Rich (Customer) to rsaSFDCadmin (RSA): asked a question.

Software token license. per user or per environment
Hi,
Customer has SecurID installed in a dark site. No internet access, no self
service from outside. Let's say 10 software tokens have been purchased and
installed on the SecurID server. Auth agent set up on Windows server, iPhone
as the authentication device.
It all works, all is good.

Customer would like to do the same in production. Customer understands that
the 10 tokens they purchased are per user, not per environment.
Customer understands they can simply build a new server, and import the same
10 software tokens in prod and go through the process of assigning them again.

Technically this would work as the dark site has no comms anywhere so there is
no way to know they had ever been deployed or activated.

Customer says they were told the token was for a physical person, if that
person happens to need access to two environments, so be it, it is the same
user.

I would have thought you would need very much a separate set of 10 tokens and
licenses for each environment. However this was conjured up between the
customer and a salesman and I feel things may not be so clear cut.

What I need if anyone can help, is RSA documentation on the licensing for the
tokens to make it clear that a token is linked to a person, not an
installation, or location. Or, that it is absolutely one user per environment.
I can find information that one user can have several tokens assigned to them,
but I can't find where it details the limitation of a token license.

Many thanks

  • jay.guillette (RSA SecurID)

    Technically this could work, but any synchronization between the dark and
    public sites is strictly manual. I have not seen any documentation on this,
    and as Support guy I don't necessarily care. I do know that legally a
    customer can run a Prod and a Dev/Test site (realm) with same users and same
    tokens. So I would say between that and what Sales guy said, this is legal at
    least until someone higher up the chain says no.

    By "any synchronization between the dark and public sites is strictly manual"
    I mean they are like ships in the night, unaware of each other, at least
    before radar. If there was a desire to keep things in synch, that would
    require a conversation and some planning, but basically you would need to
    designate one side / realm as the boss or master and you would 'manually'
    synchronize from this site to the dark site, by backing up or exporting
    users & tokens to a removable file device like a USB thumb drive. If you use
    backup from Ops Console, both sites need to be same version and patch of AM.
    Selected as Best