Application Note 2006 : OpenLM Roles and Permission Groups based security

General

OpenLM provides tools for monitoring a variety of concurrent license servers (e.g.: Flexera FlexLM (Flexnet publisher), Beta LM, IBM LUM, DSLS, Sentinel HASP, Sentinel RMS, Reprise RLM, MathLM, Easycopy, and LM-X) over WAN or LAN.

The OpenLM Server supports a role-based security feature that enables system administrators to implement customized access to OpenLM tools by setting access roles. This feature facilitates the implementation of OpenLM tools for diverse groups like help desk, system administrators, managers and developers. The role based security system secures nearly all the resources of the OpenLM system’s entities, such as listed servers, fields and action buttons.

Permissions and roles

Permitting a Resource is the act of granting a certain accessibility level to that resource. Each permission is attached to a specific Resource, granting it a permission attribute. Permission attributes may hold either one of the following values:

  • Allow: The resource is accessible for a user or a user group.

  • Disable: The resource is visible but not accessible for a user or a user group.

  • Deny: The resource is neither visible nor accessible to a user or a user group.

A set of such Resource permissions is referred to as a role. Roles are attributed to certain groups of users in a company, each group having different accessibility options to OpenLM’s resources.

Roles’ implementation may be set on, enabling the differentiation of users and groups according to permission levels, or turned off altogether, thus granting all users and user groups full accessibility to all the system’s resources.

Handling of roles and permissions is easily done by system administrators on the EasyAdmin administrative interface of the OpenLM system.

Role inheritance

Permission groups possess an inheritance property. This property facilitates the application of similar permission schemes to different groups. Thus new groups may be easily created  with only slight differences between their permission schemes.

Creating a new role

In order to create a new role go through the following steps:

1. Click the ‘Start’ button on the EasyAdmin control panel. Select the “Users & Permissions” → “Roles” tab. The “Roles” dialog window appears.

2. Press the “Add” button.

3. Type in the role name and description (e.g. “HelpDesk”). Click the “Save” icon. Note that the new role name will be saved in lower-case format (i.e. “helpdesk”).

Adding resources to a role

Adding resources to the newly created role may be done in either one of two methods. The 1st is by manually selecting Resources and attaching them to the new role:

1. In the “Roles” window, Select the required role, e.g.: “helpdesk”. Click the “Edit” icon. The “Role Details for helpdesk” window appears (Similar to the “Roles” dialog window depicted above).

2. Select the Resources tab, and click the green “Add” button. The “Resources Search” dialog box appears. Note that each line in this table contains a Resource name and description, easing the linkage between a registry in the table and its actual function in the OpenLM system.

3. Select a resource (e.g. the control_panel_menu_policy), and click the green “Select” button. The “Role Details” window’s “Resources” tab now appears with the newly attached “control_panel_menu_policy” resource.

Another option for adding Resource Permissions to the new role is by employing the inheritance property:

1. In the “Role Details for helpdesk” dialog window, select the “Parent Roles” tab and click the green “Add” icon. The roles search dialog window appears.

2. Select the role that would serve as the parent of the newly created “helpdesk” role, e.g. “admin_role” in the image above, and click the green select button. Note that the “admin_role” is the default basic role, and is always apparent for serving as a parent role. The new “helpdesk” role now possesses all the permission attributes of the parent “admin_role”.

In order to add a user to the users list, go through the following steps:

3. Click the ‘Start’ button on the EasyAdmin control panel. Select the “Users & Permissions” → “Users” tab. The Users window appears.

4. Click the “Add User” button. The “User details” form appears. Fill in the appropriate information items, check the “Enabled” box and click “Save“ as depicted below.

The new user’s information is presented attached to the Username on the “Users” window.

Adding a user to a group

In order to add a user to a group, follow this procedure:

1. Click the ‘Start’ button on the EasyAdmin control panel. Select the “Users & Permissions” → “Groups” tab. The “Groups” window appears.

2. Select a group from the “Groups” window (e.g. “GroupName”), and click the “Members” icon in order to view the members of the selected group. The “Users in “GroupName” window appears.

3. Click the green “Add” icon, in order to add further users to GroupName ’s list of users.

Assigning roles to a user or group of users

After establishing a new role of permissions and introducing a new user or group of users, it is now possible to attach this role to the users, in order to assign the role permission set to these users:

1. Click the ‘Start’ button on the EasyAdmin control panel. Select the “Users & Permissions” → “Roles” tab. The “Roles” dialog window appears.

2. Select the new role (e.g. “helpdesk”), and click the “Edit” button. The “Role details for helpdesk” dialog window appears.

3. Click the “Users” or “Groups” icon on the bottom of the window. The appropriate window (i.e. the “Users in helpdesk” or “Groups for Role”) appears.

4. Click the green “Add” icon. The appropriate window (“User search” or “Groups Search”) appears. select the required instance of user or group, and click the green “Select” icon. The added user or Group instance has been added to the role, and may be seen there in the “Users in helpdesk” or “Groups in helpdesk” window.

Changing a Resource’s permission attribute

In order to change a Resource’s permission attribute, e.g. to disable accessibility to this Resource by a certain role, follow this procedure:

Click the ‘Start’ button on the EasyAdmin control panel. Select the “Users & Permissions” tab. Observe the “Workstations” tab. In this example – this would be the affected Resource.

1. Click the ‘Start’ button on the EasyAdmin control panel. Select the “Users & Permissions” → “Roles” tab. The “Roles” dialog window appears.

2. Select a specific role, e.g. “admin_role”. Click the Edit button. The “Role details for admin_role” dialog window appears.

3. Select a resource, e.g. “control_panel_menu_workstations” as depicted. Hover over the permission attribute of that Resource. A drop-down list appears. Click the drop down list, and select the required permission attribute value, e.g.: Disable.

4. Click the save icon, close and reopen the OpenLM EasyAdmin UI.

5. Click the ‘Start’ button on the EasyAdmin control panel. Select the “Users & Permissions” tab. Observe the LACK of the “Workstations” tab. It has been removed from the admin_role view.

Server Resource visibility:

If the permission of a Resource entry which name starts with the word “server_*” is disabled or denied, the respective user groups are now unable to view items on that server. Moreover, that server would become omitted from the OpenLM Agent’s “License usage information” window.

Creating an administrative account with full permissions:

The following is an administrator Frequently Asked Question: “Why is all license usage information on the Agent blocked whenever an admin account is created in the OpenLM Server Configuration window?“ The answer is that when permissions are enabled, users need to be assigned a set of permissions that would allow them to view license servers’ details. In order to achieve this, please follow this action list:

1. Preliminary step: Create the required admin account on the OpenLM Server Configuration window: This can be done by unchecking, and then rechecking the “Enable permissions” highlighted checkbox. A small dialog box subsequently appears, requiring a name & password for the new user.

2. Create a role: Login to EasyAdmin with the “admin” account. follow the steps described in the “Creating a new role” section above.

3. Assign resources to the new role: After you save the new role, the “Resources” tab will become enabled. Navigate to that tab. Note that it is assigned with one default resource. Now you need to add all resources that have this name pattern “server_servername” e.g. server_srv1 (where srv1 is the name of the server that you will grant access to). In order to do so, Follow the description in section “Adding resources to a role” above.

4. Assign the new role to the “admin” user: In order to do so, Follow the description in the section “Assigning roles to a user or group of users” above.

Permission arbitration

Using the permissions tool, it is possible to grant resource permissions to single users independently. Also, as stated above, permissions may be inherited from parent roles. If one method grants permission and the other denies is, a mismatch condition may be present. in this case – an arbitration procedure is executed; The closest entity to a single user, i.e. a permission attribute granted to an individual user, or to the “youngest child” of an inherited attribute is the most “powerful”. If two contradicting attributes of the same strength are applied: an unknown condition may occur.

For example, picture the following constellation:

  • Admin role is parent to two roles: Role1 and Role2.

  • Admin denies permission to a resource.

  • Role1 does not explicitly refer to that resource, hence – it denies it implicitly.

  • Role2 explicitly allows the resource permission.

User attributes:

  • If User is attached to any one single role, its permission attributes will be the same as that of the role.

  • If User is attached to roles Admin and Role1 the permission will be denied.

  • If User is attached to Role1 & Role2, the permission would be allowed, since Role2 is the “youngest child” to infer to that resource.

  • If User is attached to roles Admin and Role2, an unknown condition occurs.

Please follow and like us: