Roles and Permission Groups based security – KB4006
This document describes the OpenLM Roles and Permission Groups feature, and serves as a reference guide to system administrators who seek intricate grouping and permission granting over their OpenLM managed licensing control system.
The OpenLM Server supports a role-based security feature that enables system administrators to implement customized access to OpenLM tools by setting access roles. This feature facilitates the implementation of OpenLM tools for diverse groups, such as help desk, system administrators, managers and developers. The role-based security system secures nearly all the resources of the OpenLM system’s entities, such as listed servers, fields and action buttons.
Permitting a Resource is the act of granting a certain accessibility level to that resource. Each permission is attached to a specific Resource, granting it a permission attribute. Permission attributes may hold either one of the following values:
- Allow: The resource is accessible for a user or a user group.
- Disable: The resource is visible but not accessible for a user or a user group.
- Deny: The resource is neither visible nor accessible to a user or a user group.
A set of such Resource permissions is referred to as a role. Roles are attributed to certain groups of function holders in a company, each group having different accessibility options to OpenLM’s resources.
The roles implementation may be turned on, which differentiates users and groups according to permission levels, or turned off altogether, which grants all users and user groups full accessibility to all the system’s resources.
Handling of roles and permissions is easily done by system administrators on the EasyAdmin administrative interface of the OpenLM system. The intuitive EasyAdmin control panel incorporates all the options required to configure the roles and permission groups according to administration requirements.
Permission groups possess an inheritance property. This property facilitates the application of similar permission schemes to different groups. By doing so, different groups may be easily created with only slight differences between their permission schemes.
The characteristics of the roles and permissions feature have evolved over time, through constant feedback from OpenLM’s dependable customers, and are continuing to evolve according to common requests. For this reason OpenLM encourages its customers to send back their feedback and specific required features.
In order to create a new role, go through the following steps:
1. First, your organization’s SMTP server has to be configured. Simply open up the OpenLM User Interface –> Click Start –> Select Administration –> Click on Email/SMS –> Fill in your organization’s SMTP Server details –> Send Test Email –> Save.
3. Open the EasyAdmin web application, and log in with the Administrator’s name and password.
4. Click the Start button on the EasyAdmin control panel. Select Administration → Roles tab. The Administration-Roles window appears, with some predefined default roles and their description.
5. Click the Add icon, to add a role. The Role Details dialog window appears.
6. Type in the role name and description (e.g. “HelpDesk” and “Help Desk Team” as they appear respectively in the image above). Click Save. Note that the new role name would be saved in lower-case format (i.e. “helpdesk”).
Adding resources to the newly created role may be done in either one of two methods. The 1st is by manually selecting Resources and attaching them to the new role:
1. In the Roles window, select the required role, e.g.: “helpdesk”. Click the “Edit” icon. The “Role Details for helpdesk” window appears (similar to the “Role Details” dialog window depicted above). Note that the default predefined roles may not be edited.
2. Select the Resources tab, and click the Add button. The “Resources Search” dialog box appears. Note that each line in this table contains a Resource name and description, easing the linkage between a registry in the table and its actual function in the OpenLM system.
3. Select a resource (e.g. the add_project as marked above), and click the Select button. The “Role Details” window’s Resources tab now appears with the newly attached “add_project” resource.
4. Select the Resources tab and click on any line while under the Permission heading. The drop-down functionality is engaged and the user may now select a permission attribute for a resource per user.
The second method is to inherit resources from a parent role:
1. In the “Role Details for helpdesk” dialog window, select the “Parent Roles” tab and click the Add icon. The Roles search dialog window appears.
2. Select the role that would serve as the parent of the newly created “helpdesk” role, e.g. “admin_role” in the image above, and click the Select button. Note that the “admin_role” is the default basic role, and is always available to serve as a parent role. The new “helpdesk” role now possesses all the permission attributes of the parent “admin_role”.
In order to assign roles to users, we should first make sure such users exist in the OpenLM database. The list of users is shown in the EasyAdmin ‘Start’ → “Users & Permissions” → “Users” tab.
Users can be added to the OpenLM database in a number of ways:
1. By synchronizing the OpenLM database with the organization’s Active Directory. See these Application notes for more information:
2. Through monitoring of license usage.
3. By reading the FlexLM License file (See the OpenLM Broker Comprehensive Installation Guide)
5. Manually created, as described below.
Only users who have been introduced into the OpenLM Database via the last option (Manually created) are assigned an EasyAdmin login password in the process. Other users need to be assigned login passwords in order to access EasyAdmin. In order to do so:
- Login as an administrator,
- In the EasyAdmin Start → Users and Permissions → Users window, select the user name, and click “Change password”
- Assign a login password to the user.
In order to manually create a new user entry in EasyAdmin, go through the following steps:
1. Follow this path: EasyAdmin Start → Users & Groups → Users tab. The Users window appears.
2. Click the Add User button. The User details form appears. Fill in the appropriate information items, check the Enabled box and click Save as depicted below.
Note that the new user, Mr. Winston Churchill, has been assigned an EasyAdmin login password in the process of introduction. The new user’s information is presented attached to the Username on the Users window:
Users can be made members of a group by either:
1. Synchronizing the OpenLM database with the organization’s Active Directory. See these documents for more information:
2. Manually, as described below:
a. Follow this path: EasyAdmin Start→ Users & Groups → Groups. The Groups window appears.
b. Select a group from the Group window (e.g. “GroupName”), and click the Members icon in order to view the members of the selected group. The Users in Group Name window appears.
c. Click the Add icon, in order to add further users to Group Name’s list of users.
After establishing a new role of permissions and introducing a new user or group of users, it is now possible to attach this role to the users, in order to assign the role’s permission set to these users.
In order to do so:
1. Follow this path: EasyAdmin Start → Administration → Roles.
2. Select the new role (e.g. “helpdesk”). The “Role details for help desk” dialog window appears.
3. Click the Users or Groups buttons on the bottom of the window. The appropriate window (i.e. the Users in helpdesk or Groups in help desk) appears.
4. Click the Add icon. The appropriate window (User search or Groups) appears. Select the required instance of user or group, and click the Select icon. The added user or Group instance has been added to the role, and may be seen there in the Users in help desk or Groups in help desk window.
In order to change a Resource’s permission attribute, e.g. to disable accessibility to this Resource by a certain role, follow this procedure:
1. Follow this path: EasyAdmin Start –> Users and Groups –> Workstations. In this example – this would be the affected Resource.
2. Follow this path: EasyAdmin Start –> Administration –> “Roles” tab.
3. Select a specific role, e.g. “helpdesk”. Click the Edit button. The Role details for helpdesk dialog window appears.
4. Select the Resources tab and click the Add icon.
5. Select a resource, e.g. “control_panel_menu_workstations” as depicted, and click Select. The control_panel_menu_workstations resource is added to the Role details for helpdesk dialog window.
6. Click on the Permission attribute of that Resource. A drop-down list appears. Click the drop-down list, and select the required permission attribute value, e.g.: Disable.
7. Click the Save icon, close and reopen the OpenLM EasyAdmin UI.
8. Click the Start button on the EasyAdmin control panel. Select the Users & Groups tab. Notice that Workstation is no longer visible. It has been removed from the admin_role view.
If the permission of a Resource entry whose name starts with “server_*” is disabled or denied, the respective user groups become unable to view items on that server. Moreover, that server is omitted from the OpenLM Agent’s “License usage information” window.
The following is an administrator Frequently Asked Question: “Why is all license usage information on the Agent blocked whenever an admin account is created in the OpenLM Server Configuration window?“ The answer is that when permissions are enabled, users need to be assigned a set of permissions that would allow them to view license servers’ details. In order to achieve this, please follow this action list:
1. Uncheck, and then recheck the Require Login Credentials checkbox. Follow the Creating a new role section above.
2. Assign resources to the new role: After you save the new role, the Resources tab will become enabled. Navigate to that tab. Note that it is assigned with one default resource. Now you need to add all resources that have the name pattern “server_servername”, e.g. server_srv1 (where srv1 is the name of the server that you will grant access to). In order to do so, follow the description in section Adding resources to a role above.
3. Assign the new role to the admin user: In order to do so, follow the description in section Assigning roles to a user or group of users above.
Using the permissions tool, it is possible to grant resource permissions to single users independently. Also, as stated above, permissions may be inherited from parent roles. If one method grants permission and the other denies it, a mismatch condition may be present. In this case an arbitration procedure is executed: the entity closest to the single user prevails, i.e. a permission attribute granted to an individual user, or the “youngest child” of an inherited attribute, is the most “powerful”. If two contradicting attributes of the same strength are applied, an unknown condition may occur.
For example, picture the following circumstance:
- Admin role is parent to two roles: Role1 and Role2.
- Admin denies permission to a resource.
- Role1 does not explicitly refer to that resource, hence – it denies it implicitly.
- Role2 explicitly allows the resource permission.
- If User is attached to any one single role, its permission attributes will be the same as that of the role.
- If User is attached to roles Admin and Role1 the permission will be denied.
- If User is attached to Role1 & Role2, the permission would be allowed, since Role2 is the “youngest child” to refer to that resource.
- If User is attached to roles Admin and Role2, an unknown condition occurs.
Please see the example below:
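The arbitration rule described above can be modelled in a few lines to audit a role layout for “unknown” outcomes before it is deployed. This is an added example, not OpenLM code and not part of the original page; the lower-case role names, the data structures and the function names are assumptions, and the `None` result for a resource that no role mentions is a case the page does not cover.

```python
ALLOW, DISABLE, DENY = "Allow", "Disable", "Deny"
UNKNOWN = "Unknown"  # contradicting attributes of equal strength

# Constructed sample data mirroring the page's Admin / Role1 / Role2 example.
PARENTS = {"admin": [], "role1": ["admin"], "role2": ["admin"]}
EXPLICIT = {"admin": {"server_srv1": DENY}, "role1": {},
            "role2": {"server_srv1": ALLOW}}


def nearest_settings(role, resource, parents, explicit):
    """Walk up the parent chain level by level; return (distance, values) for
    the closest explicit settings of `resource`, or None if nothing is set."""
    seen, frontier, dist = {role}, [role], 0
    while frontier:
        found = {explicit[r][resource] for r in frontier
                 if resource in explicit.get(r, {})}
        if found:
            return dist, found
        nxt = []
        for r in frontier:
            for p in parents.get(r, []):
                if p not in seen:
                    seen.add(p)
                    nxt.append(p)
        frontier, dist = nxt, dist + 1
    return None


def resolve(user_roles, resource, parents=PARENTS, explicit=EXPLICIT,
            user_override=None):
    """Effective permission: a per-user attribute wins, then the setting
    closest to the user; a tie between different values is Unknown."""
    if user_override is not None:
        return user_override
    hits = [h for h in (nearest_settings(r, resource, parents, explicit)
                        for r in user_roles) if h]
    if not hits:
        return None  # assumption: the page does not define this case
    best = min(d for d, _ in hits)
    values = set().union(*(v for d, v in hits if d == best))
    return values.pop() if len(values) == 1 else UNKNOWN


def audit(assignments, resources, **kw):
    """Return (user, resource) pairs whose effective permission is Unknown."""
    return [(user, res) for user, roles in sorted(assignments.items())
            for res in resources if resolve(roles, res, **kw) == UNKNOWN]
```

Running `audit` over every user-to-role assignment and every `server_*` resource flags the combinations that need an explicit per-user attribute or a changed role membership.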
A ‘Guest’ user role may also be defined. This user will not require a password in order to login, and will normally be granted limited permissions.
In order to do so:
- Click the ‘Start’ –> Administration button, and select the ‘Roles’ icon
- Check the “Enable guest account” box.
- Assign resources to the “Guest_role” role.
On the next EasyAdmin login the user will be handed the option to log in as a guest, without the need to type in a password.
List of resources
The following is a list of resources that are available beginning with OpenLM version 3.0.0.*
- add_group: Permission to add a new group
- add_group_members: Permission to add group members
- add_parent_role: Permission to add a parent role
- add_project: Permission to add a project
- add_project_groups: Permission to add project groups
- add_project_members: Permission to add members to a project
- add_project_members_groups: Permission to add members groups to a project
- add_role: Permission to add a new role
- add_role_group: Permission to add a group to a role
- add_role_resource: Permission to add a resource to a role
- add_role_user: Permission to associate a user with a role
- add_user: Permission to add a new user
- admin_panel_roles: Administrative Panel – Show “Roles”
- configuration_form_read: Permission to open “OpenLM Server Configuration” tool
- configuration_form_update: Permission to make updates in the “OpenLM Server Configuration” tool
- control_panel_menu_administration: Permission to configure administration actions
- control_panel_menu_alerts: Control Panel – Show “Alert” (under “Widgets” menu)
- control_panel_menu_all_features: Control Panel – Show “All Features” (under “Option Files” menu)
- control_panel_menu_audit_report: Control Panel – Show “Audit Report” (under “Management” menu)
- control_panel_menu_change_password: Control Panel – Show “Change Password” in “Start” menu
- control_panel_menu_currently_consumed_licenses: Control Panel – Show “Currently Consumed Licenses” (under “Operational” menu)
- control_panel_menu_denials: Control Panel – Show “Denials” (under “Reports” menu)
- control_panel_menu_feature_usage_status: Control Panel – Show “Feature Usage Status” (under “Wi