Roles & Permissions Group-based security

Scope #

This document describes the OpenLM Roles & Permissions Groups feature, and serves as a reference guide to system administrators who seek intricate grouping and permission granting over their OpenLM managed licensing control system.

General #

The OpenLM Server supports a role-based security feature that enables system administrators to implement customized access to OpenLM tools by setting access roles. This feature facilitates the implementation of OpenLM tools for diverse groups, such as help desk, system administrators, managers and developers. The role-based security system secures nearly all the resources of the OpenLM system’s entities, such as listed servers, fields and action buttons.

Identity Service #

 The OpenLM Identity Service is a multi-layered identity and access management attribute of our license monitoring and management solution. 

If your license file does not include the Roles & Permissions feature, Identity Service still provides basic roles to assign to users, but you can only edit them (no adding, deleting or duplicating).

If your license file includes Roles & Permissions, the full range of role functionality described below is available.

Consult our Sales team at sales@openlm.com to find out about the full spectrum of functionality.

The first default account in Identity Service is Admin. To create a new user, follow the steps below.

Creating a new User 

  1. Create a User account in the EasyAdmin User Interface.

  2. Assign the desired role(s) to the created user.

  3. Create the same user in Identity Service with a password.

Note: If you want the user to be able to edit Identity Service settings, enable the System Administrator toggle button.

  4. Log in to EasyAdmin with the user account.

Currently, the same user has to be added manually in both the EasyAdmin and the Identity Service UI. Passwords in particular can be changed only by the system administrator of the Identity Service UI.

Permissions and Roles #

Permitting a Resource is the act of granting a certain accessibility level to a certain resource. Each permission is attached to a specific Resource, granting it a permission attribute. Permission attributes may hold either one of the following values:

  • Allow: The resource is accessible for a user or a user group.
  • Disable: The resource is visible but not accessible for a user or a user group.
  • Deny: The resource is neither visible nor accessible to a user or a user group.

A set of such Resource permissions is referred to as a role. Roles are attributed to certain groups of function holders in a company, each group having different accessibility options to OpenLM’s resources.

Roles’ implementation may be set on, enabling the differentiation of users and groups according to permission levels, or turned off altogether, thus granting all users and user groups full accessibility to all the system’s resources.

Handling of Roles & Permissions is easily done by system administrators on the EasyAdmin administrative interface of the OpenLM system. The intuitive EasyAdmin control panel incorporates all the options required to configure the Roles & Permissions groups according to administration requirements.

Role Inheritance #

Permission groups possess an inheritance property. This property facilitates the application of similar permission schemes to different groups. By doing so, different groups may be easily created with only slight differences between their permission schemes.

Creating a new role #

In order to create a new role, go through the following steps:

1.  Open the EasyAdmin User Interface, and log in with the Administrator’s name and password.

2. First, your organization’s SMTP server has to be configured. Open the OpenLM User Interface → click Start → select Administration → click Email/SMS → fill in your organization’s SMTP server details → Send Test Email → Save.

3. The Roles need to be created using OpenLM Administrator privileges, and duplicated in the Identity Service.

4. Click the Start button on the EasyAdmin control panel. Select Administration → Roles tab. The Administration-Roles window appears, with some predefined default roles and their description.

5. Click the Add icon, to add a role. The Role Details dialog window appears.  Type in the role name and description (e.g. “HelpDesk” and “Help Desk Team” as they appear respectively in the image above). Click Save. Note that the new role name would be saved in lower-case format (i.e. “helpdesk”).

Adding resources to a role #

Resources can be added to the newly created role in either of two ways. The first is by manually selecting Resources and attaching them to the new role:

1. In the Roles window, Select the required role, e.g.: “helpdesk”. Click the “Edit” icon. The “Role Details for helpdesk” window appears (Similar to the “Role Details” dialog window depicted above). Note that the default predefined roles may not be edited.

2. Select the Resources tab, and click the Add button. The “Resources Search” dialog box appears. Note that each line in this table contains a Resource name and description, easing the linkage between a registry in the table and its actual function in the OpenLM system.

3. Select a resource (e.g. the add_project), and click the Select button. The “Role Details” window’s Resources tab now appears with the newly attached “add_project” resource.

4. Select the Resources tab and click on any line while under the Permission heading. The drop-down functionality is engaged and the user may now select a permission attribute for a resource per user.

Adding resource permissions via the inheritance property #

1. In the “Role Details for helpdesk” dialog window, select the “Parent Roles” tab and click the Add icon. The Roles search dialog window appears.

2. Select the role that would serve as the parent of the newly created “helpdesk” role, e.g. “admin_role” in the image above, and click the Select button. Note that “admin_role” is the default basic role, and is always available to serve as a parent role. The new “helpdesk” role now possesses all the permission attributes of the parent “admin_role”.

OpenLM users #

In order to assign roles to users, we should first make sure such users exist in the OpenLM database. The list of users is shown in the EasyAdmin ‘Start’ → “Users & Groups” → “Users” tab.

Users can be added to the OpenLM database in a number of ways:

1. By synchronizing the OpenLM database with the organization’s Active Directory, by using the OpenLM Directory Sync.

2. Through monitoring of license usage.

3. By reading the FlexLM License file 

4. By reading the FlexLM Options file

5. Manually created, as described below.

Manually creating a new user entry

In order to manually create a new user entry in EasyAdmin, go through the following steps:

1. Follow this path, EasyAdmin Start→ Users & Groups → Users tab. The Users window appears.

2. Click the Add User button. The User details form appears. Fill in the appropriate information items, check the Enabled box and click Save as depicted below.

Manually adding a user to a group

Users can be made members of a group by either:

1. Synchronizing the OpenLM database with the organization’s Active Directory. See Directory Sync documentation for more information.

2. Manually, as described below:

a. Follow this path: EasyAdmin Start→ Users & Groups → Groups. The Groups window appears.

b. Select a group from the Group window (e.g. “GroupName”), and click the Members icon in order to view the members of the selected group. The Users in Group Name window appears.

c. Click the Add icon, in order to add further users to Group Name’s list of users.

Assigning roles to a user or group of users #

After establishing a new role of permissions and introducing a new user or group of users, it is now possible to attach this role to the users, in order to assign the role’s permission set to these users.

To do so:

1. Follow this path: EasyAdmin Start→ Administration → Roles.

2. Select the new role (e.g. “helpdesk”). The “Role details for helpdesk” dialog window appears.

3. Click the Users or Groups button at the bottom of the window. The appropriate window (i.e. “Users in helpdesk” or “Groups in helpdesk”) appears.

4. Click the Add icon. The appropriate window (User search or Groups) appears. Select the required user or group, and click the Select icon. The selected user or group is added to the role, and may be seen in the “Users in helpdesk” or “Groups in helpdesk” window.

Changing a Resource’s permission attribute #

In order to change a Resource’s permission attribute, e.g. to disable accessibility to this Resource by a certain role, follow this procedure:

1. Follow this path: EasyAdmin Start→ Users and Groups→ Workstations. In this example – this would be the affected Resource.

2. Follow this path: EasyAdmin Start → Administration → “Roles” tab.

3. Select a specific role, e.g. “helpdesk”. Click the Edit button. The Role details for helpdesk dialog window appears.

4. Select the Resources tab and click the Add icon.

5. Select a resource, e.g. “control_panel_menu_workstations” as depicted, and click Select. The control_panel_menu_workstations resource is added to the Role details for helpdesk dialog window.

6. Click the Permission attribute of that Resource. A drop-down list appears. Click the drop-down list, and select the required permission attribute value, e.g.: Disable.

7. Click the Save icon, close and reopen the OpenLM EasyAdmin UI.

8. Click the Start button on the EasyAdmin control panel. Select the Users & Groups tab. Notice that Workstation is no longer visible. It has been removed from the admin_role view.

License Server Resource visibility #

If the permission of a Resource entry whose name starts with “server_” is disabled or denied, the respective user groups become unable to view items on that server. Moreover, that server is omitted from the “License usage information” window of the Workstation Agent (formerly OpenLM Agent).

The following is an administrator Frequently Asked Question: “Why is all license usage information on the Agent blocked whenever an admin account is created in the OpenLM Server Configuration window?“ The answer is that when permissions are enabled, users need to be assigned a set of permissions that would allow them to view license servers’ details. In order to achieve this, please follow this action list:

1. Uncheck, and then recheck the Require Login Credentials checkbox. Follow the Creating a new role section above.

2. Assign resources to the new role: After you save the new role, the Resources tab becomes enabled. Navigate to that tab. Note that it is assigned one default resource. Now add all resources that have the name pattern “server_servername”, e.g. server_srv1 (where srv1 is the name of the server that you will grant access to). To do so, follow the description in the section Adding resources to a role above.

3. Assign the new role to the admin user: To do so, follow the description in the section Assigning roles to a user or group of users above.

Permission arbitration #

Using the permissions tool, it is possible to grant resource permissions to single users independently. Also, as stated above, permissions may be inherited from parent roles. If one method grants permission and the other denies it, a mismatch condition may be present. In this case, an arbitration procedure is executed: the entity closest to a single user, i.e. a permission attribute granted to an individual user or to the “youngest child” of an inherited attribute, is the most “powerful”. If two contradicting attributes of the same strength are applied, an unknown condition may occur.

For example, picture the following circumstance:

  • Admin role is parent to two roles: Role1 and Role2.
  • Admin denies permission to a resource.
  • Role1 does not explicitly refer to that resource, hence – it denies it implicitly.
  • Role2 explicitly allows the resource permission.

User attributes:

  • If User is attached to any one single role, its permission attributes will be the same as that of the role.
  • If User is attached to roles Admin and Role1 the permission will be denied.
  • If User is attached to Role1 & Role2, the permission would be allowed, since Role2 is the “youngest child” to refer to that resource.
  • If User is attached to roles Admin and Role2, an unknown condition occurs.
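
The example above, worked through in code as an added illustration (this is not OpenLM's implementation). It assumes "strength" is the number of inheritance steps between an attached role and the nearest explicit setting, a reading that reproduces the four outcomes listed; the role data, the use of `add_project` for the unnamed resource, and all function names are constructed for this example.

```python
from typing import Dict, List, Optional, Set, Tuple

ALLOW, DISABLE, DENY, UNKNOWN = "Allow", "Disable", "Deny", "Unknown"

# Constructed data mirroring the page's example; not exported from OpenLM.
# "add_project" stands in for the unnamed resource in the example.
PARENTS: Dict[str, List[str]] = {"Admin": [], "Role1": ["Admin"], "Role2": ["Admin"]}
EXPLICIT: Dict[str, Dict[str, str]] = {
    "Admin": {"add_project": DENY},
    "Role1": {},                      # no explicit entry: inherits Admin's Deny
    "Role2": {"add_project": ALLOW},
}


def nearest_setting(role: str, resource: str) -> Optional[Tuple[int, Set[str]]]:
    """Walk up the parent chain breadth-first and return (distance, values) for
    the closest explicit setting, or None if no ancestor sets the resource."""
    frontier, seen, distance = [role], {role}, 0
    while frontier:
        values = {EXPLICIT[r][resource] for r in frontier
                  if resource in EXPLICIT.get(r, {})}
        if values:
            return distance, values
        parents = [p for r in frontier for p in PARENTS.get(r, []) if p not in seen]
        seen.update(parents)
        frontier, distance = list(dict.fromkeys(parents)), distance + 1
    return None


def resolve(roles: List[str], resource: str,
            user_override: Optional[str] = None) -> Optional[str]:
    """Effective permission for a user attached to `roles`.

    Assumed reading of the arbitration rule: a per-user attribute beats any
    role; otherwise the setting reached in the fewest inheritance steps wins;
    contradicting settings at the same distance yield Unknown."""
    if user_override is not None:
        return user_override
    best: Optional[int] = None
    winners: Set[str] = set()
    for role in roles:
        hit = nearest_setting(role, resource)
        if hit is None:
            continue
        distance, values = hit
        if best is None or distance < best:
            best, winners = distance, set(values)
        elif distance == best:
            winners |= values
    if best is None:
        return None                   # nothing set anywhere; the page states no default
    return next(iter(winners)) if len(winners) == 1 else UNKNOWN


def find_unknown(assignments: Dict[str, List[str]],
                 resources: List[str]) -> List[Tuple[str, str]]:
    """Audit helper: list (user, resource) pairs whose outcome is Unknown."""
    return [(user, res) for user, roles in sorted(assignments.items())
            for res in resources if resolve(roles, res) == UNKNOWN]


if __name__ == "__main__":
    users = {"alice": ["Admin", "Role1"], "bob": ["Role1", "Role2"],
             "carol": ["Admin", "Role2"]}   # constructed assignments
    for name, roles in users.items():
        print(name, roles, "->", resolve(roles, "add_project"))
    print("needs review:", find_unknown(users, ["add_project"]))
```

Running `find_unknown` over every user and resource before enabling roles surfaces the combinations that would land in the unknown condition, so they can be settled with an explicit per-user or child-role setting.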

List of resources #

The following is a list of the resources that are available:

| NAME | DESCRIPTION |
|---|---|
| currently_consumed_licenses_column_close_application | Currently Consumed Licenses Panel – Permission to close applications |
| currently_consumed_licenses_column_remove_license | Currently Consumed Licenses Panel – Permission to remove licenses |
| currently_consumed_licenses_column_username | Currently Consumed Licenses Panel – Show User Name column |
| configuration_form_read | Permission to open “OpenLM Server Configuration” tool |
| configuration_form_update | Permission to make updates in the “OpenLM Server Configuration” tool |
| control_panel_menu_currently_consumed_licenses | Control Panel – Show “Currently Consumed Licenses” (under “Operational” menu) |
| control_panel_menu_change_password | Control Panel – Show “Change Password” in “Start” menu |
| control_panel_menu_denials | Control Panel – Show “Denials” (under “Reports” menu) |
| control_panel_menu_features | Control Panel – Show “Features” (under “Option Files” menu) |
| control_panel_menu_group_usage | Control Panel – Show “Group Usage” (under “Reports” menu) |
| control_panel_menu_groups | Control Panel – Show “Groups” (under “Users & Groups” menu) |
| control_panel_menu_host_groups | Control Panel – Show “Host Groups” (under “Option Files” menu) |
| control_panel_menu_ips | Control Panel – Show “IPs” (under “Option Files” menu) |
| control_panel_menu_license_activity | Control Panel – Show “License Activity” (under “Reports” menu) |
| control_panel_menu_license_usage | Control Panel – Show “License Usage” (under “Reports” menu) |
| control_panel_menu_licenses | Control Panel – Show “Licenses” (under “Management” menu) |
| control_panel_menu_logout | Control Panel – Show “Logout” in “Start” menu |
| control_panel_menu_management | Control Panel – Show “Management” (include: “Licenses”, “Licenses Not In Use”, “License Utilization”, “License Procurement”, “Audit Report” and “Active Users Report”) |
| control_panel_menu_option_files | Control Panel – Show “Options Files” (include: “IPs”, “Host Groups” and “Options Files Management”) |
| control_panel_menu_policy | Control Panel – Show “Policy” (under “Option Files” menu) |
| control_panel_menu_project_usage | Control Panel – Show “Project Usage” (under “Reports” menu) |
| control_panel_menu_released_licenses | Control Panel – Show “Released Licenses” (under “Operational” menu) |
| control_panel_menu_reports | Control Panel – Show “Reports” (include: “Project Usage”, “Group Usage”, “License Usage”, “License Activity”, “Denials”) |
| admin_panel_roles | Administration Panel – Show “Roles” |
| control_panel_menu_users | Control Panel – Show “Users” (under “Users & Groups” menu) |
| control_panel_menu_users_permissions | Control Panel – Show “Users & Groups” in “Start” menu (include: “Users”, “Groups”, “Workstations”) |
| control_panel_menu_workstations | Control Panel – Show “Workstations” (under “Users & Groups” menu) |
| control_panel_tab | Basic permission to open “OpenLM User Interface” |
| user_change_password | Permission to change other user’s password |
| control_panel_menu_administration | Permission to configure administration actions |
| add_user | Permission to add a new user |
| edit_user | Permission to edit an existing user |
| add_group | Permission to add a new group |
| edit_group | Permission to edit an existing group |
| delete_group | Permission to delete an existing group |
| view_group_members | Permission to view group members |
| add_group_members | Permission to add group members |
| remove_group_members | Permission to remove group members |
| add_role | Permission to add a new role |
| edit_role | Permission to edit an existing role |
| delete_role | Permission to delete an existing role |
| duplicate_role | Permission to duplicate an existing role |
| add_parent_role | Permission to add a parent role |
| delete_parent_role | Permission to delete a parent role |
| add_role_resource | Permission to add a resource to a role |
| delete_role_resource | Permission to delete a resource from a role |
| add_role_user | Permission to associate a user with a role |
| remove_role_user | Permission to remove a user from a role |
| add_role_group | Permission to add a group to a role |
| remove_role_group | Permission to remove a group from a role |
| control_panel_menu_project_list | Control Panel – Show “Projects List” (under “Management” menu) |
| add_project | Permission to add a project |
| delete_project | Permission to delete a project |
| edit_project | Permission to edit a project |
| add_project_members | Permission to add project members |
| add_project_groups | Permission to add project groups |
| enable_project | Permission to enable projects |
| disable_project | Permission to disable projects |
| remove_project_members | Permission to remove project members |
| remove_workstation | Permission to remove workstations |
| remove_project_groups | Permission to remove project groups |
| control_panel_menu_general_statistics | Control Panel – Show “General Statistics” (under “Widgets” menu) |
| control_panel_menu_license_servers | Control Panel – Show “License Servers” (under “Widgets” menu) |
| control_panel_menu_alerts | Control Panel – Show “Alert” (under “Widgets” menu) |
| control_panel_menu_feature_usage_status | Control Panel – Show “Feature Usage Status” (under “Widgets” menu) |
| control_panel_menu_license_procurement | Control Panel – Show “License Procurement” (under “Management” menu) |
| license_servers_administer_host | Permission to start, stop, reread servers, and reset the Broker |
| control_panel_menu_license_not_in_use | Control Panel – Show “License not in use” (under “Management” menu) |
| enable_or_disable_users | Permission to enable or disable users |
| delete_history | Permission to delete historical data |
| control_panel_menu_all_features | Control Panel – Show “All Features” (under “Option Files” menu) |
| control_panel_menu_recent_feature_denials | Control Panel – Show “Recent Feature Denials” (under “Widgets” menu) |
| control_panel_menu_license_utilization | Control Panel – Show “License Utilization” (under “Management” menu) |
| control_panel_menu_license_usage_heatmap | Control Panel – Show “License Usage Heatmap” |
| enable_or_disable_groups | Permission to enable or disable groups |
| currently_consumed_licenses_column_workstation | Currently Consumed Licenses Panel – Show Workstation column |
| license_activity_column_workstation | License Activity Panel – Show Workstation column |
| license_activity_column_username | License Activity Panel – Show User Name column |
| control_panel_menu_operational | Control Panel – Show “Operational” (include: “currently consumed licenses”, “Released licenses”) |
| control_panel_menu_widgets | Control Panel – Show “Widgets” (includes: “License Servers”, “License Usage Heat Map”, “Host Availability”, “General Statistics”, “Alerts”, “Recent Features Denials”, “Features Usage Status”, “Selected Feature Statistics”) |
| control_panel_menu_host_availability | Control Panel – Show “Host Availability” (under “Widgets” menu) |
| control_panel_menu_audit_report | Control Panel – Show “Audit Report” (under “Management” menu) |
| control_panel_menu_active_users_report | Control Panel – Show “Active Users Report” (under “Management” menu) |
| control_panel_menu_user_settings | Control Panel – Show “User Settings” in “Start” menu |
| currently_consumed_licenses_column_host_id | Currently Consumed Licenses Panel – Show Host Id column |
| currently_consumed_licenses_column_first_name | Currently Consumed Licenses Panel – Show First Name column |
| currently_consumed_licenses_column_last_name | Currently Consumed Licenses Panel – Show Last Name column |
| currently_consumed_licenses_column_phone_number | Currently Consumed Licenses Panel – Show Phone Number column |
| currently_consumed_licenses_column_email | Currently Consumed Licenses Panel – Show Email column |
| currently_consumed_licenses_column_start_time | Currently Consumed Licenses Panel – Show Start Time column |
| currently_consumed_licenses_column_ip | Currently Consumed Licenses Panel – Show IP column |
| currently_consumed_licenses_column_duration | Currently Consumed Licenses Panel – Show Duration column |
| currently_consumed_licenses_column_borrowed | Currently Consumed Licenses Panel – Show Borrowed column |
| currently_consumed_licenses_column_linger_time | Currently Consumed Licenses Panel – Show Linger Time column |
| currently_consumed_licenses_column_linger_due | Currently Consumed Licenses Panel – Show Linger Due column |
| currently_consumed_licenses_column_recent_application_idle_period | Currently Consumed Licenses Panel – Show Recent Application Idle Period column |
| currently_consumed_licenses_column_workstation_idle_time | Currently Consumed Licenses Panel – Show Workstation Idle Time column |
| currently_consumed_licenses_column_idle_times | Currently Consumed Licenses Panel – Show Idle Times column |
| license_activity_filter_workstation | Permission To Run Filter On License Activity By Workstation |
| license_activity_filter_user | Permission To Run Filter On License Activity By User |
| license_activity_column_first_name | License Activity Panel – Show First Name column |
| license_activity_column_last_name | License Activity Panel – Show Last Name column |
| license_activity_column_ip | License Activity Panel – Show IP column |
| license_activity_column_host_ids | License Activity Panel – Show Host Ids column |
| denials_filter_workstation | Permission To Run Filter On Denials By Workstation |
| denials_filter_user | Permission To Run Filter On Denials By User |
| denials_column_user_name | Denials Panel – Show User Name column |
| denials_column_first_name | Denials Panel – Show First Name column |
| denials_column_last_name | Denials Panel – Show Last Name column |
| denials_column_workstation | Denials Panel – Show Workstation column |
| add_project_members_groups | Permission to add members groups to a project |
| remove_project_members_groups | Permission to remove members groups to a project |
| view_unmanaged_processes | Permission to view unmanaged processes (under “Administration” menu) |
| edit_unmanaged_processes | Permission to edit unmanaged processes |
| license_activity_column_email | License Activity Panel – Show Email column |
| view_system_messages | Permission to view system messages |
| license_usage_filter_user | Permission to run filter on License Usage by Users |
| view_dashboard | Permission to view the Dashboard |
| view_router_monitoring | Permission to view the Router Monitoring |
| control_panel_menu_feature_usage_per_group | Control Panel – Show “Feature Usage per Group” (under “Reports” menu) |
| control_panel_menu_feature_usage_per_user | Control Panel – Show “Feature Usage per User” (under “Reports” menu) |
| license_servers_upload_license_file | Allows to upload license file in License Servers -> Files window |
| scheduling_reports_show_all | Show Scheduling Reports from all users |
| scheduling_reports_show | Using Scheduling Reports |
| denials_column_email | Denials Panel – Show Email column |
| license_servers_show_candidates | Show candidate servers in “License Servers” window |
| add_workstation | Permission to add workstations |
| view_token_flex_reports | Permission to view Token Flex reports |
| control_panel_menu_named_license_analysis | Control Panel – Show “Named License Analysis (NNU)” report (under “Reports” menu) |
| currently_consumed_licenses_filter_user | Permission to filter by Users in Currently Consumed Licenses report |
| currently_consumed_licenses_filter_workstation | Permission to filter by Workstations in Currently Consumed Licenses report |
| currently_consumed_licenses_column_group | Currently Consumed Licenses Panel – Show Group Name column |
| currently_consumed_licenses_column_project | Currently Consumed Licenses Panel – Show Project Name column |
| currently_consumed_licenses_column_vendor | Currently Consumed Licenses Panel – Show Vendor Name column |
| currently_consumed_licenses_column_server | Currently Consumed Licenses Panel – Show Server Name column |
| currently_consumed_licenses_column_feature | Currently Consumed Licenses Panel – Show Feature Name column |
| currently_consumed_licenses_column_product_name | Currently Consumed Licenses Panel – Show Product Name column |
| currently_consumed_licenses_column_version | Currently Consumed Licenses Panel – Show Version column |
| currently_consumed_licenses_column_additional_key | Currently Consumed Licenses Panel – Show Additional Key column |
| currently_consumed_licenses_column_license_type | Currently Consumed Licenses Panel – Show License Type column |
| currently_consumed_licenses_column_handle | Currently Consumed Licenses Panel – Show Handle column |
| currently_consumed_licenses_column_total_licenses | Currently Consumed Licenses Panel – Show Total Number of Licenses column |
| currently_consumed_licenses_column_consumed_tokens | Currently Consumed Licenses Panel – Show Consumed Tokens column |
| view_token_flex_released_idle_licenses | view_token_flex_released_idle_licenses |
| license_servers_admin_read | Permission to read License Server |
| license_servers_admin_update | Permission to update License Server |
| view_license_files | View License Files |
| edit_license_files | Edit License Files |
| server_OpenLM reusable tokens | Display data of server OpenLM reusable tokens over any panel in “OpenLM User Interface” |
| admin_server_OpenLM reusable tokens | License Servers Panel – Permission to Stop/Start/Reread server OpenLM reusable tokens |