This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Active Roles AD How is this licensed?

Hi

I need to know how the licensing is worked out for Active Role


Is it per user? If so, is that enable user only ALL users?  What about other objects do they need a license?

 

Thanks in advance

 

 

  • The product is licensed by managed user object count.  Though typically, from a $ perspective, customers are asked to license for the number of employees in their organization as the number of "other" users is normally not that significant.

  • Thanks, is this ALL users account or just Enabled ones?  IE leavers left on the system

  • I would suggest you have a read through the AdminGuide (starting on pg 563 for version 6.9) where there is discussion of "Managed Object Statistics".

    To quickly summarize:

    1) There is a built-in scheduled task called "Managed Object Counter" that counts managed objects

    2) You can choose to exclude objects (i.e. their OUs) from being counted by the Statistics process by applying the policy called "Built-in Policy - Exclude from Managed Scope" to the OU(s).  So to your point about your "leavers", you could apply the above policy to the OU(s) containing these objects and your statistics would no longer count them.

    3) If you would like to be warned when you are reaching your managed objects limit (as determined by you), you can configure notification of this by a built in workflow called "Notification of managed object excess (Template)" found in Configuration | Policies | Workflow | Builtin

  • AFAIK, the license is expected to cover all enabled accounts, and does not distinguish between employee, service, generic, etc. And I would not expect Dell to be okay with excluding arbitrary OUs from that count. That said, I will confirm this with Dell, because on the off-chance that the previous posts in this thread are actually correct, then we can drop our own licensing by a couple of thousand enabled accounts that fit the above criteria.

  • Active Roles is licensed based on Managed and Enabled User Account objects.

    An "Enabled User Account" does not include inter-domain trust accounts, contacts, disabled mailbox-enabled user accounts in an Exchange resource forest. Computer object and Group object management also does not count against the licensing count.

    By default, all User Account objects are Managed. If you wish to exclude a Domain or one or more OU's from the Managed scope, use the "Built-in Policy - Exclude from Managed Scope" Policy.

  • Apparently this is not true anymore and "Enabled User Account objects" means "All Objects" https://support.oneidentity.com/active-roles/kb/134201/active-roles-licensing-faq .

    It looks like licensing terms changed without notice at some point few years ago and ARS 6.9, 7.1 and 7.2.X were consistent with what Terrance wrote.

    Is there a way to exclude specific user objects from the Active Roles Server License user count, i.e. Service Accounts?

    Active Roles Server License includes all "enabled" and "disabled" user accounts within the registered domain(s). This will also include any accounts designated as Service Accounts.

    Note: ARS v6.9, ARS v7.1, ARS v7.2.X count just "enabled" users as managed objects, this is a known issue (766634) that has been fixed in ARS v7.3.1.

    If you are using the Managed Person license model then it is possible to exclude specific Users, OUs, and Containers, you may use the Policy called "Built-In Policy - Exclude from Managed Scope", which will make the objects Read-Only (Unmanaged).

    Does the “Enabled User” License model include users with disabled accounts?

    Yes, the enabled user license model is defined as follows:-

    Enabled User Accounts are all the user accounts in the domain(s) to be managed by the Software, including, but not limited to, users' logon accounts, secondary accounts tied to users, administrative accounts, service accounts, test accounts, and iNetOrgPerson objects. The license quantity for Software licensed by this License Type must be at least the total number of accounts (regardless of account type) in the domain(s) or other logical group of accounts with which the Software is to be used.