Entitlement groups allow easier management of entitlements across a group of users. The entitlements that the group's users are allowed to access are defined by the Allowed Applications list.
Users will be denied access to applications outside of that defined list unless the user is in another group that allows access (see What happens if a user is in multiple Entitlement groups?).
If the Allowed Applications list is empty, as it will be when first setting up a group, it's assumed that the configuration is still in progress, so the empty list is not applied. This means that users in the entitlement group will not be blocked from all applications if the list is empty. It will try to apply previous configured exceptions from the old-style groups, if any exist, or apply the access setting from the country-level.
- How to create a new Entitlement Group
- How to enable Entitlement group changes
- How to add Allowed Applications to restrict users in a group to a strict list of entitlements
- How to extend a user's entitlements to include the Entitlement country entitlements plus the group's list Allowed Applications
- What happens if a user is in multiple Entitlement groups?
How to create a new Entitlement Group
To create a new Entitlement Group please follow the steps described in this article.
How to enable Entitlement group changes
To enable the changes described above, at least one application needs to be added to the Allowed Applications list. Otherwise, all entitlements available to the account will remain available to the group users.
You can either add allowed applications or convert previously set entitlement group exceptions.
How to add Allowed Applications to restrict users in a group to a strict list of entitlements
1) Login to https://subscriptionservices.bentley.com/ with a user that has an Account Admin or Co-Administrator role
2) Navigate to Entitlement/License Management (https://connect-entitlementmanagement.bentley.com/#!/Account/SubscriptionInformation) from the Enterprise portal Entitlement/License Management tile or left navigation menu
3) In the left navigation menu under the Users and Groups icon select Allowed Access Group https://connect-entitlementmanagement.bentley.com/entitlement/groups
4) Click on a previously created Entitlement group name and you will see the following:
5) Start typing in the application search and a dropdown will appear:
6) Select the Allowed Applications tab:
7) In the Search field search for an application that you want this group to HAVE access to. Select the application and click on a blue plus sign:
8) Selected application appears on the list. You can repeat this to add many applications in one go:
9) Leave the option to Include Allowed Applications from the entitlement country turned off.
10) Once the group has at least one application in the Allowed Applications list, all other applications are blocked for Activation Keys and Group Users associated with this group.
How to extend a user's entitlements to include the Entitlement country entitlements plus the group's list Allowed Applications
Follow the same steps to How to add Allowed Applications to restrict users in a group to a strict list of entitlements, but enable the option to Include Allowed Applications from the Entitlement country.
Turning on this option will provide the users in the group all of the ALLOWED entitlements (applications with default access "Denied" will not be included) from their Entitlements country plus any of the Allowed Applications explicitly added to the group. Allowed Applications added to the group will override any "Denied" access settings for the products that might have been set at the Header or Product level.
This is a good way to limit who can access certain products as they can be Denied for everyone else in the organization by using the Product-level or Default-level access controls and Allowed (by adding to the Allowed Application list) only for the users in a particular Entitlement group.
Include Allowed Applications from the Entitlement country option is also shown in the Entitlement Groups list, Allowed Applications Included column. Applications column in the same page shows the number of applications enabled for the Entitlement group. It does not add applications from Entitlement Country when such are enabled.
Note: it's important to keep in mind that all Allowed entitlements are additive across all of a user's Entitlement groups. If a user is in multiple Entitlement groups, that user will have access to all of the Allowed entitlements defined by all of their groups together. If the option for Include Allowed Application from the Entitlement country is turned on for one of the user's groups, even if it's off for the other groups, the user will have access to all the Allowed applications for their Entitlement country as well as all of the products in the Allowed Applications list for all of their groups.
What happens if a user is in multiple Entitlement groups?
The same user can belong to several entitlement groups (all belonging to the same Entitlement Country). In such cases, the list of entitlements that the user is allowed to access is defined by all the groups together. In other words, applications that are available to at least one group will be available to the user.
Example: a user belongs to two groups A and B. MicroStation is in the Allowed Applications list in group A but not in group B. The user can use MicroStation.
Other Language Sources
Managing Server Access Key access with Entitlement Group
More detailed information can be found in Bentley Communities