About SIMULIA Execution Engine Access Control Lists

The SIMULIA Execution Engine provides a means to limit access to specific data and information stored in the SIMULIA Execution Engine database. In particular, SIMULIA Execution Engine library objects (models and components) and job results can be protected with Access Control Lists (ACLs). An access control list contains a set of permission levels and names of users or groups.

No explicit administrative action is needed to enable the Access Control List feature. This feature is always available in the SIMULIA Execution Engine once you have enabled security. The ACL feature should, however, be configured as described in this section to achieve the default permission level that your organization requires.

This feature is not useful if each user cannot be distinguished and authenticated. Thus, the client authentication capability of SIMULIA Execution Engine is a prerequisite for using Access Control Lists.

The following permission levels are available:

  • ALTER. The user or group has full access to the object, including the ability to edit the object's permissions. The object can be fetched (copied to a local library), new versions of the object can be published to the library, and any version of the object can be deleted from the library.

  • MODIFY. The user or group has all the access granted by the ALTER level, with the exception of editing the object's permissions.

  • READ. The user or group can only load or use the object by reference. Although the model and its contents (components, simulation process flows, parameters, etc.) can be viewed and altered, and the model itself can be executed, no new versions of the model can be published to the library.

  • REFERENCE. This protection level applies only to models stored in the SIMULIA Execution Engine library. This protection level is a limited read access that provides information about the model inputs and outputs but does not provide any access to the model structure or internal configuration. If this level of permission is set for a user who incorporates a published model into another model, the content of the referenced model is available and it can be executed by the reference.

  • NONE. The user or group will have no access to the published object. Any model that references this object cannot be used.

Important: User names are case-sensitive.

For instructions on how to apply these permissions to library data and jobs, see Setting Default Permissions in the Isight User’s Guide.

An ACL system administrator can define new groups, add and remove users from groups, define default system-wide permissions, and add and remove other ACL system administrators. The Dashboard is used by the ACL system administrator to configure the ACL system settings. For more information on this interface, see Using the Dashboard.

The ACL system administrator should then use the Dashboard's Access Control tab to define the system-wide default permission settings. This tab is shown in the following figure.

[Figure: Access Control tab on the SIMULIA Execution Engine Dashboard]

Only an ACL system administrator will see the Access Control tab on the Dashboard. When the SIMULIA Execution Engine is first installed, the only users who are considered ACL system administrators are those who have been assigned the fiperadmin security role (see About Roles in SIMULIA Execution Engine). These users can add other ACL system administrators using the System Administration subtab; these users will have complete control over all published objects and assigned permissions in the SIMULIA Execution Engine but will not have any WebSphere administrative privileges.

The System Default subtab defines the permissions that will be applied to any object (model, component, job) that has no explicit permission for the requesting user.

For the most secure system, set All other users to NONE on the System Default subtab. This setting prevents any user from accessing data for which they have not been given explicit permission. Setting this value to ALTER gives all users access to all data unless the author of the data explicitly prevents it.
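The interaction between the System Default and case-sensitive user names can be checked with a small model outside the product. The following Python sketch is an added example, not SIMULIA code or a SIMULIA export format. The dictionary layout, object names and user names are constructed, the permission levels are assumed to form a linear order, and group entries are left out because group resolution is not described in this section.

```python
from enum import IntEnum

class Level(IntEnum):
    """Permission levels from this section, least to most access (assumed linear)."""
    NONE = 0
    REFERENCE = 1
    READ = 2
    MODIFY = 3
    ALTER = 4

def effective(acl, user, system_default):
    """Explicit entry if one exists, otherwise the System Default.
    The dict lookup is exact, matching the case-sensitive user names."""
    return acl.get(user, system_default)

def case_mismatches(acl, known_users):
    """ACL entries that match a known user only when case is ignored."""
    by_lower = {u.lower(): u for u in known_users}
    return sorted(
        (entry, by_lower[entry.lower()])
        for entry in acl
        if entry not in known_users and entry.lower() in by_lower
    )

def write_via_default(objects, known_users, system_default):
    """(object, user) pairs where MODIFY or ALTER comes only from the default."""
    return sorted(
        (name, user)
        for name, acl in objects.items()
        for user in known_users
        if user not in acl and effective(acl, user, system_default) >= Level.MODIFY
    )

# Constructed sample data: names and entries are illustrative only.
USERS = {"jsmith", "mlee"}
OBJECTS = {
    # "MLee" is a mistyped entry for "mlee", so "mlee" has no explicit permission.
    "wing_model": {"jsmith": Level.ALTER, "MLee": Level.READ},
    "solver_component": {"jsmith": Level.ALTER},
}

if __name__ == "__main__":
    for default in (Level.NONE, Level.ALTER):
        print("System Default =", default.name)
        for name, acl in OBJECTS.items():
            print("  ", name, "case mismatches:", case_mismatches(acl, USERS))
        print("   write access via default:", write_via_default(OBJECTS, USERS, default))
```

With the default set to ALTER, the mistyped entry leaves "mlee" with full access to an object where READ was intended. With the default set to NONE, the same mistake results in denied access instead.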