User Hierarchies in the License Portal
The last issue of our KEYnote magazine explained how the License Portal can integrate the automatic creation of CmCloudContainers. We are now following this up with a look at different user levels. The License Portal could distinguish between lecturers and students at a university, between admins and regular users in a corporate setting, or between resellers and customers. These License Portal capabilities include the allocation of custom rights.
The users are arranged in a hierarchy, not limited to the two levels of the above example. This can go up to a wide chain of levels, such as resellers, client admins, and client users.
The individual levels are defined as groups. Depending on the user interface of the Portal, the displayed terminology can vary: One Portal might call them clients, another employees, and a third could call them students. The top-level groups in the hierarchy can only be created by a special user with “isvadmin” rights. Each group can have additional subgroups, which can be formed by any user with the “admin” rights in that group. There is no limit to the number of subgroups in a group, but every group has exactly one higher-up (parent) group or, in the case of top-level groups, none at all.
Users – ISV Admin
“In the beginning, there was ISV admin.” The initial user of the License Portal is created during installation and endowed with “isvadmin” rights. They can create new users, share their “isvadmin” rights, and create new top-level groups or new admins. They can see all users in all subgroups and they have the power to delete any user, except for themselves. Another ISV admin would be needed to do so and ensure that there is always at least one user with “isvadmin” rights.
Users – Group Admin
“isvadmin“ rights are global rights given to a user. All other active rights are assigned to a user in the context of a group. As standard, the License Portal uses the “admin” rights for a group; users with these rights can create or delete subgroups or additional users for their groups and subgroups.
Users – Group User
Group users are distinct from group admins. They are created by group admins and can only access themselves and the groups they are assigned to.
Users – User
Alongside group users, there are users not assigned to any group context. They are created either by an ISV admin, or they registered themselves via the License Portal. They only have access to their own account.
Upward Blindness – Downward Transparency
The core purpose of the License Portal is its ability to assign tickets and the licenses they embody to groups or individual users. The principal rule is that users cannot access any ticket higher up in the hierarchy. A user with “admin” rights has access to all tickets on their level and on the lower branches of the hierarchy. A user without “admin” rights can only access their specific level.
An ISV admin is always listed at the top and has access to all tickets through the hierarchy.
Tickets can be assigned as personal tickets for a user or as group tickets for a group. Any ticket can only ever be assigned to a single user; if it is assigned to a new user, care is taken to check whether the user making that transaction has the right to access both the current and the intended holder of the user. If that is the case, the ticket is moved, i.e. removed from the older holder and assigned to the new user. If the user has no such rights, the transaction is stopped immediately and an error message returned.
Tickets that are not yet assigned can be allocated to any new user. Again, the necessary rights are checked before the transaction is completed.
Visibility and Rights
The following visibility rules and rights apply:
All fundamental functions of the License Portal are available when it is configured for different levels, including all transactions like license activations or deactivations. The same goes for all user-related functions: Registering and removing users, displaying or editing user info, or changing or replacing passwords.
CodeMeter Cloud Support
One special aspect needs to be considered for CodeMeter Cloud Support. Since group admins can access the users in their groups or subgroups, they also have access to the users’ CmCloudContainers. They could reset the access data for these CmCloudContainers and, for instance, prevent users who have left the group from using the licenses in the Container. Group admins can also activate or deactivate licenses in the CmCloudContainers of the users assigned to them. This makes it easy and comfortable to move licenses from one user to the next. A user can download the credential file for a CmCloudContainer to distribute it offline to a headless system. This is particularly interesting if the software is run in virtual machines or container environments like Docker and if the license is to be preconfigured in the relevant template.
Expansion by Wibu-Systems Professional Services
The License Portal can be expanded by our Professional Service team, e.g. to allow resellers to create licenses or, more specifically, tickets. This is done by assigning additional custom rights, e.g. “create_ticket”. Users that have this right get access to the features they need to create licenses.
One project that our team completed for a partner organization added a filter for the products to allow the partner to create licenses for selected products. The resulting tickets are automatically assigned to clients of our partner; our partner only needs to create a new user for the client and the client can start activating licenses right away.
KEYnote 44 – Edition Fall/Winter 2022