
5.3. Access Control in 6.x Concurrent Network

Available in Spanish: Control de Acceso para Licencias Concurrentes de red 6.x
Available in Portuguese: Controle de acesso para redes simultâneas 6.x

Applies to: All 6.x products deployed as Concurrent Network

If you have a 7.x network, see Access Control in 7.x Concurrent Network.

Can I control user access to particular products, so that certain licenses are reserved to certain users or forbidden to certain users?

For example, I have some @RISK Professional licenses and some @RISK Industrial licenses, and I want to limit who can use the Industrial licenses. Or, I have some DecisionTools Suite licenses and some StatTools licenses, and I want to specify who can use the full Suite and who can use only StatTools. How do I accomplish that?

Yes, you can do this by adding lines to the options file on the server. Before you do that, you need to decide which way you want to structure your permissions for a given product:

There's no reason to mix INCLUDE and EXCLUDE lines for a given product. But if you do, then anyone not listed on an INCLUDE line is locked out from using the product, and anyone listed on both an INCLUDE line and an EXCLUDE line is also locked out.

What Is a "Feature"?

You control access to some or all of your products by specifying the "feature name" on INCLUDE and EXCLUDE lines. In FLEXnet terms, each product is a feature, and every access control command in the options file relates to a particular feature. Different editions of the same product, like @RISK Professional and @RISK Industrial, are different features.

To find the feature name for a license, in Palisade Server Manager click the Status button and then look at the display for lines beginning "Users of". Those list the feature names of licenses on this server. (For information about how licenses are actually being used, see Monitoring License Use on 6.x Network.)

The feature names for 6.x software all contain 60, regardless of the actual 6.x version number; this is why you don't need a new license when you upgrade from a 6.x version to a later 6.x version. Here is the full list of feature names:
  • DecisionTools60_Industrial, DecisionTools60_Professional
    The DecisionTools features allow use of all components of the Suite. If a DecisionTools Suite user has more than one application open at the same time, only one license is consumed.
  • @RISK60_Industrial, @RISK60_Professional, @RISK60_Standard
  • Evolver60_Industrial, Evolver60_Professional
  • NeuralTools60_Industrial, NeuralTools60_Professional
  • PrecisionTree60_Industrial, PrecisionTree60_Professional
  • StatTools60_Industrial, StatTools60_Professional

If you misspell a feature name, or if you have no license on this server for that feature, then when the options file is reread there will be a line in the log file diagnosing it as an invalid feature. See Troubleshooting License Denials, below, to access the log file.

Method 1: Only Named Users Can Use a Feature

You can designate users by Windows user name or Windows computer name. If you have any INCLUDE lines for a feature, then everyone else is locked out from that feature.

Example:

# Stan can use @RISK Industrial from any computer,
# and anyone on computer Atlantis can use @RISK Industrial,
# but no one else can use @RISK Industrial.
INCLUDE @RISK60_Industrial USER Stan
INCLUDE @RISK60_Industrial HOST Atlantis

Only one user name or host name can appear on a line. If you are granting access to just a few users or computers, use multiple INCLUDE lines, like this:

INCLUDE @RISK60_Industrial USER Stan
INCLUDE @RISK60_Industrial USER Michelle
INCLUDE @RISK60_Industrial USER Fernando
INCLUDE @RISK60_Industrial HOST EC-Server
INCLUDE @RISK60_Industrial HOST Atlantis

If you need to grant access to a large number of users or hosts, you'll want to define a group rather than have many INCLUDE lines. See User and Host Groups, below.

In any conflict between INCLUDE and EXCLUDE lists, EXCLUDE wins. For example:

INCLUDE Evolver60_Industrial HOST Atlantis
EXCLUDE Evolver60_Industrial USER Lucy

Lucy can't use Evolver from any computer, not even Atlantis. All other users can use Evolver from computer Atlantis, but not from any other computer.

According to FLEXnet documentation, "Anywhere a host name can be used in an options file, an IP address can be used instead."

Method 2: All Except Named Users Can Use a Feature

You can designate users by Windows user name or Windows computer name. If you have any EXCLUDE lines for a feature, then the named people or computers are locked out from that feature, but everyone else can use it.

Example:

# Stan cannot use @RISK Industrial from any computer,
# and no one on computer Atlantis can use @RISK Industrial,
# but everyone else can use @RISK Industrial.
EXCLUDE @RISK60_Industrial USER Stan
EXCLUDE @RISK60_Industrial HOST Atlantis

Only one user name or host name can appear on a line. If you are blocking access to just a few users or computers, use multiple EXCLUDE lines, like this:

EXCLUDE @RISK60_Industrial USER Stan
EXCLUDE @RISK60_Industrial USER Michelle
EXCLUDE @RISK60_Industrial USER Fernando
EXCLUDE @RISK60_Industrial HOST EC-Server
EXCLUDE @RISK60_Industrial HOST Atlantis

If you need to block access by a large number of users or hosts, you'll want to define a group rather than have many EXCLUDE lines. See User and Host Groups, below.

According to FLEXnet documentation, "Anywhere a host name can be used in an options file, an IP address can be used instead."

User and Host Groups

It's tedious to put a lot of INCLUDE or EXCLUDE lines in the options file. Rather than do that, define one or more user groups or host groups. Here's an example:

GROUP Gentry Michelle Mark Doug Cristina Robson
GROUP Peasants Stan Sally
HOST_GROUP ThirdFloor Asus14132 Asus14133 Asus14134 \
Asus14135 Asus14136
INCLUDE DecisionTools60_Industrial HOST_GROUP ThirdFloor
INCLUDE DecisionTools60_Industrial GROUP Peasants
INCLUDE DecisionTools60_Industrial USER Vince
INCLUDE StatTools60_Professional GROUP Gentry
INCLUDE StatTools60_Professional USER Vince

This lets the ThirdFloor group of computers, the Peasants group of users, and user Vince use a DecisionTools60_Industrial license, but no one else can. The Gentry group, Vince, and no one else can use a StatTools60_Professional license. The ThirdFloor and Peasants groups, and Vince, can still use StatTools Industrial, as part of the DecisionTools Suite. If all the DecisionTools60_Industrial licenses are in use, the ThirdFloor and Peasants groups will not be able to run StatTools under the StatTools60_Professional license, but Vince and the Gentry group will. (Vince, who was previously using the DecisionTools Suite license, can use the Select License button in License Manager to switch to the StatTools license.)

If your group contains too many members for one line, you can split it into multiple lines, like this:

GROUP giants many names
GROUP giants many more names
GROUP giants still more names

The license system will merge all the lists of users into the "giants" group.

Your HOST_GROUP can identify computers by name or by IP address. According to FLEXnet documentation, "Anywhere a host name can be used in an options file, an IP address can be used instead."

User names and computer names on INCLUDE and EXCLUDE lines are always case sensitive. But you can make them case insensitive on GROUP and HOST_GROUP lines by including this line in the options file:

GROUPCASEINSENSITIVE ON

Even with that line in the options file, the name of the group is still case sensitive.

If you EXCLUDE a group, you cannot then INCLUDE one user or computer from that group, because EXCLUDE always wins.
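
The rules in the sections above (any INCLUDE line locks out everyone not named, EXCLUDE wins, repeated GROUP lines merge, GROUPCASEINSENSITIVE applies only to group members) can be checked against a draft options file before the server rereads it. The following Python is an added example, not Palisade or FLEXnet code; parse_options, allowed and the SAMPLE text are hypothetical names, and the logic models only the behavior this article states.

```python
# Added example: evaluates INCLUDE/EXCLUDE rules as this article describes them.
# Not FLEXnet code; parse_options, allowed and SAMPLE are hypothetical names.
SAMPLE = """\
# constructed sample built from the article's examples
GROUPCASEINSENSITIVE ON
GROUP Peasants Stan
GROUP Peasants Sally
HOST_GROUP ThirdFloor Asus14132 Asus14133 \\
  Asus14135
INCLUDE DecisionTools60_Industrial HOST_GROUP ThirdFloor
INCLUDE DecisionTools60_Industrial GROUP Peasants
INCLUDE Evolver60_Industrial HOST Atlantis
EXCLUDE Evolver60_Industrial USER Lucy
"""

def parse_options(text):
    """Return (rules, groups, host_groups, case_insensitive_groups)."""
    rules, groups, host_groups, ci = [], {}, {}, False
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        kw = tok[0]
        if kw in ("GROUP", "HOST_GROUP") and len(tok) >= 2:
            target = groups if kw == "GROUP" else host_groups
            target.setdefault(tok[1], []).extend(tok[2:])  # repeated lines merge
        elif kw == "GROUPCASEINSENSITIVE":
            ci = tok[1:] == ["ON"]
        elif kw in ("INCLUDE", "EXCLUDE") and len(tok) == 4:
            rules.append(tuple(tok))  # (keyword, feature, type, name)
    return rules, groups, host_groups, ci

def allowed(parsed, feature, user, host):
    """True if user@host may use feature under the article's stated rules."""
    rules, groups, host_groups, ci = parsed
    def member(table, gname, who):
        names = table.get(gname, [])  # the group name itself stays case sensitive
        if ci:
            return who.lower() in [n.lower() for n in names]
        return who in names
    def matches(kind, name):
        return {"USER": user == name, "HOST": host == name,  # case sensitive
                "GROUP": member(groups, name, user),
                "HOST_GROUP": member(host_groups, name, host)}.get(kind, False)
    mine = [r for r in rules if r[1] == feature]
    if any(k == "EXCLUDE" and matches(t, n) for k, _, t, n in mine):
        return False  # EXCLUDE always wins
    includes = [r for r in mine if r[0] == "INCLUDE"]
    return not includes or any(matches(t, n) for _, _, t, n in includes)
```

Calling allowed(parse_options(SAMPLE), "Evolver60_Industrial", "Lucy", "Atlantis") returns False, matching the Lucy example in Method 1.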

More Options for On-Network Use

With MAX and RESERVE lines, you can allocate licenses among user groups.

MAX 2 DecisionTools60_Professional GROUP Muggles

Members of the Muggles group may not use more than 2 DecisionTools Professional licenses at a time. If two Muggles are already using licenses and a third member of that group tries to run the software, the request will be denied.

RESERVE 2 DecisionTools60_Professional HOST_GROUP Wizards

Two DecisionTools Professional licenses are reserved for the use of the Wizards group. When any other authorized user tries to use the license, they will succeed if the number of free licenses, plus the number currently in use by members of the Wizards group, is greater than 2.

RESERVE 1 DecisionTools60_Professional USER Frances

A DecisionTools Professional license is reserved for use by Frances. When any other authorized user tries to use the license, they will succeed if the number of free licenses is greater than 1 or if Frances is currently using a license.

This setting is usually not a good idea: rather than reserve a Concurrent Network license for Frances permanently, it would make more sense for her to have a standalone license on her workstation. But you might want this setting temporarily, for instance if she is teaching a class and must have guaranteed use of a license while the class runs.

Options for Borrowing

Borrowing is available for both certificate and activatable Concurrent Network Licenses. All of the access-control options mentioned above work with either type; but the three options in this section are different. End users can borrow either type of Concurrent Network license, but you can control borrowing with these options only if your Concurrent Network license is the certificate type. If you try to use these options with an activatable license, the software will simply ignore them without any kind of error message in the log file.

If you need to use these options and you have an activatable license, please contact Palisade Technical Support to surrender your activatable license and receive a certificate license. You won't need to reinstall any software.

BORROW_LOWWATER DecisionTools60_Professional 4

Authorized users may borrow licenses, but there will always be at least 4 unborrowed licenses. This ensures that at least some users will still be able to run on network.

INCLUDE_BORROW DecisionTools60_Professional USER Heather
INCLUDE_BORROW DecisionTools60_Professional GROUP Managers

Heather, and members of the Managers group, can borrow a DecisionTools60_Professional license for off-network use. Other authorized users can use a license while on network but cannot borrow it. (For defining groups, see User and Host Groups.)

If you have any INCLUDE_BORROW lines, then all users not mentioned on those lines are prohibited from borrowing.

Our software lets you borrow only the license you are currently using. Therefore, there's no way to configure options so that someone can borrow a license for use off network but cannot use it on network.

EXCLUDE_BORROW DecisionTools60_Professional USER Denise
EXCLUDE_BORROW DecisionTools60_Professional HOST_GROUP Contractors

Denise, on any computer, and anyone on computers in the Contractors group, cannot borrow a DecisionTools60_Professional license for off-network use, but they can still run on network unless you have separate INCLUDE or EXCLUDE lines forbidding that. Other authorized users can use a license while on network and can borrow it for off-network use. (For defining groups, see User and Host Groups.)

If the same user is covered by an INCLUDE_BORROW line and an EXCLUDE_BORROW line, explicitly or as part of a group, then EXCLUDE_BORROW wins.

If an unauthorized user tries to borrow, or if any user tries to borrow when no more borrowable licenses are left, the borrow operation will fail "for an unknown reason". The administrator can find the reason by looking at the log file. See the next section to access the log file.

Troubleshooting License Denials

If a user is locked out of a license, the client software will tell them only that there is no license. FLEXnet doesn't make a specific failure reason available to the client software, so Palisade software can't display it for the end user. The same is true if the user tries to borrow a license but is locked out from borrowing.

You can find specific reasons in the log file on the server. The log file is PalisadeService.log, in the same folder where Palisade Server Manager is installed. You can access it directly in Windows Explorer, or run Server Manager and click Open .LIC Folder. Either way, scroll to the bottom of the file and you'll see the reason why the license was denied.

Additional keywords: Selective access, License permission, License access, License control, Access control, Dual editions, Dual products, Multiple editions, Multiple products, Multiple network licenses on one server

Last edited: 2015-04-28