You are viewing limited content. For full access, please sign in.

Question

Question

Managing licenses from a large AD Group

Licensing License Manager Directory Server Laserfiche
Updated March 9, 2017
asked on March 2, 2017 Show version history

I have a customer that has 160,000 accounts in a single Active Directory group. They only have 13,000-15,000 active users per year though, out of the 160,000. For business reasons they cannot and will not separate active users from inactive users in AD.

The customer is interested in purchasing a block of 25,000 community subscription users but does not want to actively manage accounts. They want users to log in through a portal, submit forms, and be able to have read-only access to documents. The portal authenticates through Active Directory Federation Services (ADFS).

With Laserfiche Directory Server, is it possible to grant access to the AD group, and then have community licenses allocated as the users log in? We do not want to sync the entire 160,000 users in the group.

My thought is that if we can add the large AD group, the as users log in the licenses will be allocated. At the end of the year the administrators can do a one-time de-allocation of licenses and start over again.

Is this possible with 10.2 directory server? Thanks in advance!

1 0

Replies

replied on March 2, 2017

Allowing ad-hoc allocation of licenses, and/or allowing "self-registration", is a functionality we are investigating, but is not currently supported.

Thank you for your use case: it will be helpful as we look into this feature.

A few questions, if you're willing:

  1. Is limiting the registration to the AD group the preferred/required method for determining who can or cannot receive a license? Other possibilities that have been mentioned
    1. A special link that allows you to receive a license, like sharing a doc in google docs
    2. Having an email address from an admin-specified domain
  2. Would you expect to have multiple "profiles" for receiving licenses? e.g., "Forms Authenticated Participant" for some, Full name user licenses for others
0 0
replied on March 9, 2017

Hi Brianna,

You said "Programmatically assigning licensing would be done through the LFDS API, which uses LicenseManagerObjects (LMO). We don't currently have documentation or policy on use, but we are working on both."

 

Which library call would allow us to expose this functionality?

 

Thanks

0 0
replied on March 9, 2017

LicenseManagerObjects.dll is the library you call into. As I said in that quote, we don't currently have any documentation on use of this library.

0 0
replied on March 3, 2017

Hi Brianna,

The use case is for a community college. They receive thousands of applications each semester through various sources, and they accept everyone. This leads to the large 160K+ AD group. The reason they don't do user management is that its too cumbersome to maintain, as students may come in for 1 semester, then not return for 2 years, then come back for 3 semesters, etc.

So to answer 1) Yes I think they would like to limit the education community users to this specific AD group. For 2) all of the users in that AD group would only be eligible for 1 license type - education community users.

I remember that in previous versions of Laserfiche you could add an active directory group (eg Domain\HR) and then any users in that group would be allocated named full users as they logged in, inheriting the license and rights through the AD group. Is that not the case any more with Directory Server?

Thanks again for all your help!

 

0 0
replied on March 8, 2017

What you are describing (assigning licenses to a group and having them allocated to users as they sign in) does not sound familiar, but I am investigating. We allow you to "trust" AD groups for login and have users inherit that, if that's what you're thinking of.

0 0
replied on March 6, 2017

Brianna,

Do you know if it would be possible with the SDK to assign licenses?

0 0
replied on March 8, 2017 Show version history

Programmatically assigning licensing would be done through the LFDS API, which uses LicenseManagerObjects (LMO). We don't currently have documentation or policy on use, but we are working on both.

0 0
replied on March 8, 2017

Thank you Brianna. Is the LFDS API included with the current 10.2 SDK?

0 0
replied on March 8, 2017

The LFDS API is not part of the SDK. The dll required to programmatically perform actions, LicenseManagerObjects is part of the LFDS installation. The packaging of documentation and samples has not yet been determined.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...