Question

WebLink Portal Licensing For Entire Organization

asked on April 11, 2014

I am working with an organization that has the 25 user public portal license and then Rio licensing for full licenses.  They have 20+ people that have a full license assigned to their AD account via License Manager.  They want to have all 600+ employees have access to WebLink via Windows Authentication. They have an AD group that contains All Employees that we can add and then set the group to "Only allow read-only access" in the admin console.  If we do this though, the 20+ users with full licenses who are also a member of this All Employees group will get set as Read-Only.  

 

For large organizations that have employees constantly being hired it can become quite tedious to maintain an AD group to just control this read-only access.  Is there a better way to handle these licenses so that everyone can use Windows Authenticated WebLink without having to maintain unique groups for the two types of licenses?  Why doesn't the full-license trump the "allow read-only access" permissions since they have bought and assigned a full license anyways?

5 0

Replies

replied on January 19, 2015

Hi there,

I work for a police service and we have the same issue.  All our officers use Weblink Public Portal.  We also have Device Licence users.  One in particular has to be able to use Weblink Public Portal when sitting at computer A, then use Laserfiche Client with more privs when sitting at computer B (with device licence).  So, there is no user licence involved her.  We are using Active Directory for our accounts.  I tried to put her in the 'Officer' active directory group, and the 'ABCClient' active directory group, but the 'read only' seems to override everything and she can't do her work when on computer B.

Any suggestions?  By reading through here, this seems like a common issue.

2 0
replied on February 3, 2015

This is a common issue and the root of the problem is that to authenticate to WebLink without having a full user license, the user essentially must have the Only allow read-only access box checked or inherited.  This appears ok as you'd think this would only grant them view access but essentially it Denies everything else.  Since Laserfiche rightfully lives by the rule that Deny will always trump Allow, the user can never have more than view access.  What would resolve this is if this box just allows them view access and any type of better license (full user or device) that the user has or inherits would trump that.  This would solve the two major issues that come from the current design:

  1. Having a user utilize a device license at one pc and authenticate via WebLink at all others
  2. Grant an entire organization the right to authenticate via WebLink without having to micro manage the group to keep licensed users separate

I am hoping this is resolved in future versions, especially as the LFDS continues to grow and take over more of the licensing functionality.

3 0
replied on April 16, 2014

Why does WebLink require that "Only allow read-only access" be checked in the 1st place? Why this limitation? It prevents us from taking advantage of the Named Device license to allow some users to do occasional work (a few times a year) in LF client. If there are 30 people like this, we have to buy 30 Named User licenses while one machine with a Named Device license would be enough to cover all those 30 users that rarely have to go in LF client or QuickFields.

Can this requirement (to check "Only allow read-only access" for a user to be able to use WebLink) be removed?

 

Thanks

1 0
replied on April 29, 2014

Actually, 'Only allow read-only access' only needs to be checked for accounts logging in through the Public Portal (unlicensed) connections. Any account with a named user license allocated to it (full or retrieval) can always connect through WebLink regardless of the state of that checkbox.

1 0
replied on April 29, 2014

I understand that, but for a user who uses WebLink on a daily basis, and only occasionally needs to go to a designated workstation (that has a Named Device license) to do work say, in LaserFiche Client, twice a year, then this can't work.

 

A user who *never* uses WebLink can do that as 'Only allow read-only access' is *not* checked for his account. Nor does he/she have a Named User license.

But the user who *does* use WebLink, cannot use this workstation as it will not allow him/her to acquire a read/write license as the Named Device licence is intended to. That's where this checkbox breaks things.

 

And it is why I'm asking: is the check box really necessary and can it be simply removed? It's kind of obvious that a user logging in to WebLink will only be given a Retrieval (public portal) license. I don't see the need for the check box.

 

Thanks

0 0
replied on April 29, 2014

The confusion here is basically one of license policy. The premise of a named device is that the licensing model allows allocating to the machine instead of the user if the user only ever logs in through that machine. Once that user is logging in through another system/machine (WebLink in this case), that's no longer the case and they will need their own named license. They could of course log into Public Portal as a public user, it's just authenticated directory users from multiple machines are going to require their own named user license allocation.

 

Since this sounds like a license policy question at this point, I'd recommend talking to your reseller or account manager who would be better able to address your specific scenario.

0 0
replied on May 3, 2014

Hi Justin,

 

I have a similar usage case for a secondary education college.

They have 400+  students who infrequently would download documents via Weblink. Each student is only permitted to see their own documents so a LF user account and password must be entered as Weblink login.  The students are not stored in AD or an LDAP source.

 

There are about 25 teachers and admin staff who will be Named Users who will add documents to the LF repository for the 400+ students to access by Weblink portal only.

We are proposing to use LF Portal license for the students (not Named or Read Only) and 25 Full named users for the teachers.

 

Can this work?

Do we need unlimited portal license?

Is there a better way to license this scenario?

What is the easiest way to create the student accounts in LF?

 

Many thanks for your help on this.

0 0
replied on May 16, 2014

Hi Warren,

 

Sorry about the delay in response, I've been on vacation since you posted this.

 

So long as the students never need to modify anything, there should be no major issues here - so long as they are logging into WebLink through an account flagged as read-only, they will use portal licensing and do not need to have their own named licenses. Since the students are a) not stored in AD or LDAP and b) the students need to have a specific account to see their own documents, you'll need to generate Laserfiche username and password accounts for each of them on the repository. There are ways to automate this in some fashions, but it will need to be handled. There are no licensing issues beyond that though (again, so long as you flag those accounts as read-only or put them all in a group flagged as read-only), you just need to create the accounts themselves and set up the security for them. 

 

You can copy/paste or export/import user definitions through the Laserfiche Administration Console. My suggestion would be to create a standard user account and export it. That will give you an xml file where you can then clone them and enter the specific information and then import that back into the administration console. It's still going to be a bit of a pain, but it's easier than going through the UI one by one. Since there's nothing to lookup against though, there's really not much else to do. You can use Workflow to set up secured folders corresponding to each of these users automatically, so you shouldn't need to do that manually (actually, you might be able to also do the user creation in workflow as well, but that might require WF scripting).

 

Whether or not you need an unlimited portal license has to do entirely with how many people will be accessing WebLink at any given time, not the number of users. If you think only 10 users will need to access WebLink at any time, then you can use a 10 user portal license. If an 11th tries to access though, they will be unable to. So that one just comes down to your expected concurrent load. Since it's 'infrequent', you probably don't need unlimited, unless it's always going to be every student at the same time.

 

Again, sorry for the delay in response, hope this is still helpful.

0 0
replied on May 18, 2014

Hi Justin,

 

We will modify the User list.xml as you have suggested.


Many thanks for the reply and guidance on Weblink licensing.

regards

Warren Cook

 

0 0
replied on May 20, 2014

Hi Justin

 

In 9.0.2 LFAdmin Console, when I right-click on Named Users and Devices, I get an Export List option.

But that only allows to save the list as either .TXT or .CSV. No .XML.

 

Also, where do we import?

Thanks!

0 0
replied on April 29, 2014

I ran into this exact scenario. Thousands of users that only need to access company documentation once a year. We had the same confusion about trying to configure A/D. It certainly is an unusual scenario and I prefer to use weblink only for custom public projects like embedding documents into the corporate webpage or public forms.

 

On the other hand, there are many other options in Laserfiche to distribute documents outside your licensed repository. You could configure a request server to temporarily briefcase the document to a public/private repository, export to a secure location for the requester, or display the document on a form.

1 0
replied on January 14, 2016

I agree with the fact that it's somewhat ridiculous to manage a separate group for users who require Weblink access. We have about 8000 users and of course a public portal license. Instead of having a group and everyone part of that and that we have to keep managing, I just made the "everyone" group in Laserfiche marked as read-only. This eliminates the need for the group, but that means everyone who is a RW user now needs the "manage trustees" right in order to override that read-only setting on the everyone group.

It seems somewhat ridiculous that if you have an unlimited public portal license for instance, that Weblink (being a read-only product anyways) needs to check if the user has that checkbox enabled. If you have that public portal license, everyone should be able to just login by default (as long as they have permissions) since there's no "license" that each user needs. If you have the limited public portal license, then have Weblink check for that "read-only" box so that you can limit what users can potentially use that license. Another option you could do instead is if you have a large number of public portal licenses, maybe make a "deny" checkbox that you can add users to a group and assign that right. That way you would be only managing a smaller number of users.

1 0
replied on April 29, 2014

I am still hoping to hear something from Laserfiche on the best practice for allowing an entire organization of 3000+ employees to use WebLink via Windows Authentication without having to maintain an ever changing AD group of who should pull the read-only WL license vs. who gets a full license?

0 0
replied on April 29, 2014

You're correct that there isn't a good way to do this. That's because this isn't really the intent of Public Portal (note the Public there in the name). While directory authenticated users can log into WebLink, the system isn't designed for that as a primary function, so our user automation tools are not optimized for that case. The intended approach for managing an ever-changing set of internal read-only users would be to use Rio Retrieval Named User licensing, and we do have tools for your exact scenario in that case. License Manager AD Synchronization rules allow you to specify the level of granularity you are trying to do here - that is, automatically update and grant most users retrieval access based on their domain group setup without impacting those users to whom you specifically want allocated full named user licenses to. As of Laserfiche 9.1, Directory accounts that are allocated Retrieval Named Users do not also need to be individually added with 'Only allow read-only access' checked - you can simply take your All Employees Domain Group with the checkbox unchecked and those users allocated Retrieval Named Users will automatically log in as named users. So basically there is in fact a completely automatic method to do exactly what you are trying to do, just not as 'public' portal users.

 

Note also that you do NOT need to be flagged with the 'only allow read-only access' checkbox to log in through WebLink as an account with a Named user license, full or retrieval. That checkbox is only relevant if you are logging in as a public portal connection (that is, an account without an allocated license).

0 0
replied on April 29, 2014

So you are suggesting that a company with 10,000+ employees should buy retrieval licenses for all 10,000+ employees if they want them to use WebLink? Then we have to assign licenses to all employees, minus those that get full licenses, and thus are still having to maintain a separate AD group for the retrieval license users. Not to mention they have to purchase all of these retrieval licenses when the processor based public portal license would allow all of these people in. These people get in once or twice a year so it hardly seems worth it to pay for these licenses for limited access anyways. Why can't a full license assigned to an AD account trump a public portal license in WebLink if connecting in via Windows Authentication? It's not like they didn't pay for the full license.

0 0
replied on April 29, 2014

For questions on pricing and license policy, please talk to your RM. My point is simply that we do have tools to do exactly what you want, based on how the products and licenses are intended to interact with each other.

 

You would not need to maintain a separate AD group, the Rio License Manager sync rules will allow you to customize it exactly as you want and still maintain a single group in the repository.

0 0