
Solution 1-B9PM1N

ULM Access Control Configuration


Updated for UniSim Design R390.0.1 / ULM 4.10 or later

12th February 2010

1 Summary
The UniSim License Manager (ULM) features an Access Control capability which allows network licenses or
license buckets to be restricted to certain users (logging into certain network domains) and/or certain
machines (operating in certain network domains).
This document is a guide for server administrators configuring access control.
Here the ULM Server is a machine running the ULM software, hosting licenses which are accessible over the
network to ULM client machines which may be running UniSim Design, UniSim Heat Exchangers or other
software which is licensed using the ULM.

2 What’s New?
For UniSim Design R390.0.1 and ULM 4.10 several major enhancements have been made to the Access
Control capabilities:
• Optional use of User Principal Name (UPN) user names and * wildcards within UPNs
• Deny keyword introduced
• Groups may now be defined over multiple lines
• *:[user name] nomenclature introduced to mean any machine with user [user name]
• Introduction of a new top-level AllLicenses element, which can optionally replace the use of the
AllLicenses group and allows new functionality like denying all access to particular users/groups
• PrintAllowedLicenses now explicitly lists any access and deny lists for each available license (when
used with new /v switch)
• Admin Console shows an error if access control file gives an error when parsed
Additionally, when a machine name is specified the full machine name, including its domain, must now be used.

3 Server Settings – AccessControl.xml


Access control is set on the ULM server by creating a text file named AccessControl.xml and placing it in the
ULM folder (C:\Program Files\Common Files\Honeywell\SimStation). It is NOT necessary to restart the ULM
service (SimStation) after making changes to this file.
If there is an error when the access control file is read by the ULM a message:
failed to parse AccessControl.xml.
is shown in the Admin Console Server Messages window.

3.1 Introductory Examples


Listed below, in Example 1, is a very simple AccessControl.xml file which illustrates the file structure.

www.honeywell.com/ps/UniSimDesignSupport 1
Example 1
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<License name="UniSimDesign.Process" access="*@*.tudor.co.uk"/>
<License name="UniSimDesign.Amsim" deny="henry@eighth.tudor.co.uk"/>
</AccessControl>
Here User Principal Name (UPN) user names are used, with wildcards, together with the access and deny
keywords. This access control file means that any user whose UPN matches *@*.tudor.co.uk, where each *
stands for any single word (an * cannot span a dot), may use UniSimDesign.Process, and that the user
henry@eighth.tudor.co.uk may not use the UniSimDesign.Amsim license; implicitly any other user may.
Example 2, below, shows how machine names can also be used:
Example 2
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<License name="UniSimDesign.Process" access="*.*.kings.com:*"/>
</AccessControl>
Here any user (signified by the * after the colon) may use the UniSimDesign.Process license when they are
logged into a machine whose name matches the *.*.kings.com string (for example
georgesPC.windsor.kings.com or jamesPC.stuart.kings.com). Again each * stands for any single word (an *
cannot span a dot), so a user on the machine elizabethsPC.queens.windsor.kings.com, which has one word
too many, is not allowed access.

4 Pre-Requisites
The use of access control requires ULM 2.24 or later.
To allow access control filtering by machine domain name ULM 2.38 or later must be present on the server
and USD R350.12 with ULM 2.38 must be present on the client.
Note: if a ULM server is running ULM 2.38 with access control in place which includes filtering by
domain name then all ULM clients prior to ULM 2.38 will NOT get access to ANY licenses; they will
have ALL their license requests rejected (as they do not report their domain name to the server).
To use UPN user name definitions requires UniSim Design Suite R390.0.1 and ULM 4.10 or later.
The use of the Deny keyword and the other new features listed in Section 2 requires ULM 4.10 or later.

5 General Syntax
The general syntax to grant or deny access to licenses is as follows:
<License name=[license name] access=[machine/user or group name(s) semi-colon
delimited] deny=[machine/user or group name(s) semi-colon delimited]/>
Similarly, if the licenses on the server are grouped into buckets then this syntax may be used; any access
control will then apply to all licenses within the bucket:
<Bucket name=[bucket name] access=[machine/user or group name(s) semi-colon
delimited] deny=[machine/user or group name(s) semi-colon delimited]/>
The PrintAllowedLicenses command (covered in Section 9 below) can be used to list the licenses available on
the server, including which bucket they are in. The Admin Console also displays the bucket for each license.
Changes to the bucket configuration of the server license file can only be made by Honeywell.
Group and Machine/User definition is covered in Section 6 below.
An exclusiveAccess syntax can also be used to override all other access permissions, for example for a
license inside a bucket where other permissions have been set.
<License name=[license name] exclusiveAccess=[machine/user or group name(s)
semi-colon delimited]/>

Comments may be included in the access control file using the syntax:
<!-- Anything inside is ignored -->

6 Machine/User Definition
In overview, Machine/User name definitions are made as follows:

"[machine]:[user]" – for example "windsor.kings.com:henry"

If no colon (:) is entered then the entry is assumed to be just the user name:

"[user]" – for example "henry"

A single asterisk (*) wildcard may be used to imply any machine or any user:

"*:[user]" – a specified user on any machine – this is equivalent to "[user]", as above

"[machine]:*" – any user on a specified machine

6.1 Machine Definition


From ULM 4.10 onwards if a machine name is included in the access control file the full machine name with
full domain must be specified.
Note: if a ULM server is running ULM 2.38 with access control in place which includes filtering by
machine domain name then all ULM clients prior to ULM 2.38 will NOT get access to ANY licenses;
they will have ALL their license requests rejected (as they do not report their domain name to the
server).
The asterisk wildcard (*) can replace a machine name, a complete domain name or one or more prefix names
of a domain name. No other variations are accepted. The asterisk (*) wildcard can only replace a whole word
(there can be no “.”’s in the section to be replaced by the *).
Consider the examples:

"*.domain" – any machine in a given domain, for example "*.kings.com"

"machine.domain" – a specific machine in a specific domain, for example "henryspc.kings.com"

"*.*.suffix" – any machine in any domain that has a given suffix, for example "*.*.kings.com"
Asterisk wildcards (*) can only be used at the start of the machine definition. The ULM does not check for an
explicit machine on any domain such as: “machine.*” or “machine.*.*” etc.
Consider also the following two examples:
A) "*.queens.windsor.kings.com"
B) "*.windsor.kings.com"
Example B does NOT include example A. Example A defines any user on any computer in the
queens.windsor.kings.com domain. Example B defines any user on any computer in the windsor.kings.com
domain. This illustrates the point that the * wildcard can only replace a whole word (there can be no “.”’s in
the section to be replaced by the *). This is consistent with how network domain privileges work (where a
privilege in the “b” domain does not automatically extend to the “a.b” domain).
Returning to one of the introductory examples to see this in practice:

<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<License name="UniSimDesign.Process" access="*.*.kings.com:*"/>
</AccessControl>
Here any user (signified by the * after the colon) may use the UniSimDesign.Process license when they are
logged into a machine whose name matches the *.*.kings.com string (for example
georgesPC.windsor.kings.com or jamesPC.stuart.kings.com). The * can represent any single word (no dots
within a *) so a user with the machine name elizabethsPC.queens.windsor.kings.com is not allowed access.

6.2 User Definition


From ULM 4.10 onwards user names are reported and tracked in User Principal Name (UPN) form:
user@domain
The UPN of any user will be reported in the usage.log file which may be examined in the Usage Monitor, for
example:
02/12/2010 9:00 License: UniSimDesign.Process (SS) +1 Referencer: UniSimDesign @ henryspc.kings.com (1):henry@kings.com
If the use of the domain name is required as part of the access control then the @ sign must be used in the
user name specification. It is still possible to make ‘old style’ non-UPN user specifications.
So both

"[user]" – for example "henry"

and

"[user]@[domain]" – for example "henry@eighth.tudor.co.uk"

are permissible.
In the first case above a user henry would match the user definition regardless of the domain they were
logging in to.
Asterisk wildcards (*) may be used within the UPN user name definition subject to the same restrictions as
described above for machine names:
• Asterisk wildcards can replace any single word in the [user]@[domain] string (a * wildcard cannot
contain dots).
• Within the domain part, asterisk wildcards can only be used at the start of the domain name (for
example "*@sub.*" will not work).
ULM clients that do not supply the UPN (prior to R390.0.1 / ULM 4.10) are not expected to work with
access control user definitions that use UPNs. Honeywell recommends that customers who want to
use access controls involving user domains first upgrade all their clients so they can provide this
identity.

7 Group Definition
In order to simplify configuration, groups of users may be defined at the start of the access control file and
then later used in access= and deny= statements.
Groups can be defined as a combination of users and other group names with the syntax:
<Group name=[unique name for group] members=[machine/user or group names(s) semi-
colon delimited]/>
Or this multi-line syntax:

<Group name=[unique name for group]>
<member name=[machine/user or group name]/>
<member name=[machine/user or group name]/>
</Group>
Or any combination of the two as in Example 3 below:
Example 3
<Group name="Group1" members="William;Henry"/>
<Group name="Group2">
<member name="Arthur"/>
<member name="Group1"/>
</Group>
<Group name="Group3" members="Elizabeth;Mary">
<member name="Victoria"/>
<member name="Group1"/>
</Group>
Group names must not match any user names. The group name AllLicenses is reserved for the special group
described in Section 8: adding members to AllLicenses gives them access to all licenses on the server.

8 Precedence, Inheritance and Implicit access


The access control precedence, inheritance and implicit access rules are defined as follows:
1. Any licenses or buckets on a license server which are not explicitly mentioned within an access control file
on the server are implicitly accessible to any user.
2. Access control statements on licenses within a bucket extend or augment those made for the bucket
overall.
3. Any members placed in the special group AllLicenses have access to any licenses on the server overriding
any other access defined in the access control file, except any access given by the exclusiveAccess keyword.
4. ULM 4.10 also introduces a new top-level AllLicenses element, which can optionally replace the use of the
AllLicenses group. Functionally it is treated just like the AllLicenses group, if both syntaxes are used together
the results are merged; however, the use of this new element is necessary to give extra functionality, for
example in order to deny access to licenses on the server. The syntax is the same as for a Bucket or
License:
<AllLicenses access="Tudors" deny="James"/>
5. For license files containing buckets if a <License name=…/> statement is made in the access control file
outside of a bucket then the access established applies to this license in every bucket, except if this access is
overridden by the use of the exclusiveAccess keyword.
6. The exclusiveAccess keyword grants access that overrides any other access established in the access
control file. exclusiveAccess set for licenses within a bucket overrides any exclusiveAccess settings for the
bucket as a whole, and any exclusiveAccess statements made for that license outside of a bucket. In other
words for license files containing buckets, if a <License name=… exclusiveAccess=… /> statement is made
in the access control file outside of a bucket, then the access established applies to this license in every
bucket, except if overridden by any exclusiveAccess= settings made on the bucket or within the buckets.
Based on these rules the table below shows the order of precedence (top of list has the highest precedence):

Table 1

Order of Precedence (highest first):
1. AllLicenses (all licenses)
2. License outside of bucket (named license in any bucket)
3. Bucket (all licenses within this bucket)
4. License within Bucket (just this license)
[Use of exclusiveAccess overrides this order and leads to its own order of precedence, below]

Order of Precedence for exclusiveAccess (highest first):
1. License within Bucket
2. Bucket
3. License outside of bucket

These rules are illustrated in the examples below.


Consider the access control file in Example 4 below:
Example 4
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<Groups>
<Group name="Tudors">
<member name="*@tudor.co.uk"/>
</Group>
<Group name="Stuarts">
<member name="*@stuart.co.uk"/>
</Group>
<Group name="Windsors">
<member name="*@windsor.co.uk"/>
</Group>
</Groups>
<Bucket name="UHX" access="Windsors"/>
<Bucket name="SSandDyn" deny="Stuarts">
<License name="UniSimDesign.Dynamic" deny="Tudors"/>
<License name="UniSimDesign.Fidelity" deny="Tudors"/>
</Bucket>
<Bucket name="SS">
<License name="UniSimDesign.Process" deny="Stuarts"/>
</Bucket>
</AccessControl>
The license file contains three buckets:

UHX – containing UniSim Heat Exchangers licenses

SSandDyn – containing Process, Crude, Oil (Steady State) and Dynamics and Fidelity (Dynamics) licenses

SS – containing Process, Crude, Oil (Steady State) licenses
Based on the access control file above these have the following access:

Bucket: UHX – Any user in the group Windsors is explicitly granted access to this
access="Windsors" bucket, any other user is hence implicitly denied.

Bucket: SSandDyn – Any user in the group Stuarts is explicitly denied access to this
deny="Stuarts" bucket, any other user is hence implicitly granted access.

6 www.honeywell.com/ps/UniSimDesignSupport
Dynamic and Fidelity licenses – Access control statements on licenses within the bucket augment
within Bucket SSandDyn those for the bucket overall, hence any user in the group Tudors is
deny="Tudors" explicitly denied access. All other users, except those in group
Stuarts which are denied access to the whole bucket (including
those in group Windsors) still have implicit access.

Bucket SS – There are no access control statements for the bucket, hence any
user is implicitly granted access.

Process license within Bucket As above, the access control statement on the license within the
SS bucket augments that for the whole bucket (none) so any users in
deny="Stuarts" the group Stuarts are explicitly denied access.

Consider Example 5 below where groups are defined and the special AllLicenses and exclusiveAccess
keywords used.
Example 5
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<Groups>
<Group name="AllLicenses" members="Stephen;Richard"/>
<Group name="Group1" members="William;Henry"/>
<Group name="Group2" members="Arthur;Group1"/>
</Groups>
<License name="UniSimDesign.Process" access="Group1"/>
<License name="UniSimDesign.Amsim" exclusiveAccess="John"/>
<License name="UniSimDesign.Crude" access="Group2"/>
</AccessControl>
Here Richard and Stephen are assigned to the special group AllLicenses which means they can access all
licenses (with exceptions noted below). William and Henry (Group1) can access the UniSimDesign.Process
license. Arthur, William and Henry (Group2) can access the UniSimDesign.Crude license.
Note the exclusiveAccess setting on UniSimDesign.Amsim; this supersedes any more global access rights
and assigns only the access mentioned. So for UniSimDesign.Amsim, only John has access and not Richard
and Stephen (even though they have been added to the AllLicenses group).
Note Example 6 below (here the license feature names SpecialLicense and ThisLicenseInAnyBucket are
made up to illustrate the effect of the settings):
Example 6
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<Groups>
<Group name="Group1" members="Charles;Henry"/>
<Group name="Group2" members="Arthur;Group1"/>
</Groups>
<AllLicenses access="Edward;Mary;Elizabeth"/>
<Bucket name="USDBucket1" access="Group1;William">
<License name="UniSimDesign.Process" access="Anne;George"/>
<License name="UniSimDesign.OLIInterface" access="Anne"/>
</Bucket>
<Bucket name="USDSpecial" exclusiveAccess="Victoria">
<License name="UniSimDesign.Dynamic" exclusiveAccess="Richard"/>
</Bucket>
<Bucket name="USDSpecial2" exclusiveAccess="John"/>
<License name="UniSimDesign.SpecialLicense" exclusiveAccess="John"/>
<License name="UniSimDesign.ThisLicenseInAnyBucket" access="Group2"/>
</AccessControl>

Here the users Edward, Mary and Elizabeth have access to all licenses in all buckets (using the new
<AllLicenses …/> syntax) with the exception of those licenses marked as exclusiveAccess below.
When defining access control for a bucket it is possible to set which users have access to all the licenses in
the bucket and to grant extra access to particular licenses within that bucket. So in this case Charles, Henry
(Group1) and William have access to all the licenses in USDBucket1. Additionally, Anne and George have
access to the UniSimDesign.Process license and Anne has access to the UniSimDesign.OLIInterface license.
When the exclusiveAccess keyword is used for a license within a bucket then this supersedes the containing
access. So for the bucket USDSpecial, Victoria has exclusive access to all the licenses in the bucket except
UniSimDesign.Dynamic. Again because of the exclusiveAccess keyword, only Richard has access to
UniSimDesign.Dynamic regardless of access settings on the bucket or on AllLicenses.
Similarly the user John has exclusive access to all the licenses in bucket USDSpecial2 (this overrides the
AllLicenses access for Edward, Mary and Elizabeth).
Note that the example above has some “License name” definitions outside the Bucket definitions. This means
that the defined access is applied to the named license(s) regardless of their containing bucket. So
UniSimDesign.SpecialLicense is only ever accessible by the user John whatever bucket it appears in and
UniSimDesign.ThisLicenseInAnyBucket is always accessible by the members of Group2 whatever bucket it
appears in, unless access is prohibited by an exclusiveAccess keyword for the bucket or license within the
bucket.
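The matching rules of Section 6 (each * standing for exactly one dot-free label, wildcards only at the front of a machine name or of a UPN domain, an entry without a colon meaning that user on any machine) and the precedence rules illustrated in Examples 4 to 6 are easy to get wrong by hand. The following is an added example written for this page, not Honeywell's ULM code: a dry-run model of those documented rules that parses an AccessControl.xml, expands nested groups and answers whether a given machine and user would be granted a named license in a named bucket. Where the note is silent it assumes that names compare case-insensitively, that list entries are taken literally (no trimming of stray whitespace), that an applicable exclusiveAccess list also overrides deny lists, and that AllLicenses access beats lower-level deny lists because Table 1 ranks it highest. The policy embedded in it is constructed from Examples 4 and 6 and the machine and user names are invented. Treat its answers as something to compare against PrintAllowedLicenses /v on the real server, not as the server's verdict.

```python
"""Dry-run model of the AccessControl.xml rules described in this note.
Added illustration for this page, not Honeywell's ULM code. Assumptions where
the note is silent: names compare case-insensitively, list entries are taken
literally (no whitespace trimming), an applicable exclusiveAccess list also
overrides deny lists, and AllLicenses access beats lower-level deny lists.
Confirm real behaviour with PrintAllowedLicenses /v on the server."""
import xml.etree.ElementTree as ET

def labels_match(pattern, name):
    """'*' stands for exactly one dot-free label and may only lead the pattern,
    so '*.windsor.kings.com' does NOT cover 'x.queens.windsor.kings.com'."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    if len(p) != len(n):
        return False
    first = next((i for i, label in enumerate(p) if label != "*"), len(p))
    return "*" not in p[first:] and p[first:] == n[first:]   # 'machine.*' never matches

def user_match(pattern, upn):
    """Old-style 'henry' matches that user in any domain; 'user@domain' is matched
    label-wise, with '*' allowed only at the start of the domain."""
    user, _, domain = upn.partition("@")
    if "@" not in pattern:
        return pattern.lower() == user.lower()
    p_user, p_domain = pattern.split("@", 1)
    return (p_user == "*" or p_user.lower() == user.lower()) and labels_match(p_domain, domain)

def entry_matches(entry, machine, upn):
    """'[machine]:[user]'; no colon means '*:[user]', i.e. that user on any machine."""
    m, sep, u = entry.partition(":")
    if not sep:
        m, u = "*", entry
    return (m == "*" or labels_match(m, machine)) and (u == "*" or user_match(u, upn))

def load_policy(xml_text):
    """Parse the file and flatten every Group (nesting allowed, cycles rejected)."""
    root = ET.fromstring(xml_text)
    raw = {g.get("name"): [m for m in g.get("members", "").split(";") if m]
           + [m.get("name") for m in g.findall("member")] for g in root.iter("Group")}

    def expand(name, seen=()):
        if name not in raw:
            return [name]                      # a plain machine/user entry
        if name in seen:
            raise ValueError("group cycle at " + name)
        return [e for m in raw[name] for e in expand(m, seen + (name,))]

    return root, {name: expand(name) for name in raw}

def lists_of(node, groups):
    """[access, deny, exclusiveAccess] entry lists of one element, groups expanded."""
    attrs = node.attrib if node is not None else {}
    return [[e for g in attrs.get(a, "").split(";") if g for e in groups.get(g, [g])]
            for a in ("access", "deny", "exclusiveAccess")]

def allowed(policy, bucket, license_name, machine, upn):
    """Table 1 order: an exclusiveAccess list (license in bucket > bucket > license
    outside any bucket) decides alone; then AllLicenses deny/access; then deny
    lists; then access lists, a license nobody mentions being open to everyone."""
    root, groups = policy
    hit = lambda entries: any(entry_matches(e, machine, upn) for e in entries)
    bucket_el = root.find(f"Bucket[@name='{bucket}']") if bucket else None
    inner = bucket_el.find(f"License[@name='{license_name}']") if bucket_el is not None else None
    outer = root.find(f"License[@name='{license_name}']")
    lists = [lists_of(n, groups) for n in (outer, bucket_el, inner)]
    for _, _, exclusive in reversed(lists):
        if exclusive:
            return hit(exclusive)
    all_access, all_deny, _ = lists_of(root.find("AllLicenses"), groups)
    if hit(all_deny):
        return False
    if hit(groups.get("AllLicenses", []) + all_access):   # group form and element form merge
        return True
    if any(hit(deny) for _, deny, _ in lists):
        return False
    access = [e for a, _, _ in lists for e in a]
    return hit(access) if access else True

# Constructed policy mixing the note's Examples 4 and 6 (not a real site's file).
POLICY_XML = """<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
  <Group name="Tudors"><member name="*@*.tudor.co.uk"/></Group>
  <Group name="Group1" members="Charles;Henry"/>
  <Group name="Group2" members="Arthur;Group1"/>
  <AllLicenses access="Edward" deny="James"/>
  <Bucket name="USDBucket1" access="Group1;William" deny="Tudors">
    <License name="UniSimDesign.Process" access="*.*.kings.com:*"/>
  </Bucket>
  <Bucket name="USDSpecial" exclusiveAccess="Victoria">
    <License name="UniSimDesign.Dynamic" exclusiveAccess="Richard"/>
  </Bucket>
  <License name="UniSimDesign.SpecialLicense" exclusiveAccess="John"/>
  <License name="UniSimDesign.ThisLicenseInAnyBucket" access="Group2"/>
</AccessControl>"""

if __name__ == "__main__":
    pol = load_policy(POLICY_XML)
    for who in ("anne@stuart.co.uk", "henry@eighth.tudor.co.uk", "edward@kings.com"):
        print(who, allowed(pol, "USDBucket1", "UniSimDesign.Process", "pc.windsor.kings.com", who))
```

The bucket name has to be supplied by the caller because the file itself does not record which bucket a license sits in; take it from PrintAllowedLicenses or the Admin Console. A group cycle (Group1 containing Group2 containing Group1) is rejected rather than expanded forever, which is the one error the note's syntax leaves possible.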

9 Troubleshooting
The PrintAllowedLicenses command line tool, available in the SimStation folder (typically C:\Program
Files\Common Files\Honeywell\SimStation) can be used to display all the licenses available to the currently
logged in user, and the bucket in which they are contained (displayed in brackets). It can be run on the client
or the server. When run on the client it shows all the licenses available on all the configured alternate hosts.
When run with the /v (verbose) switch PrintAllowedLicenses will display any access and deny lists for each
available license. PrintAllowedLicenses can also be supplied with a machine/user name to display the
licenses available for that machine/user. For full details run PrintAllowedLicenses /?.
If there is an error when the access control file is read by the ULM a message:
failed to parse AccessControl.xml.
is shown in the Admin Console Server Messages window (and in the diagnostic.log file).
When access is blocked by access control settings the usage.log (viewable in the Usage Monitor) shows a
failure message and the user sees the following license message (in UniSim Design on the Messages tab
of the Licensing Information window, accessible via the Tools menu Licensing option):
Reason: User does not have access.
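Because the ULM picks up AccessControl.xml without a restart, a mistake is live the moment the file is saved, and the Admin Console message above only covers XML that fails to parse; a well-formed file with a trailing space inside a name, a machine name without its domain or a wildcard in the wrong position may be accepted and then simply not match what the administrator intended. The following pre-deployment check is an added example written for this page, not a Honeywell tool: it applies the syntax rules from Sections 5 to 7 to a file before it is copied into the SimStation folder. The element and attribute vocabulary is taken from those sections; the sample file and the (bucket, license) pairs are constructed to contain deliberate mistakes, and how the real ULM treats each of those mistakes is not stated in this note.

```python
"""Pre-deployment lint for AccessControl.xml.
Added illustration for this page, not a Honeywell tool. Applies the syntax rules
stated in this note (Sections 5-7) before the file goes live. Bucket membership
is not recorded in the file, so the caller supplies (bucket, license) pairs taken
from PrintAllowedLicenses or the Admin Console to get the "implicitly open" report."""
import xml.etree.ElementTree as ET

ELEMENTS = {"AccessControl", "Groups", "Group", "member", "AllLicenses", "Bucket", "License"}
ATTRIBUTES = {"name", "members", "access", "deny", "exclusiveAccess"}
LIST_ATTRS = ("members", "access", "deny", "exclusiveAccess")

def check_wildcards(dotted, where, problems):
    """'*' must replace a whole label and may only appear at the start of the name."""
    labels = dotted.split(".")
    first = next((i for i, label in enumerate(labels) if label != "*"), len(labels))
    if any("*" in label for label in labels[first:]):
        problems.append(f"{where}: wildcard in {dotted!r} must be a whole leading label")

def check_entry(entry, where, problems):
    """Apply the Section 6 machine/user rules to one semicolon-delimited entry."""
    if entry != entry.strip():
        problems.append(f"{where}: entry {entry!r} has surrounding whitespace")
        return
    machine, sep, user = entry.partition(":")
    if not sep:                               # no colon: the whole entry is the user
        machine, user = "*", entry
    if machine != "*":
        if "." not in machine:
            problems.append(f"{where}: machine {machine!r} needs its full domain name (ULM 4.10)")
        check_wildcards(machine, where, problems)
    name, _, domain = user.partition("@")
    if "*" in name and name != "*":
        problems.append(f"{where}: user {user!r}: '*' must replace the whole user name")
    if domain:
        check_wildcards(domain, where, problems)

def lint(xml_text, licenses=()):
    """Return a list of problem strings (empty means nothing found). `licenses` is an
    optional iterable of (bucket, license) pairs present on the server; pairs the file
    never mentions are reported, because Section 8 rule 1 leaves them open to everyone."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML (ULM would log 'failed to parse AccessControl.xml.'): {exc}"]
    problems = [] if root.tag == "AccessControl" else [f"root element is <{root.tag}>, expected <AccessControl>"]
    for el in root.iter():
        where = f"<{el.tag} name={el.get('name')!r}>"
        if el.tag not in ELEMENTS:
            problems.append(f"{where}: unknown element")
        for attr in sorted(set(el.attrib) - ATTRIBUTES):
            problems.append(f"{where}: unknown attribute {attr!r}")
        entries = [el.get("name", "")] if el.tag == "member" else []
        entries += [e for a in LIST_ATTRS for e in el.get(a, "").split(";") if e]
        for entry in entries:
            check_entry(entry, where, problems)
        if el.get("exclusiveAccess"):
            problems.append(f"{where}: exclusiveAccess here overrides AllLicenses and every other grant")
    named_buckets = {b.get("name") for b in root.findall("Bucket")}
    named_licenses = {lic.get("name") for lic in root.findall("License")}
    for bucket, lic in licenses:
        if bucket not in named_buckets and lic not in named_licenses:
            problems.append(f"{lic} in bucket {bucket}: never mentioned, so implicitly open to every user")
    return problems

# Constructed file containing deliberate mistakes (not from any real site).
BAD_XML = """<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
  <Groups>
    <Group name="Stuarts"><member name="*@stuart.co.uk "/></Group>
  </Groups>
  <Bucket name="UHX" access="henryspc:henry;georgespc.*:*" acces="Windsors"/>
  <License name="UniSimDesign.Amsim" deny="*@sub.*;henry*@tudor.co.uk"/>
  <License name="UniSimDesign.Dynamic" exclusiveAccess="Richard"/>
</AccessControl>"""
# Constructed (bucket, license) pairs standing in for the server's license list.
SERVER_LICENSES = [("UHX", "UniSimHeatExchangers.STE"), ("SS", "UniSimDesign.Process")]

if __name__ == "__main__":
    for problem in lint(BAD_XML, SERVER_LICENSES):
        print(problem)
```

Run it against the file and the license list reported by PrintAllowedLicenses before copying the file to the server. An empty result means none of the syntax rules stated in this note were violated, not that the policy grants what was intended; the exclusiveAccess line is reported deliberately, since that keyword silently removes access from everyone in AllLicenses.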

10 Appendix – License Glossary
10.1 UniSim Design Suite
Table 2

UniSim Design (USD)

Package: UniSim Design Steady State
  License(s): UniSimDesign.Process, UniSimDesign.Oil, UniSimDesign.Crude, UniSimDesign.Rating
  Note: These licenses come together as part of the UniSim Design Steady State option. Without the Process license the application will not open.

Package: UniSim Design Dynamics
  License(s): UniSimDesign.Dynamic, UniSimDesign.Fidelity, UniSimDesign.OLGALINK
  Note: These licenses come together as part of the UniSim Design Dynamics option.

Package: OLI Aqueous + Mixed Solvent Electrolytes
  License(s): UniSimDesign.OLIInterface

Package: OLI Aqueous Electrolytes
  License(s): UniSimDesign.OLIAqueousElectrolyteInterface

Package: PIPESYS
  License(s): UniSimDesign.Extensions.PIPESYS

Package: Amines Property Package
  License(s): UniSimDesign.Amsim

Package: OLGAS 2 phase
  License(s): UniSimDesign.OLGAS
  Note: OLGAS correlation in pipe segment, 2 phase only

Package: OLGAS 2 and 3 phase
  License(s): UniSimDesign.OLGAS, UniSimDesign.OLGAS3P
  Note: 2 and 3 phase

Package: MultiFlash
  License(s): UniSimThermo.InfochemMultiFlash
  Note: Embedded MultiFlash thermo

Package: Blackoil
  License(s): UniSimThermo.NeotecBlackOil
  Note: Embedded Black Oil thermo

Package: Optimiser
  License(s): UniSimDesign.HoneywellSQP, UniSimDesign.SelectionOpt

Package: Corrosion Analyzer Standalone + Link
  License(s): UniSimDesign.CorrosionAnalyzer, UniSimDesign.CorrosionAnalyzerLink
  Note: Enables use of standalone and linked Corrosion Analyzer program

Package: Corrosion Analyzer Link
  License(s): UniSimDesign.CorrosionAnalyzerLink
  Note: Linked only

Package: Predict Sour Water
  License(s): UniSimDesign.PredictSWUtility

Package: Thermo Workbench
  License(s): UniSimConceptual.COM, UniSimConceptual.THERMO, UniSimConceptual.H89C797859CO77MO78

Package: Exchanger Net Conceptual
  License(s): UniSimConceptual.COM, UniSimConceptual.H89C797859CO77MO78, UniSimConceptual.HI, UniSimConceptual.HI_ADM, UniSimConceptual.HI_GRID

Package: Exchanger Net Operations
  License(s): UniSimConceptual.HI_OPER

UniSim Heat Exchangers (UHX)

Package: UniSim Crossflow Exchanger Modeler
  License(s): UniSimHeatExchangers.CFE

Package: UniSim Plate Heat Exchanger Modeler
  License(s): UniSimHeatExchangers.PHE

Package: UniSim Fired Process Heater Modeler
  License(s): UniSimHeatExchangers.FPH

Package: UniSim Feedwater Heater Modeler
  License(s): UniSimHeatExchangers.FWH

Package: UniSim Plate-Fin Exchanger Modeler
  License(s): UniSimHeatExchangers.PFE

Package: UniSim Process Pipeline Modeler
  License(s): UniSimHeatExchangers.PPL

Package: UniSim Shell-Tube Exchanger Modeler
  License(s): UniSimHeatExchangers.STE
