Entitlement groups allow easier management of entitlements across a group of users. The entitlements that the group’s users are allowed to access are defined by the Allowed Applications list.
Users will be denied access to applications outside of that defined list unless the user is in another group that allows access (see What happens if a user is in multiple Entitlement groups?) or if there is an explicit user-level override for the application.
If the Allowed Applications list is empty, as it will be when first setting up a group, it’s assumed that the configuration is still in progress, so the empty list is not applied. This means that users in the entitlement group will not be blocked from all applications if the list is empty. It will try to apply previous configured exceptions from the old-style groups, if any exist, or apply the access setting from the country-level.
Previously, entitlement groups used an Exceptions list that could be used to override an application’s access setting at the country level. If the group did not have an exception for the application, then the country-level access setting was used.
Entitlement groups now use an explicit Allowed Applications list that defines which applications entitlement group’s users can access.
Previously configured Entitlement groups that have exceptions will continue to operate as before until the Allowed Applications list have been configured. As soon as one application is added to the Allowed Applications list, that list will define the entitlements that the group’s users are allowed to use.
To convert previously configured exceptions into the Allowed Applications list, please see How to Convert existing entitlement group exceptions into Allowed Applications
Previously set User level exceptions will not change: they will continue to take the precedence over group-level access settings.
The only way to see allowed and blocked exceptions previously set for a certain entitlement group is through the conversion dialog.
To access it:
1) Login to https://subscriptionservices.bentley.com/ with a user that has Account Admin or Co-Administrator role
2) Navigate to Entitlement/License Management (https://connect-entitlementmanagement.bentley.com/#!/Account/SubscriptionInformation) from Enterprise portal Entitlement/License Management tile or left navigation menu
3) In left navigation menu under Users and Groups icon select Allowed Access Group https://connect-entitlementmanagement.bentley.com/entitlement/groups
4) Select The entitlement group (if no groups appear, then they have not been created - Entitlement Groups are created under User Management)
5) Click on a convert button
6) A dialog opens and shows all group level exceptions that were created for this Entitlement Group.
To create a new Entitlement Group please follow the steps described in this article.
To enable changes described above, at least one application needs to be added to Allowed Applications list. Otherwise all entitlements available to the account will remain available to the group users.
You can either add allowed application or convert previously set entitlement group exceptions.
4) Click on a previously created Entitlement group name, you will see the following -
5) Start typing in the application search and a dropdown will appear
6) Select Allowed Applications tab
7) In the Search field search for an application that you want this group to HAVE access to. Select the application and click on a blue plus sign
8) Selected application appears on the list. You can repeat this to add many applications in one go.
9) Leave the option to Include Allowed Applications from the entitlement country turned off.
10) Once the group has at least one application in Allowed Applications list, all other applications are blocked for Activation Keys and Group Users associated with this group.
Follow the same steps to How to add Allowed Applications to restrict users in a group to a strict list of entitlements, but enable the option to Include Allowed Applications from the Entitlement country.
Turning on this option will provide the users in the group all of the entitlements from their Entitlements country plus any of the Allowed Applications added to the group. This will override any Denied access settings for the products that might have been set at the Default or Product level.
This is a good way to limit who can access certain products as they can be Denied for everyone else in the organization by using the Product-level or Default-level access controls and Allowed only for the users in a particular Entitlement group.
Note: it's important to keep in mind that all Allowed entitlements are additive across all of a user's Entitlement groups. If a user is in multiple Entitlement groups, that user will have access to all of the Allowed entitlements defined by all of their groups together. If the option for Include Allowed Application from the Entitlement country is turned on for one of the user's groups, even if it's off for the other groups, the user will have access to all the Allowed applications for their Entitlement country as well as all of the products in the Allowed Applications list for all of their groups.
Administrators can convert previously configured exceptions into the Allowed Applications list using the steps below. This conversion will take the exceptions configured for Allowed and add them to the Allowed Applications list. Any exceptions that were configured for Denied will not be converted as leaving them out of the Allowed Applications list will have the same effect. At the end of the conversion, all previously configured exceptions will be removed.
Note: This convert functionality only allows administrators to take the exceptions list from an Entitlement group that was previously configured in Entitlement Management and move that list into the Allowed Applications list. The Convert functionality does not support conversion of a Restricted Applications list from SELECTserver into this list in the Subscription Entitlement Service. That must be done manually.
To convert allowed group level Exceptions to Allowed Applications in a certain Entitlement group:
You can delete all previously set exceptions. This will enable entitlement group’s users access to ALL applications until an application is added to Allowed Applications list.
The same user can belong to several entitlement groups (all belonging to the same Entitlement Country). In such cases, the list of entitlements that the user is allowed to access is defined by all the groups together. In other words, applications that are available to at least one group will be available to the user.
Example: a user belongs to two groups A and B. MicroStation is in the Allowed Applications list in group A but not in group B. The user can use MicroStation.