
    Access Controls Best Practices

    Introduction

    The Entitlement access controls available in Entitlement/License Management provide a very flexible way to manage entitlements across an organization whose users have different roles and responsibilities. This is a guide to the recommended best practices for managing entitlements. While it’s difficult to give a general recommendation that will fit every organization’s needs, there are a couple of approaches we will describe here.

    There are two common cases that organizations may need to handle:

    1. They want to limit what specific users can access to a very specific list of applications.
    2. Or they want to limit use of certain applications, possibly ones with more expensive licensing costs, to only the subset of users who are authorized to use them.

    The good news is that the access controls through Entitlement/License Management can easily handle these cases. How to accomplish each is described in the following sections.

    First, it will be helpful to describe entitlements and how the different levels of access control work together.

    Basics of entitlements and entitlement access controls

    • Entitlements
    • Entitlement Access Controls
    • More about Entitlement groups

    Recommendations for Common Cases

    • Limit specific users to a strict list of applications
    • Limit use of certain applications to only the subset of users who are authorized to use them

    Basics of entitlements and entitlement access controls

    Entitlements

    In the Subscription Entitlement Service (SES), the term “Entitlement” simply refers to a user’s authorization to run a Bentley application. These entitlements are available to users at the organization based on the contractual obligations of the Commercial program the organization is participating in. As contracts are signed in specific countries, the list of entitlements is available in those countries. We refer to a country where entitlements are available as an “Entitlement country”.

    Users are associated with an organization and an entitlement country through their registration in Bentley’s Identity Management System (IMS). By default, the organization’s users have access to all the Bentley applications entitled to that organization in their Entitlement country.

    Entitlement Access Controls

    Access controls are available to the organization’s license administrator to help control which products users should have access to. Access can be controlled at multiple levels. 

    1. Default access settings for all applications in an Entitlement country
    2. Application-level access settings for an entitlement country
    3. Entitlement group access settings
    4. User-level access settings.

    When a user requests an entitlement to run an application, SES assesses the access settings from the user level moving up the hierarchy until there is an access setting found that applies to the user. If there is an access setting for the application for that specific user at the User level, that will be the access setting used. If not, SES will look for any group that the user is associated with that includes an access control setting for the application in question.

    The access settings are inherited down the hierarchy and are assessed from the bottom (user level) to the top (organization level) to find the application access setting that applies to the user. The following should help illustrate the concept.

    More about Entitlement groups

    Entitlement groups are created and managed in User Management. 

    For more information on how to create and manage Entitlement Groups, please see Create and Manage Entitlement Groups.

    It’s important to note that users can be in multiple Entitlement groups.  In such cases, a user’s entitlements are considered cumulative across all of their groups, so if the user is allowed to use an application because of settings in any one of their groups, then they are allowed to use the application.

    Referring back to the illustration of Access control hierarchy, it’s also worth pointing out the difference in behavior for an Entitlement group that is restricted to a specific set of products versus one that is not restricted, meaning it includes all of the applications marked as Allowed for use in the Entitlement country plus the list defined in the Allowed Application list in the group.  This difference in behavior is enabled with the “Include Allowed Applications from <Entitlement country>” option in the Entitlement group.

    By default, Entitlement groups are configured as Restricted groups with the Allowed Applications list defining all the applications that the group’s users have access to.

    Recommendations for Common Cases

    Now, we’ll move on to the recommendations for the common cases mentioned in the Introduction.

    Limit specific users to a strict list of applications

    In this case, the requirement is to limit certain users to a specific set of applications while others within the organization have access to all applications.  This might be common if certain offices within the organization or certain contractors only need access to specific products.

    The best approach for this case is to create an Entitlement group that includes those users and define the list of Allowed Applications that the group has access to.

    Step 1: Create an Entitlement group and assign users

    To create an entitlement group, navigate to User Management\Groups and choose Add Group.

    Please see Managing Groups for more information.

    Step 2: Configure entitlements

    Navigate to Entitlement Management\Entitlement Groups.

    Find your new Entitlement group in the list and click on its name to manage the group entitlements.

    In the Allowed Applications tab, search for and add each product that the group’s users should have access to.

    Make sure that the option for “Include Allowed Applications from <Entitlement country>” remains disabled. 

    A couple of things to note about this approach using Entitlement groups:

    1. Any user-level access settings configured for the users will override any group setting. If you know that none of the group’s users have user-level access control settings, then this shouldn’t be an issue.

    If you’re unsure, it would be best to double check that the users don’t have specific user-level overrides to any products they should not have access to. To check that, go to Entitlement Management \ Access and Alerting and search for each of the group’s applications. For each application click on General Access and look in the Exceptions section.  If any of the group’s users have a user-level override to a product they should not have access to, then remove that exception.

    2. Access control settings will only take effect when users update their local policy file. If any of the group’s users had previously requested an entitlement to the application, then their local policy file may keep that valid entitlement for some amount of time.

    Before these users would be restricted from any product that’s not allowed in the Entitlement group, users need to have an updated policy file.  This will happen automatically within 4 hours if users are signed into CONNECTION Client.  An update can also be manually initiated by opening the Bentley Licensing Tool and going to Tools\Refresh Policy.

    Limit use of certain applications to only the subset of users who are authorized to use them

    In this case, the requirement is to allow access to certain products only for a smaller group of users within the organization. These users should have access to everything else that is allowed for use from the Entitlement country in addition to the applications being controlled.

    Step 1: Create Entitlement group and assign users

    To create an entitlement group, navigate to User Management\Groups and choose Add Group.

    Please see Managing Groups for more information.

    Step 2: Configure group entitlements

    Navigate to Entitlement Management\Entitlement Groups.

    Find your new Entitlement group in the list and click on its name to manage the group entitlements.

    In the Allowed Applications tab, search for and add each product that the group’s users should have access to.

    Turn on the option for “Include Allowed Applications from <Entitlement country>”.

    Step 3: Disable access for the applications for everyone else

    Navigate to Entitlement Management\Access and Alerting.

    Note: Make sure you've chosen the Entitlement country you're trying to edit.

    Filter the list of Applications to find each application that was added to the Entitlement group.

    Click on General Access.

    Change the access setting for the application to Denied.
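
    The access hierarchy and both recommended configurations described above, modeled in Python as an added example; it is not Bentley's code or the SES implementation. All class, field, user, group and application names are hypothetical, and the model assumes that a user whose groups are all Restricted is denied any application outside those groups' Allowed Applications lists.

```python
from dataclasses import dataclass, field
ALLOWED, DENIED = "Allowed", "Denied"

@dataclass
class Group:
    allowed_apps: set
    include_country_allowed: bool = False   # off = Restricted group (the default)

@dataclass
class Country:
    """Hypothetical model of one Entitlement country's access settings."""
    default: str = ALLOWED                            # level 1
    app_access: dict = field(default_factory=dict)    # level 2: app -> setting
    groups: dict = field(default_factory=dict)        # level 3: name -> Group
    memberships: dict = field(default_factory=dict)   # user -> set of group names
    user_access: dict = field(default_factory=dict)   # level 4: (user, app) -> setting

    def country_setting(self, app):
        return self.app_access.get(app, self.default)

    def resolve(self, user, app):
        """Return (decision, deciding level), assessed from user level upward."""
        if (user, app) in self.user_access:
            return self.user_access[(user, app)], "user"
        names = self.memberships.get(user, set())
        for name in sorted(names):                    # cumulative: any group may allow
            g = self.groups[name]
            inherits = g.include_country_allowed and self.country_setting(app) == ALLOWED
            if app in g.allowed_apps or inherits:
                return ALLOWED, "group:" + name
        if names:                                     # no group of the user allows it
            return DENIED, "group"
        return self.country_setting(app), "country"

    def overrides_outside_group(self, name):
        """User-level Allowed exceptions for members, outside the group's list."""
        g = self.groups[name]
        return sorted((u, a) for (u, a), s in self.user_access.items()
                      if s == ALLOWED and a not in g.allowed_apps
                      and name in self.memberships.get(u, set()))

def sample_country():
    """Constructed data: placeholder users, groups and application names."""
    return Country(
        app_access={"CostlyApp": DENIED},             # second case, step 3
        groups={"office": Group({"AppA", "AppB"}),    # first case: Restricted group
                "experts": Group({"CostlyApp"}, True)},   # second case: option on
        memberships={"carol": {"office"}, "dave": {"experts"}, "erin": {"office"}},
        user_access={("erin", "AppC"): ALLOWED})      # stale user-level exception
```

    Calling overrides_outside_group("office") on the sample data returns the user-level exception that would let a member of the Restricted group run an application outside its list, which is the check described in the first note above.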

    Other Language Sources

    Deutsch

    Espanol

    • DanielB Created by Bentley Colleague DanielB
    • When: Thu, Jul 22 2021 12:11 PM
    • Sarah McCann Last revision by Bentley Colleague Sarah McCann
    • When: Fri, Jul 30 2021 12:05 PM
    • Revisions: 4
    • Comments: 0
    © 2021 Bentley Systems, Incorporated