ULM Access Control Configuration
1 Summary
The UniSim License Manager (ULM) features an Access Control capability which allows network licenses or
license buckets to be restricted to certain users (logging into certain network domains) and/or certain
machines (operating in certain network domains).
This document is a guide for server administrators configuring access control.
Here the ULM Server is a machine running the ULM software, hosting licenses which are accessible over the
network to ULM client machines which may be running UniSim Design, UniSim Heat Exchangers or other
software which is licensed using the ULM.
2 What’s New?
For UniSim Design R390.0.1 and ULM 4.10 several major enhancements have been made to the Access
Control capabilities:
• Optional use of User Principal Name (UPN) user names and * wildcards within UPNs
• Deny keyword introduced
• Groups may now be defined over multiple lines
• *:[user name] nomenclature introduced to mean any machine with user [user name]
• Introduction of a new top-level AllLicenses element, which can optionally replace the use of the
AllLicenses group and allows new functionality like denying all access to particular users/groups
• PrintAllowedLicenses now explicitly lists any access and deny lists for each available license (when
used with new /v switch)
• Admin Console shows an error if access control file gives an error when parsed
Additionally now when a machine name is specified, the full machine name including domain must be used.
www.honeywell.com/ps/UniSimDesignSupport 1
3 Introductory Examples
Example 1
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<License name="UniSimDesign.Process" access="*@*.tudor.co.uk"/>
<License name="UniSimDesign.Amsim" deny="henry@eighth.tudor.co.uk"/>
</AccessControl>
Here User Principal Name (UPN) user names are used, with wildcards, together with the access and deny
keywords. This access control file means that any user whose UPN matches *@*.tudor.co.uk, where each * can
represent any single word (an * cannot contain any dots), can use the UniSimDesign.Process license, and that
the user henry@eighth.tudor.co.uk may not use the UniSimDesign.Amsim license; implicitly any other user may.
Example 2, below, shows how machine names can also be used:
Example 2
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<License name="UniSimDesign.Process" access="*.*.kings.com:*"/>
</AccessControl>
Here any user (signified by the * after the colon) may use the UniSimDesign.Process license when they are
logged into a machine whose name matches the string *.*.kings.com (for example
georgesPC.windsor.kings.com or jamesPC.stuart.kings.com). Again the * can represent any single word (an *
cannot contain any dots), so a user on the machine elizabethsPC.queens.windsor.kings.com is not allowed
access.
4 Pre-Requisites
The use of access control requires ULM 2.24 or later.
To allow access control filtering by machine domain name ULM 2.38 or later must be present on the server
and USD R350.12 with ULM 2.38 must be present on the client.
Note: if a ULM server is running ULM 2.38 with access control in place which includes filtering by
domain name then all ULM clients prior to ULM 2.38 will NOT get access to ANY licenses; they will
have ALL their license requests rejected (as they do not report their domain name to the server).
To use UPN user name definitions requires UniSim Design Suite R390.0.1 and ULM 4.10 or later.
The use of the Deny keyword and the other new features listed in Section 2 requires ULM 4.10 or later.
5 General Syntax
The general syntax to grant or deny access to licenses is as follows:
<License name=[license name] access=[machine/user or group name(s) semi-colon
delimited] deny=[machine/user or group name(s) semi-colon delimited]/>
Similarly, if the licenses on the server are grouped into buckets then this syntax may be used; any access
control will then apply to all licenses within the bucket:
<Bucket name=[bucket name] access=[machine/user or group name(s) semi-colon
delimited] deny=[machine/user or group name(s) semi-colon delimited]/>
The PrintAllowedLicenses command (covered in Section 9 below) can be used to list the licenses available on
the server, including which bucket they are in. The Admin Console also displays the bucket for each license.
Changes to the bucket configuration of the server license file can only be made by Honeywell.
Group and Machine/User definition is covered in Section 6 below.
An exclusiveAccess syntax can also be used to override all other access permissions, for example for a
license inside a bucket where other permissions have been set.
<License name=[license name] exclusiveAccess=[machine/user or group name(s)
semi-colon delimited]/>
Comments may be included in the access control file using the syntax:
<!-- Anything inside is ignored -->
6 Machine/User Definition
In overview, Machine/User name definitions take the form [machine name]:[user name] (so *:[user name]
means the named user on any machine). If no colon (:) is entered then the entry is assumed to be just the
user name. A single asterisk (*) wildcard may be used to imply any machine or any user. Wildcards may also
replace the leading words of a machine name:
"*.*.suffix" – any machine in any domain that has a given suffix, for example
"*.*.kings.com"
Asterisk wildcards (*) can only be used at the start of the machine definition. The ULM does not check for an
explicit machine on any domain such as "machine.*" or "machine.*.*".
Consider also the following two examples:
A) "*.queens.windsor.kings.com"
B) "*.windsor.kings.com"
Example B does NOT include example A. Example A defines any user on any computer in the
queens.windsor.kings.com domain. Example B defines any user on any computer in the windsor.kings.com
domain. This illustrates the point that the * wildcard can only replace a whole word (there can be no "."
characters in the section to be replaced by the *). This is consistent with how network domain privileges
work (where a privilege in the "b" domain does not automatically extend to the "a.b" domain).
Returning to one of the introductory examples to see this in practice:
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<License name="UniSimDesign.Process" access="*.*.kings.com:*"/>
</AccessControl>
Here any user (signified by the * after the colon) may use the UniSimDesign.Process license when they are
logged into a machine whose name matches the *.*.kings.com string (for example
georgesPC.windsor.kings.com or jamesPC.stuart.kings.com). The * can represent any single word (no dots
within a *) so a user with the machine name elizabethsPC.queens.windsor.kings.com is not allowed access.
For the user part of a definition, both a plain user name (for example henry) and a User Principal Name (for
example henry@eighth.tudor.co.uk, as in Example 1) are permissible.
In the first case a user henry would match the user definition regardless of the domain they were logging
in to.
Asterisk wildcards (*) may be used within the UPN user name definition subject to the same restrictions as
described above for machine names:
• Asterisk wildcards can replace any single word in the [user]@[domain] string (* wildcards cannot
contain dots)
• Within the domain name, asterisk wildcards can only be used at the start (for example "*@sub.*"
won't work)
ULM clients that do not supply the UPN (prior to R390.0.1 / ULM 4.10) are not expected to work with
access control user definitions that use UPNs. Honeywell recommends that customers who want to
use access controls involving user domains first upgrade all their clients so they can provide this
identity.
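As an added example (not Honeywell code and not the ULM's own matching routine), the following Python models the wildcard rules of this section so that a definition can be checked before it goes into the access control file: a * replaces exactly one dot-free word, a * is accepted only at the start of a machine name or of a UPN domain, and an entry is [machine]:[user] or just [user]. Two points the document does not state are assumptions: comparisons are case-insensitive, and a plain user name is compared with the user part of the UPN the client reports.

```python
"""Model of the ULM machine-name and UPN wildcard rules (added example, not
Honeywell code).  Documented rules: a '*' replaces exactly one dot-free word,
it is accepted only at the start of a machine name or of a UPN domain, and an
entry is [machine]:[user] or just [user].  Assumptions not stated in the
document: comparisons are case-insensitive, and a plain user name is compared
with the user part of the UPN the client reports."""


def _words_match(pattern, name):
    """True when every dot-separated word matches; a '*' consumes exactly one word."""
    pat, words = pattern.lower().split("."), name.lower().split(".")
    if len(pat) != len(words):          # a '*' never spans several words
        return False
    return all(p == "*" or p == w for p, w in zip(pat, words))


def validate_domain_pattern(pattern):
    """Reject forms the ULM does not check, e.g. 'machine.*' or the domain of '*@sub.*'."""
    seen_literal = False
    for word in pattern.split("."):
        if word == "*":
            if seen_literal:
                raise ValueError(f"'*' is only allowed at the start: {pattern!r}")
        elif not word or "*" in word:
            raise ValueError(f"'*' must replace a whole word: {pattern!r}")
        else:
            seen_literal = True


def validate_entry(entry):
    """Check one access/deny entry before it goes into the access control file."""
    machine, _, user = entry.rpartition(":")    # no colon: the whole entry is the user
    if machine and machine != "*":
        validate_domain_pattern(machine)
    upn_user, at, domain = user.partition("@")
    if not upn_user or ("*" in upn_user and upn_user != "*"):
        raise ValueError(f"user part must be a name or a single '*': {entry!r}")
    if at:
        validate_domain_pattern(domain)


def is_valid_entry(entry):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_entry(entry)
        return True
    except ValueError:
        return False


def _user_matches(pattern, upn):
    """Compare a user definition with the user name (plain or UPN) the client reports."""
    client_user, _, client_domain = upn.partition("@")
    pat_user, at, pat_domain = pattern.partition("@")
    if pat_user != "*" and pat_user.lower() != client_user.lower():
        return False
    if not at:                          # plain name: any domain (assumption: user part of the UPN)
        return True
    return _words_match(pat_domain, client_domain)   # a client without a UPN never matches


def entry_matches(entry, machine, upn):
    """True when `entry` applies to the (machine, user) pair reported by a client."""
    validate_entry(entry)
    pat_machine, _, pat_user = entry.rpartition(":")
    if pat_machine and pat_machine != "*" and not _words_match(pat_machine, machine):
        return False
    return pat_user == "*" or _user_matches(pat_user, upn)


if __name__ == "__main__":
    # Cases from Examples 1 and 2 and from the discussion in this section.
    print(entry_matches("*@*.tudor.co.uk", "pc.tudor.co.uk", "henry@eighth.tudor.co.uk"))          # True
    print(entry_matches("*.*.kings.com:*", "elizabethsPC.queens.windsor.kings.com", "e@kings.com"))  # False
    print(is_valid_entry("machine.*:*"), is_valid_entry("*@sub.*"))                                # False False
```

A definition such as henry@eighth.tudor.co.uk never matches a client that reports only henry, which is the behaviour described above for clients older than R390.0.1 / ULM 4.10; the validator also refuses the "machine.*" and "*@sub.*" forms that the ULM does not check, so a typo of that kind is caught before the server silently ignores it.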
7 Group Definition
In order to simplify configuration, groups of users may be defined at the start of the access control file and
then later used in access= and deny= statements.
Groups can be defined as a combination of users and other group names with the syntax:
<Group name=[unique name for group] members=[machine/user or group names(s) semi-
colon delimited]/>
Or this multi-line syntax:
<Group name=[unique name for group]>
<member name=[machine/user or group name]/>
<member name=[machine/user or group name]/>
</Group>
Or any combination of the two as in Example 3 below:
Example 3
<Group name="Group1" members="William;Henry"/>
<Group name="Group2">
<member name="Arthur"/>
<member name="Group1"/>
</Group>
<Group name="Group3" members="Elizabeth;Mary">
<member name="Victoria"/>
<member name="Group1"/>
</Group>
Group names must not match any user names, and the group name "AllLicenses" is reserved: adding
members to AllLicenses gives them access to all licenses on the server.
Table 1
Bucket SSandDyn – contains the Process, Crude and Oil (Steady State) licenses and the Dynamics and
Fidelity (Dynamics) licenses
Based on the access control file for these buckets the licenses have the following access:
Bucket UHX, access="Windsors" – Any user in the group Windsors is explicitly granted access to this
bucket; any other user is hence implicitly denied.
Bucket SSandDyn, deny="Stuarts" – Any user in the group Stuarts is explicitly denied access to this
bucket; any other user is hence implicitly granted access.
Dynamic and Fidelity licenses within Bucket SSandDyn, deny="Tudors" – Access control statements on
licenses within the bucket augment those for the bucket overall, hence any user in the group Tudors is
explicitly denied access. All other users, except those in group Stuarts which are denied access to the
whole bucket (including those in group Windsors), still have implicit access.
Bucket SS – There are no access control statements for the bucket, hence any user is implicitly granted
access.
Process license within Bucket SS, deny="Stuarts" – As above, the access control statement on the license
within the bucket augments that for the whole bucket (none), so any users in the group Stuarts are
explicitly denied access.
Consider Example 5 below, where groups are defined and the special AllLicenses and exclusiveAccess
keywords are used.
Example 5
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<Groups>
<Group name="AllLicenses" members="Stephen;Richard"/>
<Group name="Group1" members="William;Henry"/>
<Group name="Group2" members="Arthur;Group1"/>
</Groups>
<License name="UniSimDesign.Process" access="Group1"/>
<License name="UniSimDesign.Amsim" exclusiveAccess="John"/>
<License name="UniSimDesign.Crude" access="Group2"/>
</AccessControl>
Here Richard and Stephen are assigned to the special group AllLicenses which means they can access all
licenses (with exceptions noted below). William and Henry (Group1) can access the UniSimDesign.Process
license. Arthur, William and Henry (Group2) can access the UniSimDesign.Crude license.
Note the exclusiveAccess setting on UniSimDesign.Amsim; this supersedes any more global access rights
and assigns only the access mentioned. So for UniSimDesign.Amsim, only John has access and not Richard
and Stephen (even though they have been added to the AllLicenses group).
Note Example 6 below (here the license feature names SpecialLicense and ThisLicenseInAnyBucket are
made up to illustrate the effect of the settings):
Example 6
<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
<Groups>
<Group name="Group1" members="Charles;Henry"/>
<Group name="Group2" members="Arthur;Group1"/>
</Groups>
<AllLicenses access="Edward;Mary;Elizabeth"/>
<Bucket name="USDBucket1" access="Group1;William">
<License name="UniSimDesign.Process" access="Anne;George"/>
<License name="UniSimDesign.OLIInterface" access="Anne"/>
</Bucket>
<Bucket name="USDSpecial" exclusiveAccess="Victoria">
<License name="UniSimDesign.Dynamic" exclusiveAccess="Richard"/>
</Bucket>
<Bucket name="USDSpecial2" exclusiveAccess="John"/>
<License name="UniSimDesign.SpecialLicense" exclusiveAccess="John"/>
<License name="UniSimDesign.ThisLicenseInAnyBucket" access="Group2"/>
</AccessControl>
Here the users Edward, Mary and Elizabeth have access to all licenses in all buckets (using the new
<AllLicenses …/> syntax) with the exception of those licenses marked as exclusiveAccess below.
When defining access control for a bucket it is possible to set which users have access to all the licenses in
the bucket and to grant extra access to particular licenses within that bucket. So in this case Charles, Henry
(Group1) and William have access to all the licenses in USDBucket1. Additionally Anne and George have
access to the UniSimDesign.Process license and Anne has access to the UniSimDesign.OLIInterface license.
When the exclusiveAccess keyword is used for a license within a bucket then this supersedes the containing
access. So for the bucket USDSpecial, Victoria has exclusive access to all the licenses in the bucket except
UniSimDesign.Dynamic. Again because of the exclusiveAccess keyword, only Richard has access to
UniSimDesign.Dynamic regardless of access settings on the bucket or on AllLicenses.
Similarly the user John has exclusive access to all the licenses in bucket USDSpecial2 (this overrides the
AllLicenses access for Edward, Mary and Elizabeth).
Note that the example above has some “License name” definitions outside the Bucket definitions. This means
that the defined access is applied to the named license(s) regardless of their containing bucket. So
UniSimDesign.SpecialLicense is only ever accessible by the user John whatever bucket it appears in and
UniSimDesign.ThisLicenseInAnyBucket is always accessible by the members of Group2 whatever bucket it
appears in, unless access is prohibited by an exclusiveAccess keyword for the bucket or license within the
bucket.
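To see how the group definitions of Section 7 and the bucket, AllLicenses, deny and exclusiveAccess settings discussed above combine, here is an added Python model (not Honeywell code; the ULM itself is the authority on precedence) that parses an access control file and answers whether a given user may use a given license held in a given bucket. It embeds Example 6 from this document and a constructed file with the bucket and deny layout of Table 1 (the group members in that file are made up). Because the bucket a license lives in is fixed by the server license file (Section 5), the bucket name is supplied with the query rather than read from the access control file. The precedence it applies is a reading of the text: exclusiveAccess on the license, then exclusiveAccess on its bucket, then any deny list, then an AllLicenses grant, then the access lists on the license and bucket (the user must be on one of them if any exist; with none the license is implicitly open). Names are compared exactly; wildcard matching is not modelled here.

```python
"""Model of how the ULM combines access, deny, exclusiveAccess, AllLicenses,
bucket and group settings (added example, not Honeywell code)."""
import xml.etree.ElementTree as ET

# Example 6 from this document, embedded so the script runs offline.
EXAMPLE6 = """<?xml version="1.0" encoding="utf-8" ?>
<AccessControl>
  <Groups>
    <Group name="Group1" members="Charles;Henry"/>
    <Group name="Group2" members="Arthur;Group1"/>
  </Groups>
  <AllLicenses access="Edward;Mary;Elizabeth"/>
  <Bucket name="USDBucket1" access="Group1;William">
    <License name="UniSimDesign.Process" access="Anne;George"/>
    <License name="UniSimDesign.OLIInterface" access="Anne"/>
  </Bucket>
  <Bucket name="USDSpecial" exclusiveAccess="Victoria">
    <License name="UniSimDesign.Dynamic" exclusiveAccess="Richard"/>
  </Bucket>
  <Bucket name="USDSpecial2" exclusiveAccess="John"/>
  <License name="UniSimDesign.SpecialLicense" exclusiveAccess="John"/>
  <License name="UniSimDesign.ThisLicenseInAnyBucket" access="Group2"/>
</AccessControl>"""

# Constructed file with the bucket/deny layout of Table 1; the group members are made up.
TABLE1 = """<AccessControl>
  <Group name="Stuarts" members="James"/>
  <Group name="Tudors"><member name="Henry"/></Group>
  <Group name="Windsors" members="George"/>
  <Bucket name="UHX" access="Windsors"/>
  <Bucket name="SSandDyn" deny="Stuarts"><License name="UniSimDesign.Dynamic" deny="Tudors"/></Bucket>
  <Bucket name="SS"><License name="UniSimDesign.Process" deny="Stuarts"/></Bucket>
</AccessControl>"""


def _names(attr):
    """Split a semi-colon delimited access/deny/members attribute into names."""
    return [n.strip() for n in (attr or "").split(";") if n.strip()]


class AccessControl:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.encode("utf-8"))
        # Both group syntaxes: members="a;b" and nested <member name="a"/> elements.
        self.groups = {g.get("name"): _names(g.get("members")) + [m.get("name") for m in g.findall("member")]
                       for g in root.iter("Group")}
        self.buckets = {b.get("name"): b for b in root.findall("Bucket")}
        self.top_licenses = {lic.get("name"): lic for lic in root.findall("License")}
        # Legacy "AllLicenses" group (Example 5) and the <AllLicenses/> element (Example 6).
        all_elem = root.find("AllLicenses")
        self.all_access = self._expand(self.groups.get("AllLicenses", [])) | self._attr(all_elem, "access")
        self.all_deny = self._attr(all_elem, "deny")

    def _expand(self, names, seen=frozenset()):
        """Replace group names by their members, recursively; a cycle is simply not re-entered."""
        users = set()
        for n in names:
            if n in self.groups:
                if n not in seen:
                    users |= self._expand(self.groups[n], seen | {n})
            else:
                users.add(n)
        return users

    def _attr(self, elem, attr):
        """Expanded set of names in elem's attribute (empty when elem or the attribute is absent)."""
        return self._expand(_names(elem.get(attr))) if elem is not None else set()

    def allowed(self, user, license_name, bucket_name=None):
        """Decide whether `user` may use `license_name` held in bucket `bucket_name`."""
        bucket = self.buckets.get(bucket_name)
        in_bucket = next((lic for lic in bucket.findall("License") if lic.get("name") == license_name), None) \
            if bucket is not None else None
        # Rules stated on the license itself, inside its bucket or at top level (any bucket).
        lic_rules = [lic for lic in (in_bucket, self.top_licenses.get(license_name)) if lic is not None]
        for lic in lic_rules:                                  # 1. exclusiveAccess on the license
            if lic.get("exclusiveAccess") is not None:
                return user in self._attr(lic, "exclusiveAccess")
        if bucket is not None and bucket.get("exclusiveAccess") is not None:
            return user in self._attr(bucket, "exclusiveAccess")  # 2. exclusiveAccess on the bucket
        scopes = lic_rules + ([bucket] if bucket is not None else [])
        if user in self.all_deny or any(user in self._attr(s, "deny") for s in scopes):
            return False                                       # 3. an explicit deny always wins
        if user in self.all_access:
            return True                                        # 4. AllLicenses grant
        access_lists = [self._attr(s, "access") for s in scopes if s.get("access") is not None]
        return not access_lists or any(user in a for a in access_lists)  # 5. listed, or nothing listed


if __name__ == "__main__":
    ac = AccessControl(EXAMPLE6)
    for who, lic, bkt in [("Edward", "UniSimDesign.Process", "USDBucket1"),
                          ("Victoria", "UniSimDesign.Dynamic", "USDSpecial"),
                          ("William", "UniSimDesign.SpecialLicense", "USDBucket1")]:
        print(f"{who:9}{lic:38}{bkt:12}-> {ac.allowed(who, lic, bkt)}")
```

Run against Example 6 the model reproduces the outcomes stated above (Edward reaches UniSimDesign.Process in USDBucket1 through AllLicenses, only Richard reaches UniSimDesign.Dynamic, William is kept off UniSimDesign.SpecialLicense despite the bucket grant, and Group2 loses UniSimDesign.ThisLicenseInAnyBucket inside the exclusiveAccess bucket USDSpecial); against the Table 1 layout it reproduces the bucket-level and license-level deny behaviour. Where a real server disagrees with this model, PrintAllowedLicenses /v (Section 9) shows the lists the ULM actually applied.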
9 Troubleshooting
The PrintAllowedLicenses command line tool, available in the SimStation folder (typically C:\Program
Files\Common Files\Honeywell\SimStation) can be used to display all the licenses available to the currently
logged in user, and the bucket in which they are contained (displayed in brackets). It can be run on the client
or the server. When run on the client it shows all the licenses available on all the configured alternate hosts.
When run with the /v (verbose) switch PrintAllowedLicenses will display any access and deny lists for each
available license. PrintAllowedLicenses can also be supplied with a machine/user name to display the
licenses available for that machine/user. For full details run PrintAllowedLicenses /?.
If there is an error when the access control file is read by the ULM a message:
failed to parse AccessControl.xml.
is shown in the Admin Console Server Messages window (and in the diagnostic.log file).
When access is blocked by access control settings the usage.log (viewable in the Usage Monitor) shows a
failure message and the user sees the following license message (in UniSim Design on the Messages tab
of the Licensing Information window, accessible via the Tools menu Licensing option):
Reason: User does not have access.
10 Appendix – License Glossary
10.1 UniSim Design Suite
Table 2
Package – License(s) – Note
OLI – UniSimDesign.OLIInterface – Aqueous + Mixed Solvent Electrolytes
PIPESYS – UniSimDesign.Extensions.PIPESYS
UniSim Design (USD) Optimiser – UniSimDesign.HoneywellSQP; UniSimDesign.SelectionOpt
Exchanger Modeler – UniSimConceptual.H89C797859CO77MO78; UniSimConceptual.HI; UniSimConceptual.HI_ADM;
UniSimConceptual.HI_GRID