Access Controls Best Practices


Introduction

The Entitlement access controls available in Entitlement/License Management provide a very flexible way to manage entitlements across an organization whose users have different roles and responsibilities. This is a guide to the recommended best practices for managing entitlements. While it is difficult to give a general recommendation that fits every organization's needs, there are a couple of approaches we will describe here.

There are two common cases that organizations may need to handle:

  1. They want to limit what specific users can access to a very specific list of applications.
  2. Or they want to limit use of certain applications, possibly ones with more expensive licensing costs, to only the subset of users who are authorized to use them.

The good news is that the access controls through Entitlement/License Management can easily handle these cases. How to accomplish each is described in the following sections.

First, it will be helpful to describe entitlements and how the different levels of access control work together.

Basics of entitlements and entitlement access controls

Entitlements

In the Subscription Entitlement Service (SES), the term “Entitlement” simply refers to a user’s authorization to run a Bentley application. These entitlements are available to users at the organization based on the contractual obligations of the Commercial program the organization is participating in. As contracts are signed in specific countries, the list of entitlements is available in those countries. We refer to a country where entitlements are available as an “Entitlement country”.

Users are associated to an organization and an entitlement country through their registration in Bentley’s Identity Management System (IMS). By default, the organization’s users have access to all the Bentley applications entitled to that organization in their Entitlement country.

Entitlement Access Controls

Access controls are available to the organization’s license administrator to help control which products users should have access to. Access can be controlled at multiple levels. 

  1. Default access settings for all applications in an Entitlement country
  2. Application-level access settings for an entitlement country
  3. Entitlement group access settings
  4. User-level access settings.

When a user requests an entitlement to run an application, SES assesses the access settings from the user level moving up the hierarchy until there is an access setting found that applies to the user. If there is an access setting for the application for that specific user at the User level, that will be the access setting used. If not, SES will look for any group that the user is associated with that includes an access control setting for the application in question.

The access settings are inherited down the hierarchy and are assessed from the bottom (user level) to the top (organization level) to find the application access setting that applies to the user. The following illustration should help explain the concept.

More about Entitlement groups

Entitlement groups are created and managed in User Management. 

For more information on how to create and manage Entitlement groups, please see Create and Manage Entitlement Groups.

It's important to note that users can be in multiple Entitlement groups. In such cases, a user's entitlements are cumulative across all of their groups: if the user is allowed to use an application because of the settings in any one of their groups, then they are allowed to use the application.

Referring back to the illustration of the access control hierarchy, it's also worth pointing out the difference in behavior between an Entitlement group that is restricted to a specific set of products and one that is not restricted. An unrestricted group includes all of the applications marked as Allowed for use in the Entitlement country plus the list defined in the group's Allowed Applications list. This difference in behavior is controlled by the "Include Allowed Applications from <Entitlement country>" option in the Entitlement group.

By default, Entitlement groups are configured as Restricted groups with the Allowed Applications list defining all the applications that the group’s users have access to.

Recommendations for Common Cases

Now, we’ll move on to the recommendations for the common cases mentioned in the Introduction.

Limit specific users to a strict list of applications

In this case, the requirement is to limit certain users to a specific set of applications while others within the organization have access to all applications.  This might be common if certain offices within the organization or certain contractors only need access to specific products.

The best approach for this case is to create an Entitlement group that includes those users and define the list of Allowed Applications that the group has access to.

Step 1: Create an Entitlement group and assign users

To create an entitlement group, navigate to User Management\Groups and choose Add Group.

Please see Managing Groups for more information.

Step 2: Configure entitlements

Navigate to Entitlement Management\Entitlement Groups.

Find your new Entitlement group in the list and click on its name to manage the group entitlements.

In the Allowed Applications tab, search for and add each product that the group’s users should have access to.

Make sure that the option for “Include Allowed Applications from <Entitlement country>” remains disabled. 

A couple of things to note about this approach using Entitlement groups:

  1. Any user-level access settings configured for the users will override any group setting. If you know that none of the group’s users have user-level access control settings, then this shouldn’t be an issue.

If you're unsure, it would be best to double check that the users don't have user-level overrides for any products they should not have access to. To check that, go to Entitlement Management\Access and Alerting and search for each of the group's applications. For each application, click on General Access and look in the Exceptions section. If any of the group's users have a user-level override for a product they should not have access to, remove that exception.

  2. Access control settings will only take effect when users update their local policy file. If any of the group's users had previously requested an entitlement to the application, then their local policy file may keep that valid entitlement for some amount of time.

Before these users are restricted from any product that is not allowed in the Entitlement group, they need to have an updated policy file. This will happen automatically within 4 hours if users are signed into CONNECTION Client. An update can also be initiated manually by opening the Bentley Licensing Tool and going to Tools\Refresh Policy.

Limit use of certain applications to only the subset of users who are authorized to use them

In this case, the requirement is to allow access to certain products only for a smaller group of users within the organization. These users should have access to everything else that is allowed for use from the Entitlement country, in addition to the applications being controlled.

Step 1: Create Entitlement group and assign users

To create an entitlement group, navigate to User Management\Groups and choose Add Group.

Please see Managing Groups for more information.

Step 2: Configure group entitlements

Navigate to Entitlement Management\Entitlement Groups.

Find your new Entitlement group in the list and click on its name to manage the group entitlements.

In the Allowed Applications tab, search for and add each product that the group’s users should have access to.

Turn on the option for "Include Allowed Applications from <Entitlement country>".

Step 3: Disable access for the applications for everyone else

Navigate to Entitlement Management\Access and Alerting.

Note: Make sure you've chosen the Entitlement country you're trying to edit.

Filter the list of Applications to find each application that was added to the Entitlement group.

Click on General Access.

Change the access setting for the application to Denied.
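The access control hierarchy described under Entitlement Access Controls, and the two recommended configurations above, modelled as an added Python example; this is not Bentley's code or the actual SES implementation. The user names and application names are constructed, and the rule that a group member's access is decided entirely by their groups (never falling through to the application-level setting) is an assumption made here.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    members: set
    allowed: set                   # the group's Allowed Applications list
    include_country: bool = False  # "Include Allowed Applications from <Entitlement country>"

@dataclass
class Country:
    default_allowed: bool = True                      # default access for all applications
    app_settings: dict = field(default_factory=dict)  # app -> True (Allowed) / False (Denied)

def resolve(app, user, groups, country, user_settings):
    """Walk the hierarchy bottom-up and return (allowed, level that decided)."""
    # 1. A user-level setting overrides every other level.
    if app in user_settings.get(user, {}):
        return user_settings[user][app], "user"
    # 2. Entitlement groups are cumulative: allowed if any group allows the app.
    #    Assumption: a group member's access is decided by the groups alone.
    member_of = [g for g in groups if user in g.members]
    if member_of:
        country_allows = country.app_settings.get(app, country.default_allowed)
        for g in member_of:
            if app in g.allowed or (g.include_country and country_allows):
                return True, "group:" + g.name
        return False, "group"
    # 3./4. Application-level setting for the country, else the country default.
    if app in country.app_settings:
        return country.app_settings[app], "application"
    return country.default_allowed, "country-default"

def recommended_cases():
    """Both recommended configurations, with constructed users and application names."""
    country = Country(default_allowed=True)
    # Case 1: contractors limited to a strict list (restricted group, option left off).
    contractors = Group("Contractors", {"alice"}, {"AppA"}, include_country=False)
    # Case 2: PremiumApp only for an authorized subset; the group keeps the
    # country's allowed apps, and Step 3 sets PremiumApp to Denied for everyone else.
    analysts = Group("Analysts", {"bob"}, {"PremiumApp"}, include_country=True)
    country.app_settings["PremiumApp"] = False
    groups = [contractors, analysts]
    # A stale user-level exception: this is what the page says to look for and remove.
    user_settings = {"alice": {"AppC": True}}
    checks = [("alice", "AppA"), ("alice", "AppB"), ("alice", "AppC"),
              ("bob", "PremiumApp"), ("bob", "AppB"),
              ("carol", "PremiumApp"), ("carol", "AppB")]
    return {f"{u}/{a}": resolve(a, u, groups, country, user_settings) for u, a in checks}
```

Note that alice/AppC comes out Allowed purely because of the user-level exception, which is exactly the override the first note above tells you to check for.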
