAPAN +81 3 45208991 担当:萩原

Roles and Permission Groups based security – AN4006


This document describes the OpenLM Roles and Permission Groups feature, and serves as a reference guide to system administrators who seek intricate grouping and permission granting over their OpenLM managed licensing control system.


The OpenLM Server supports a role-based security feature that enables system administrators to implement customized access to OpenLM tools by setting access roles. This feature facilitates the implementation of OpenLM tools for diverse groups; like help desk, system administrators, managers and developers. The role based security system secures nearly all the resources of the OpenLM system’s entities, such as listed servers, fields and action buttons.

Permissions and Roles

Permitting a Resource is the act of granting a certain accessibility level to that resource. Each permission is attached to a specific Resource, granting it a permission attribute. Permission attributes may hold either one of the following values:

  • Allow: The resource is accessible for a user or a user group.
  • Disable: The resource is visible but not accessible for a user or a user group.
  • Deny: The resource is neither visible nor accessible to a user or a user group.

A set of such Resource permissions is referred to as a role. Roles are attributed to certain groups of function holders in a company, each group having different accessibility options to OpenLM’s resources.

Roles’ implementation may be set on, enabling the differentiation of users and groups according to permission levels, or turned off altogether, thus granting all users and user groups full accessibility to all the system’s resources.

Handling of roles and permissions is easily done by system administrators on the EasyAdmin administrative interface of the OpenLM system. The intuitive EasyAdmin control panel incorporates all the options required to configure the roles and permission groups according to administration requirements.

Role Inheritance

Permission groups possess an inheritance property. This property facilitates the application of similar permission schemes to different groups. By doing so, different groups may be easily created with only slight differences between their permission schemes.


The characteristics of the roles and permissions feature have evolved over time, through constant feedback from OpenLM’s dependable customers, and are continuing to evolve according to common requests. For this reason OpenLM encourages its customers to send back their feedback and specific required features.

Creating a new role

In order to create a new role, go through the following steps:

1. Roles need to be created using OpenLM Administrator privileges. On the OpenLM Server configuration tool, click Advanced, and then check the Require login credentials box. The Set Administrator window opens. Type in the Administrator Name and Password to create an OpenLM Administrator user.

2. Select OK , and Apply

3. Open the EasyAdmin web application, and log in with the Administrator’s name and password.

4. Click the Start button on the EasyAdmin control panel. Select Administration → Roles tab. The Administration-Roles window appears, with some predefined default roles and their description.

5. Click the Add icon, to add a role. The Role Details dialog window appears.

6. Type in the role name and description (e.g. “HelpDesk” and “Help Desk Team” as they appear respectively in the image above). Click Save. Note that the new role name would be saved in lower-case format (i.e. “helpdesk”).

Adding resources to a role

Adding resources to the newly created role may be done in either one of two methods. The 1st is by manually selecting Resources and attaching them to the new role:

1. In the Roles window, Select the required role, e.g.: “helpdesk”. Click the “Edit” icon. The “Role Details for helpdesk” window appears (Similar to the “Role Details” dialog window depicted above). Note that the default predefined roles may not be edited.

2. Select the Resources tab, and click the Add button. The “Resources Search” dialog box appears. Note that each line in this table contains a Resource name and description, easing the linkage between a registry in the table and its actual function in the OpenLM system.

3. Select a resource (e.g. the add_project as marked above), and click the Select button. The “Role Details” window’s Resources tab now appears with the newly attached “add_project” resource.

4. Select the Resources tab and click on any line while under the Permission heading. The drop-down functionality is engaged and the user may now select a permission attribute for a resource per user.


Adding resource permissions via the inheritance property

1. In the “Role Details for helpdesk” dialog window, select the “Parent Roles” tab and click the Add icon. The Roles search dialog window appears.

2. Select the role that would serve as the parent of the newly created “helpdesk” role, e.g. “admin_role” in the image above, and click the Select button. Note that the “admin_role” is the default basic role, and is always apparent for serving as a parent role. The new “helpdesk” role now possesses all the permission attributes of the parent “admin_role”.

OpenLM users

In order to assign roles to users, we should first make sure such users exist in the OpenLM database. The list of users is shown in the EasyAdmin ‘Start’ → “Users & Permissions” → “Users” tab.

Users can be added to the OpenLM database in a number of ways:

1. By synchronizing the OpenLM database with the organization’s Active Directory (LDAP). See these Application notes for more information:

LDAP (Active Directory) Synchronization: Basic Guide

LDAP (Active Directory) Synchronization: Comprehensive Guide

2. Through monitoring of license usage.

3. By reading the FlexLM License file

OpenLM v2.0: Broker Comprehensive Installation Guide

4. By reading the FlexLM Options file: Managing Options Files Using OpenLM EasyAdmin

5. Manually created, as described below.

Important note:

Only users who have been introduced into the OpenLM Database via the last option (Manually created) are assigned an EasyAdmin login password in the process. Other users need to be assigned login passwords in order to access EasyAdmin. In order to do so:

  • Login as an administrator,
  • In the EasyAdmin Start → Users and Permissions → Users window, select the user name, and click “Change password”
  • Assign a login password to the user.

Manually creating a new user entry

In order to manually create a new user entry in EasyAdmin, go through the following steps:

1. Follow this path, EasyAdmin Start→ Users & Groups →Users tab. The Users window appears.

2. Click the Add User button. The User details form appears. Fill in the appropriate information items, check the Enabled box and click Save as depicted below.

Note that the new user, Mr. Winston Churchill, has been assigned an EasyAdmin login password in the process of introduction. The new user’s information is presented attached to the Username on the Users window:

Manually adding a user to a group

Users can be made members of a group by either:

1. Synchronizing the OpenLM database with the organization’s Active Directory (LDAP). See these Application notes for more information:

LDAP (Active Directory) Synchronization: Basic Guide

LDAP (Active Directory) Synchronization: Comprehensive Guide

2. Manually, as described below:

a. Follow this path: EasyAdmin Start→ Users & Groups → Groups. The Groups window appears.

b. Select a group from the Group window (e.g. “GroupName”), and click the Members icon in order to view the members of the selected group. The Users in Group Name window appears.

c. Click the Add icon, in order to add further users to Group Name’s list of users.

Assigning roles to a user or group of users

After establishing a new role of permissions and introducing a new user or group of users, it is now possible to attach this role to the users, in order to assign the role’s permission set to these users.

In order to do so, Please:

1. Follow this path: EasyAdmin Start→ Administration → Roles.

2. Select the new role (e.g. “helpdesk”), The Role details for help desk” dialog window appears.

3. Click the Users or Groups buttons on the bottom of the window. The appropriate window (i.e. the Users in helpdesk or Groups in help desk) appears.

4. Click the Add icon. The appropriate window (User search or Groups) appears. Select the required instance of user or group, and click the Select icon. The added user or Group instance has been added to the role, and may be seen there in the Users in help desk or Groups in help desk window.

Changing a Resource’s permission attribute

In order to change a Resource’s permission attribute, e.g. to disable accessibility to this Resource by a certain role, follow this procedure:

1. Follow this path: EasyAdmin Start –> Users and Groups –> Workstations. In this example – this would be the affected Resource.

2. Follow this path: EasyAdmin Start –> Administration –> “Roles” tab.

3. Select a specific role, e.g. “helpdesk”. Click the Edit button. The Role details for helpdesk dialog window appears.

4. Select the Resources tab and click the Add icon.

5. Select a resource, e.g. “control_panel_menu_workstations” as depicted, and click Select. The control_panel_menu_workstations resource is added to the Role details for helpdesk dialog window

6. Stand and click on the Permission attribute of that Resource. a drop-down list appears. Click the drop down list, and select the required permission attribute value, e.g.: Disable.

7. Click the Save icon, close and reopen the OpenLM EasyAdmin UI.

8. Click the Start button on the EasyAdmin control panel. Select the Users & Groups tab. Notice that Workstation is no longer visible. It has been removed from the admin_role view.

License Server Resource visibility

If the permission of a Resource entry which name starts with the word “server_*” is disabled or denied, the respective user groups would become unable to view items on that server. Moreover, that server would become omitted from the OpenLM Agent’s “License usage information” window.

The following is an administrator Frequently Asked Question: “Why is all license usage information on the Agent blocked whenever an admin account is created in the OpenLM Server Configuration window?“ The answer is that when permissions are enabled, users need to be assigned a set of permissions that would allow them to view license servers’ details. In order to achieve this, please follow this action list:

1. Uncheck, and then recheck the Require Login Credentials checkbox. Follow the Creating a new role section above.

2. Assign resources to the new role: After you save the new role, the Resources tab will become enabled. Navigate to that tab. Note that it is assigned with one default resource. Now you need to add all resources that have this name pattern “server_servername” e.g. server_srv1 (where srv1 is the name of the server that you will grant access to). In order to do so, Follow the description in section Adding resources to a role above.

3. Assign the new role to the admin user: In order to do so, Follow the description in section Assigning roles to a user or group of users above.

Permission arbitration

Using the permissions tool, it is possible to grant resource permissions to single users independently. Also, as stated above, permissions may be inherited from parent roles. If one method grants permission and the other denies is, a mismatch condition may be present. In this case – an arbitration procedure is executed; The closest entity to a single user, i.e. a permission attribute granted to an individual user, or to the “youngest child” of an inherited attribute is the most “powerful”. If two contradicting attributes of the same strength are applied: an unknown condition may occur.

For example, picture the following circumstance:

  • Admin role is parent to two roles: Role1 and Role2.
  • Admin denies permission to a resource.
  • Role1 does not explicitly refer to that resource, hence – it denies it implicitly.
  • Role2 explicitly allows the resource permission.

User attributes:

  • If User is attached to any one single role, its permission attributes will be the same as that of the role.
  • If User is attached to roles Admin and Role1 the permission will be denied.
  • If User is attached to Role1 & Role2, the permission would be allowed, since Role2 is the “youngest child” to infer to that resource.
  • If User is attached to roles Admin and Role2, an unknown condition occurs.

Please see the example below:

Guest user

A ‘Guest’ user role may also be defined. This user will not require a password in order to login, and will normally be granted limited permissions.

In order to do so:

  • Click the ‘Start’ –> Administration button, and select the ‘Roles’ icon
  • Check the “Enable guest account” box.
  • Assign resources to the “Guest_role” role.

On the next EasyAdmin login the user will be handed the option to log in as a guest, without the need to type in a password.

List of resources

The following is a list resources that are available on the OpenLM version 3.0.0.*

  • add_group: Permission to add a new group
  • add_group_members: Permission to add group members
  • add_parent_role: Permission to add a parent role
  • add_project: Permission to add a project
  • add_project_groups: Permission to add project groups
  • add_project_members: Permission to add members to a project
  • add_project_members_groups: Permission to add members groups to a project
  • add_role: Permission to add a new role
  • add_role_group: Permission to add a group to a role
  • add_role_resource: Permission to add a resource to a role
  • add_role_user: Permission to associate a user with a role
  • add_user: Permission to add a new user
  • admin_panel_roles: Administrative Panel – Show “Roles”
  • configuration_form_read: Permission to open “OpenLM Server Configuration” tool
  • configuration_form_update: Permission to make updates in the “OpenLM Server Configuration” tool
  • control_panel_menu_administration: Permission to configure administration actions
  • control_panel_menu_alerts: Control Panel – Show “Alert” (under “Widgets” menu)
  • control_panel_menu_all_features: Control Panel – Show “All Features” (under “Option Files” menu)
  • control_panel_menu_audit_report: Control Panel – Show “Audit Report” (under “Management” menu)
  • control_panel_menu_change_password: Control Panel – Show “Change Password” in “Start” menu
  • control_panel_menu_currently_consumed_licenses: Control Panel – Show “Currently Consumed Licenses” (under “Operational” menu)
  • control_panel_menu_denials: Control Panel – Show “Denials” (under “Reports” menu)
  • control_panel_menu_feature_usage_status: Control Panel – Show “Feature Usage Status” (under “Widgets” menu)
  • control_panel_menu_features: Control Panel – Show “Features”  (under “Option Files” menu)
  • control_panel_menu_general_statistics: Control Panel – Show “General Statistics” (under “Widgets” menu)
  • control_panel_menu_group_usage: Control Panel – Show “Group Usage” (under “Reports” menu)
  • control_panel_menu_groups: Control Panel – Show “Groups” (under “User & Groups” menu)
  • control_panel_menu_host_availability: Control Panel – Show “Host Availability” (under “Widgets” menu)
  • control_panel_menu_host_groups: Control Panel – Show “Host Groups” (under “Option Files” menu)
  • control_panel_menu_ips: Control Panel – Show “IPs” (under “Option Files” menu)
  • control_panel_menu_license_activity: Control Panel – Show “License Activity”  (under “Reports” menu)
  • control_panel_menu_license_not_in_use: Control Panel – Show “License not in use” (under “Management” menu)
  • control_panel_menu_license_procurement: Control Panel – Show “License Procurement” (under “management” menu)
  • control_panel_menu_license_servers: Control Panel – Show “License Servers” (under “Widgets” menu)
  • control_panel_menu_license_usage: Control Panel – Show “License Usage” (under “Reports” menu)
  • control_panel_menu_license_usage_heatmap: Control Panel – Show “License Usage Heatmap”
  • control_panel_menu_license_utilization : Control Panel – Show “License Utilization” (under “Management” menu)
  • control_panel_menu_licenses: Control Panel – Show “Licenses” (under “Management” menu)
  • control_panel_menu_logout: Control Panel – Show “Logout” in “Start” menu
  • control_panel_menu_management: Control Panel – Show “management” (include: “Licenses”, “Licenses Not In Use”, “License Utilization”, “License Procurement”, “Audit Report” and “Unique Users Report”)
  • control_panel_menu_operational: Control Panel – Show “Operational” (include: “currently consumed licenses”, “Released licenses”)
  • control_panel_menu_opt_file_admin: Control Panel – Show “Opt. File Admin” (under “Option Files” menu)
  • control_panel_menu_option_files: Control Panel – Show “Option File”  (include: “Policy”, “Features”, “All Features”, “IPs”, “Host Groups”, “Opt. File Admin”)
  • control_panel_menu_policy: Control Panel – Show “Policy” (under “Option Files” menu)
  • control_panel_menu_project_list: Control Panel – Show “Project List” (under “User & Groups” menu)
  • control_panel_menu_project_usage: Control Panel – Show “Project Usage” (under “Reports” menu)
  • control_panel_menu_recent_feature_denials: Control Panel – Show “Recent Feature Denials” (under “Widgets” menu)
  • control_panel_menu_released_licenses: Control Panel – Show “Released Licenses”  (under “Operational” menu)
  • control_panel_menu_reports: Control Panel – Show “Reports” (include: “Project Usage”, “Group Usage”, “License Usage”, “License Activity”, “Denials”)
  • control_panel_menu_selected_feature_statistics: Control Panel – Show “Selected Feature Statistics”  (under “Widgets” menu)
  • control_panel_menu_unique_users_report: Control Panel – Show “Unique Users Report” (under “Management” menu)
  • control_panel_menu_user_settings: Control Panel – Show “User Settings” in “Start” menu
  • control_panel_menu_users: Control Panel – Show “Users” (under “User & Groups” menu)
  • control_panel_menu_users_permissions: Control Panel – Show “Users & Groups” in “Start” menu (include: “Users”, “Groups”, “Roles”, “Project List”, “WorkStation”)
  • control_panel_menu_widgets: Control Panel – Show “Widgets” (include: “License Servers”, “License Usage Heat Map”, “Host Availability”, “General Statistics”, “Alerts”, “Recent Features Denials”, “Features Usage Status”, “Selected Feature Statistics”)
  • control_panel_menu_workstations: Control Panel – Show “WorkStatisions”  (under “User & Groups” menu)
  • control_panel_tab: Basic permission to open “EasyAdmin”
  • control_panel_user_settings: Control Panel – Show “User Settings” in “Start” menu
  • currently_consumed_licenses_column_borrowed: Currently Consumed Licenses Panel – Show Borrowed column
  • currently_consumed_licenses_column_close_application: Currently Consumed Licenses Panel – Permission to close applications
  • currently_consumed_licenses_column_duration: Currently Consumed Licenses Panel – Show Duration column
  • currently_consumed_licenses_column_email: Currently Consumed Licenses Panel – Show Email column
  • currently_consumed_licenses_column_first_name: Currently Consumed Licenses Panel – Show First Name column
  • currently_consumed_licenses_column_host_id: Currently Consumed Licenses Panel – Show Host Id column
  • currently_consumed_licenses_column_idle_times: Currently Consumed Licenses Panel – Show Idle Times column
  • currently_consumed_licenses_column_ip: Currently Consumed Licenses Panel – Show IP column
  • currently_consumed_licenses_column_last_name: Currently Consumed Licenses Panel – Show Last Name column
  • currently_consumed_licenses_column_linger_due: Currently Consumed Licenses Panel – Show Linger Due column
  • currently_consumed_licenses_column_linger_time: Currently Consumed Licenses Panel – Show Linger Time column
  • currently_consumed_licenses_column_phone_number: Currently Consumed Licenses Panel – Show Phone Number column
  • currently_consumed_licenses_column_recent_application_idle_period: Currently Consumed Licenses Panel – Show Recent Application Idle Period column
  • currently_consumed_licenses_column_remove_license: Currently Consumed Licenses Panel – Permission to remove licenses
  • currently_consumed_licenses_column_start_time: Currently Consumed Licenses Panel – Show Start Time column
  • currently_consumed_licenses_column_username: Currently Consumed Licenses Panel – Show User Name column
  • currently_consumed_licenses_column_workstation: Currently Consumed Licenses Panel – Show Workstation column
  • currently_consumed_licenses_column_workstation_idle_time: Currently Consumed Licenses Panel – Show Workstation Idle Time column
  • delete_group: Permission to delete an existing group
  • delete_history: Permission to delete historical data
  • delete_parent_role: Permission to delete a parent role
  • delete_project: Permission to delete a project
  • delete_role: Permission to delete a n existing role
  • delete_role_resource: Permission to delete a resource from a role
  • denials_column_first_name: Denials Panel – Show First Name column
  • denials_column_last_name: Denials Panel – Show Last Name column
  • denials_column_user_name: Denials Panel – Show User Name column
  • denials_column_workstation: Denials Panel – Show Workstation column
  • denials_filter_user: Permission To Run Filter On Denials By User
  • denials_filter_workstation: Permission To Run Filter On Denials By Workstation
  • disable_project: Permission to disable project
  • duplicate_role: Permission to duplicate an existing role
  • edit_group: Permission to edit an existing group
  • edit_project: Permission to edit a project
  • edit_role: Permission to edit an existing role
  • edit_unmanaged_processes: Permission to edit unmanaged processes
  • edit_user: Permission to edit an existing user
  • enable_or_disable_groups: Permission to enable or disable groups
  • enable_or_disable_users: Permission to enable or disable users
  • enable_project: Permission to enable projects
  • license_activity_column_first_name: License Activity Panel – Show First Name column
  • license_activity_column_email: License Activity Panel – Show Email column
  • license_activity_column_first_name: license_activity_column_first_name
  • license_activity_column_host_ids: License Activity Panel – Show Host IDs column
  • license_activity_column_ip: License Activity Panel – Show IP column
  • license_activity_column_last_name: License Activity Panel – Show Last Name column
  • license_activity_column_username: License Activity Panel – Show User Name column
  • license_activity_column_workstation: License Activity Panel – Show Workstation column
  • license_activity_filter_user: Permission To Run Filter On License Activity By User
  • license_activity_filter_workstation: Permission To Run Filter On License Activity By Workstation
  • license_usage_filter_user: Permission to run filter on License Usage by Users
  • remove_group_members: Permission to remove group members
  • remove_project_groups: Permission to remove project groups
  • remove_project_members: Permission to remove members from a project
  • remove_project_members_groups: Permission to remove members groups to a project
  • remove_role_group: Permission to remove a group from a role
  • remove_role_user: Permission to remove a user from a role
  • remove_workstation: Permission to remove workstations
  • user_change_password: Permission to change other users password
  • view_dashboard: Permission to view the Dashboard
  • view_group_members: Permission to view group members
  • view_system_messages:Permission to view system messages
  • view_unmanaged_processes: Permission to view unmanaged processes (under “Administration” menu)