Home7.x Network GuideReference—Options FileAccess Control in 7.x Concurrent Network

5.3. Access Control in 7.x Concurrent Network

You can limit access to your Concurrent Network licenses by adding lines to the options file. Before you do that, you need to decide which way you want to structure your permissions for a given product:

In this Article:

Features

You control access to some or all of your products by specifying the "feature name" on INCLUDE and EXCLUDE lines. In FLEXnet terms, each product is a feature, and every access control command in the options file relates to a particular feature. Different editions of the same product, like @RISK Professional and @RISK Industrial, are different features.

To find the feature name for a license, in Palisade Server Manager click Status and then look at the display for lines beginning "Users of". Those list the feature names of licenses on this server. (For information about how licenses are actually being used, see How do I monitor client use of my network license?)

The feature names for 7.x software all contain 70, regardless of the actual 7.x version number. This is why you don't need a new license when you perform a minor upgrade, from one 7.x release to a later 7.x release, and why you do need a new license when you upgrade between major versions, such as 6.x to 7.x.

Here is the full list of feature names:

If you misspell a feature name, or if you have no license on this server for that feature, then when the options file is reread there will be a line in the log file diagnosing it as an invalid feature. See Troubleshooting License Denials to access the log file.

Method 1: Only Named Users Can Use a Feature

You can designate users by Windows user name or Windows computer name. If you have any INCLUDE lines for a feature, then everyone else is locked out from that feature.

Example:

# Stan can use @RISK Industrial from any computer,
# and anyone on computer Atlantis can use @RISK Industrial,
# but no one else can use @RISK Industrial.
INCLUDE @RISK70_Industrial USER Stan<
INCLUDE @RISK70_Industrial HOST Atlantis

Only one user name or host name can appear on a line. If you are granting access to just a few users or computers, use multiple INCLUDE lines, like this:

INCLUDE @RISK70_Industrial USER Stan
INCLUDE @RISK70_Industrial USER Michelle
INCLUDE @RISK70_Industrial USER Fernando
INCLUDE @RISK70_Industrial HOST EC-Server
INCLUDE @RISK70_Industrial HOST Atlantis

If you need to grant access to a large number of users or hosts, you'll want to define a group rather than have many INCLUDE lines. See User and Host Groups.

In any conflict between INCLUDE and EXCLUDE lists, EXCLUDE wins. Consider this example:

INCLUDE Evolver70_Industrial HOST Atlantis
EXCLUDE Evolver70_Industrial USER Lucy

Lucy can't use Evolver from any computer, not even Atlantis. All other users can use Evolver from computer Atlantis, but not from any other computer.

According to FLEXnet documentation, "Anywhere a host name can be used in an options file, an IP address can be used instead."

Caution: If you have any INCLUDE...USER lines in your options file for a feature, and your network license is the activatable type, user access to run the software on network will follow the INCLUDE...USER lines, but no one will be able to borrow a license of that feature for off-network use. This does not apply to certificate-type licenses, and it does not apply to INCLUDE...HOST lines with either type of license.

Method 2: All Except Named Users Can Use a Feature

You can designate users by Windows user name or Windows computer name. If you have any EXCLUDE lines for a feature, then the named people or computers are locked out from that feature, but everyone else can use it.

Example:

# Stan cannot use @RISK Industrial from any computer,
# and no one on computer Atlantis can use @RISK Industrial,
# but everyone else can use @RISK Industrial.
EXCLUDE @RISK70_Industrial USER Stan
EXCLUDE @RISK70_Industrial HOST Atlantis

Only one user name or host name can appear on a line. If you are blocking access to just a few users or computers, use multiple EXCLUDE lines, like this:

EXCLUDE @RISK70_Industrial USER Stan
EXCLUDE @RISK70_Industrial USER Michelle
EXCLUDE @RISK70_Industrial USER Fernando
EXCLUDE @RISK70_Industrial HOST EC-Server
EXCLUDE @RISK70_Industrial HOST Atlantis

If you need to block access by a large number of users or hosts, you'll want to define a group rather than have many EXCLUDE lines. See User and Host Groups.

According to FLEXnet documentation, "Anywhere a host name can be used in an options file, an IP address can be used instead."

User and Host Groups

It's tedious to put a lot of INCLUDE or EXCLUDE lines in the options file. Rather than do that, define one or more user groups or host groups. Here's an example:

GROUP Lawyers Michelle Mark Doug Cristina Robson
GROUP Doctors Stan Sally
HOST_GROUP ThirdFloor Asus14132 Asus14133 Asus14134 \
    Asus14135 Asus14136
INCLUDE DecisionTools70_Industrial HOST_GROUP ThirdFloor
INCLUDE DecisionTools70_Industrial GROUP Doctors
INCLUDE DecisionTools70_Industrial USER Vince
INCLUDE StatTools70_Professional GROUP Lawyers
INCLUDE StatTools70_Professional USER Vince

This lets the ThirdFloor group of computers, the Doctors group of users, and user Vince use a DecisionTools70_Industrial license, but no one else can. The Lawyers group, Vince, and no one else can use a StatTools70_Professional license. The ThirdFloor and Doctors groups, and Vince, can still use StatTools Industrial, as part of the DecisionTools Suite. If all the DecisionTools70_Industrial licenses are in use, the Third Floor and Doctors groups will not be able to run StatTools under the StatTools70_Professional license, but Vince and the Lawyers group will. (Vince, who was previously using the DecisionTools Suite license, can use Select License in License Manager to switch to the StatTools license.)

If your group contains too many members for one line, you can split it into multiple lines, like this:

GROUP giants many names
GROUP giants many more names
GROUP giants still more names

The license system will merge all the lists of users into the "giants" group.

Your HOST_GROUP can identify computers by name or by IP address. According to FLEXnet documentation, "Anywhere a host name can be used in an options file, an IP address can be used instead."

User names and computer names on INCLUDE and EXCLUDE lines are always case sensitive. But you can make them case insensitive on GROUP and HOST_GROUP lines by including this line in the options file:

GROUPCASEINSENSITIVE ON

Even with that line in the options file, the name of the group is still case sensitive.

If you EXCLUDE a group, you cannot then INCLUDE one user or computer from that group, because EXCLUDE always wins.

Caution: If you have any INCLUDE...GROUP lines in your options file for a feature, and your network license is the activatable type, user access to run the software on network will follow the INCLUDE...GROUP lines, but no one will be able to borrow a license of that feature for off-network use. This does not apply to certificate-type licenses, and it does not apply to INCLUDE...HOST_GROUP lines with either type of license.

More Options for On-Network Use

With MAX and RESERVE lines, you can allocate licenses among user groups.

MAX 2 DecisionTools70_Professional GROUP Muggles

Members of the Muggles group may not use more than 2 DecisionTools Professional licenses at a time. If two Muggles are already using licenses and a third member of that group tries to run the software, the request will be denied, even if some licenses are not in use.

RESERVE 2 DecisionTools70_Professional HOST_GROUP Wizards

Two DecisionTools Professional licenses are reserved for the use of the computers in the Wizards group. Another authorized user who tries to use the license from another computer will succeed only if the number of free licenses, plus the number currently in use by computers in the Wizards group, is greater than 2.

RESERVE 1 DecisionTools70_Professional USER Frances

A DecisionTools Professional license is reserved for use by Frances. When any other authorized user tries to use the license, they will succeed if the number of free licenses is greater than 1 or if Frances is currently using a license.

This setting is usually not a good idea: rather than reserve a Concurrent Network license for Frances permanently, it would make more sense for her to have a standalone license on her workstation. But you might want this setting temporarily, for instance if she is teaching a class and must have guaranteed use of a license while the class runs.

Options for Borrowing

Borrowing is available for both certificate and activatable Concurrent Network Licenses. All of the access-control options mentioned above work with either type; but the three options in this section are different. End users can borrow either type of Concurrent Network license, but you can control borrowing with these options only if your Concurrent Network license is the certificate type. If you try to use these options with an activatable license, the software will simply ignore them without any kind of error message in the log file.

If you need to use these options and you have an activatable license, please contact Palisade Technical Support to surrender your activatable license and receive a certificate license. You won't need to reinstall any software.

BORROW_LOWWATER DecisionTools70_Professional 4

Authorized users may borrow licenses, but there will always be at least 4 unborrowed licenses. This ensures that at least some users will still be able to run on network.

INCLUDE_BORROW DecisionTools70_Professional USER Heather
INCLUDE_BORROW DecisionTools70_Professional GROUP Managers

Heather, and members of the Managers group, can borrow a DecisionTools70_Professional license for off-network use. Other authorized users can use a license while on network but cannot borrow it. (For defining groups, see User and Host Groups.)

If you have any INCLUDE_BORROW lines, then all users not mentioned on those lines are prohibited from borrowing.

Our software lets you borrow only the license you are currently using. Therefore, there's no way to configure options so that someone can borrow a license for use off network but cannot use it on network.

EXCLUDE_BORROW DecisionTools70_Professional USER Denise
EXCLUDE_BORROW DecisionTools70_Professional HOST_GROUP Contractors

Denise, on any computer, and anyone on computers in the Contractors group, cannot borrow a DecisionTools70_Professional license for off-network use, but they can still run on network unless you have separate INCLUDE or EXCLUDE lines forbidding that. Other authorized users can use a license while on network and can borrow it for off-network use. (For defining groups, see User and Host Groups.)

If the same user is covered by an INCLUDE_BORROW line and an EXCLUDE_BORROW line, explicitly or as part of a group, then EXCLUDE_BORROW wins.

If an unauthorized user tries to borrow, or if any user tries to borrow when no more borrowable licenses are left, the borrow operation will fail "for an unknown reason". The administrator can find the reason by looking at the log file. See the next section to access the log file.

Troubleshooting License Denials

If a user is locked out of a license, the client software will tell them only that there is no license. FLEXnet doesn't make a specific failure reason available to the client software, so Palisade software can't display it for the end user. The same is true if the user tries to borrow a license but is locked out from borrowing.

You can find specific reasons in the log file on the server. The log file is PalisadeService.log, in the same folder where Palisade Server Manager is installed. You can access it directly in Windows Explorer, or run Server Manager and click Open .LIC Folder. Either way, scroll to the bottom of the file and you'll see the reason why the license was denied.

Last edited: 2017-01-27

This page was: Helpful | Not Helpful