Access rules

Last modified: 09 December 2024

To restrict and fine-tune access to licenses within your organization, configure access rules and priorities.

How access rules work

In this section, you'll learn how licenses are distributed before any rules are created and how rules change user access.

Default license distribution policy

By default, before any rules are created, all authorized users have access to all licenses.

Rules help you restrict and fine-tune user access. Here's how it works:

If you create a rule for a specific user or profile:

These users and profiles only have access to the licenses specified in the rule.

If there are no rules for a specific user or profile:

These users and profiles have access to any available licenses. To restrict their access, you need to create a rule.

License distribution example

For example, let's say you have a single rule that grants User A access to PyCharm licenses. Here's how this rule is applied:

  • If User A requests a PyCharm license, they successfully obtain one.

  • If User A requests a CLion license, their request is denied because, according to your rule set, they are only allowed to use PyCharm.

  • If User B requests a CLion or PyCharm license, they successfully obtain one because there aren't any rules that restrict their access.

Enforcing a stricter distribution policy

You can enforce a stricter license distribution policy so that access is only granted to the users and profiles that are explicitly mentioned in your access rules.

If you do this, the semantics of your rules will change from restricting access to granting it.

If you create a rule for a specific user or profile:

These users and profiles only have access to the licenses specified in the rule. (No change here.)

If there are no rules for a specific user or profile:

These users and profiles don't have access to any licenses. To grant them access, you need to create a rule.

License distribution example

Going back to the example with a single rule that grants User A access to PyCharm, here's what will change:

  • If User A requests a PyCharm license, they'll still successfully obtain one.

  • If User A requests a CLion license, their request will still be denied.

  • But if User B requests a CLion or PyCharm license, their request will now also be denied because there are no rules that grant this user access to licenses.

warning

Before restricting global access, make sure to create rules that configure user access licenses. Otherwise, none of your users will be able to obtain licenses.

To restrict global access

  1. From the main menu, select Licenses.

  2. In the menu on the left, select Rules.

  3. At the top of the page, clear the Allow users that are not mentioned in the rules to get licenses checkbox.

    The global access checkbox on the 'Rules' tab

  4. Confirm your action in the dialog that pops up.

Adding access rules

This section walks you through the process of creating an access rule. Before you begin, make sure that you have configured user authentication.

To add an access rule

  1. From the main menu, select Licenses.

  2. In the menu on the left, select Rules.

  3. In the top-right corner, click Add rule.

  4. In the dialog that pops up, enter the name of your rule.

    The 'Edit New Rule' window

  5. In the same window, under Username or profile, enter the name of the user or profile to which this rule will apply.

    Start typing to see all available user and profile names on the suggestion list. If the name you're looking for is not on the list, check the existing users and profiles to make sure that you're typing the name correctly.

    Gif

  6. Click Next. This will take you to the Specify products tab of the rule settings.

  7. From the dropdown list, select the products you want these users to have access to. You can select multiple products.

    Selecting products in the rule settings

  8. Click Next. This will take you to the Test rule tab of the rule settings.

  9. In this step, you can check the effective permissions that will be granted to users based on your current set of rules, including the one that you're creating.

    To do so, select the user or profile and a product from their respective dropdown lists and click Check effective permissions.

    On the Result tab, you'll see whether the user or profile you selected is allowed to use this product.

    Checking effective permissions – the 'Result' tab

    On the Related Rules tab, you'll see which rules affect their current permissions.

    Checking effective permissions – the 'Related rules' tab

  10. If your rule has the effect you're aiming for, click Finish & Save Rule to save it.

note

Creating a rule that restricts a user's access to licenses does not automatically revoke any licenses this user has already obtained, even if they are no longer permitted to use these licenses.

You will need to manually revoke any such licenses from the user after creating the rule.

How multiple rules interact

Sometimes, more than one rule can apply to the same user. This can happen if:

  • You intentionally create multiple rules that include the same user by username.

  • The user belongs to multiple profiles, and separate rules exist for each group.

  • The user is included by username in one of the rules, but other rules apply to them based on their profile membership.

In this case, the user is allowed to obtain licenses for any of the products specified in the rules that apply to them.

For example, let's say you created a rule that allows User A to use PyCharm and then a second one that allows them to use CLion. In this case, User A will be able to obtain licenses both for PyCharm and CLion.

You can always check the effective permissions granted to any user or profile based on your current set of rules.

To check effective permissions

  1. From the main menu, select Licenses.

  2. In the menu on the left, select Rules.

  3. In the top-right corner, click Test rules.

  4. Select a user or profile and a product from their respective dropdown lists and click Check effective permissions.

    On the Result tab, you'll see whether the user or profile you selected is allowed to use this product.

    The 'Tests Rule' dialog showing the 'Result' tab

    On the Related Rules tab, you'll see which rules affect their current permissions.

    The Tests Rule dialog showing the Related Rules tab

Managing rules

As an IDE Services administrator, you can edit, disable, and remove rules.

To disable a rule

  1. From the main menu, select Licenses.

  2. In the menu on the left, select Rules.

  3. In the rule list, locate the rule you want to disable.

  4. Click on the toggle next to that rule, situated in the On/Off column.

    The toggle that enables or disables access rules in IDE Services

  5. The rule will remain on the list, but it will no longer affect the users' effective permissions. You can always re-enable it by clicking on the toggle again.

To remove a rule

  1. From the main menu, select Licenses.

  2. In the menu on the left, select Rules.

  3. In the rule list, locate the rule you want to remove.

  4. Click the menu icon with three dots next to the rule.

  5. In the menu, select Remove.

warning

Removing a rule cannot be undone. If you plan on using this rule again in the future, consider disabling it instead of removing it.

To edit a rule

  1. From the main menu, select Licenses.

  2. In the menu on the left, select Rules.

  3. In the rule list, locate the rule you want to edit.

  4. Click the menu icon with three dots next to the rule.

  5. In the menu, select Edit.

  6. To edit the rule, follow the same steps you followed when adding it.

Adding prioritized users

Add users or profiles to the priority list to ensure they can get licenses even if your team reaches the maximum license capacity.

How distribution priority works

As long as IDE Services has enough licenses for everyone, prioritized users are treated the same as everyone else.

Priority settings start working when all the licenses are taken. In this case, IDE Services denies requests from non-prioritized users. However, if a prioritized user requests a license, IDE Services revokes one from a non-prioritized user and transfers it to the prioritized user.

Whose license will IDE Services revoke?

IDE Services picks a non-prioritized user at random to revoke their license.

Can IDE Services deny a license request from a prioritized user?

A prioritized user's request can only be denied in one of the following cases:

  • IDE Services has no licenses that match the user's request. For example, if the IDE Services administrator only added PyCharm licenses, and the user requests a license for CLion.

  • All the licenses that match the user's request are already taken by other prioritized users.

  • Rules prohibit that this user obtains the requested license. Priority does not override rule restrictions.

To add or remove a prioritized user

  1. From the main menu, select Licenses.

  2. In the menu on the left, select Rules.

  3. At the top of the page, select the Priorities tab.

  4. In the top-right corner, click Edit Priorities.

  5. Edit the list of prioritized users and profiles.

    • To add a new prioritized user or profile, enter their name into the corresponding field.

      Start typing to see all available user and profile names on the suggestion list. If the name you're looking for is not on the list, check the existing users and profiles to make sure that you're typing the name correctly.

      Gif

    • To remove a prioritized user or profile, click on the x button next to their name.

  6. Click Save Priorities to save your changes.