SecurID^® Discussions

setup1 is build with license1 which will have tokens with serial numbers

setup2 is build with license2 which will have tokens with serial numbers.

license2 will be having different serial numbers than license1.

so my question:

if i am export/import users with tokens from setup1, will it work in setup2 which is built on license2 which will have different serial numbers?

while setting up the primary appliance it asks for the license file, is it possible that we can use the same license files in 2 different setups in production.

in setup and configuration guide it is mentioned that:

• The Account ID must be the same for all licenses.
• The License ID (or Stack ID), must be unique for each license. You cannot install the same license twice.

what is the impact if  'Users with Assigned Authenticators'  is lesser than the user & tokens to be imported.

e.g. target setup has 1000 'Users with Assigned Authenticators'  limit but users and tokens to be imported system are approx. 2000.

Edward Davis‌

When your license limit is 2000, you can import as many tokens as you want, and you could connect to an LDAP Identity Source that contained 100,000 users, but only users that have at least one authenticator assigned; hardware or software token, Fixed passcode, or is enabled for OnDemand Authentication (ODA) or Risk Based authentication (RBA), that user counts against the 2000 active user license limit.

RSA sells two things; Active User Licenses (which is a count) and Authenticators (which are software or hardware tokens, Fixed passcodes, or ODA/RBA enabled users).  But confusion comes from RSA and how it names products, because when you enable an ODA/RBA user, which technically is an Authenticator, you do this with an ODA/RBA license.  Therefore you need an ODA/RBA license to enable a user who will then count against your Acitve User License Limit

000030005 - How to get an accurate active user license count in RSA Authentication Manager 8.1 using SQL 

Couple of points;

1. a User only counts once against the active User license limit, even if they have 3 tokens, a fixed passcode and are enabled for both ODA and RBA., i.e. they would be a single licensed user with multiple authenticators.

2. When you reach your active license limit you will not be able to assign any new users with any authenticator until you unassign authenticators from other users

3. You can sometimes exceed your active user limit if you import users and tokens in bulk, or restore a database from your 11,000 user license deployment into your 2000 user license deployment.  It will work, but you cannot assign any new users, and will have problems managing users and making changes that are not un-assigning tokens

4. expired tokens that are assigned to users, even former users still listed in your LDAP identity source count against your active user license limit.  You need to run clean up immediate or batch jobs.  We have seen some situations where the user in LDAP or AD, while still assigned an authenticator, gets moved in LDAP and renamed at the same time, so that RSA cannot find them.  They still count against the License limit.  If you only make a single change at a time in LDAP, RSA will still be able to find this user, but making multiple changes at once does not allow RSA to maintain the link nor does it allow RSA to unlink.  Call Support.

Hello Jay Guillette,

i was exporting users & tokens in small chunks to import to the new RSA which is having license limit of 1000.

when the import count exceeded 1000, it didn't let me import the tokens in new RSA instead it rollback the import job.

is it expected behavior, please clarify.

Thanks

Yes, because importing users with Tokens is like assigning tokens to users - if you are going to exceed your license limit the Security Console will prevent you from doing that.  You can keep authenticating existing users, but you cannot add new ones.  If you think the license count is wrong, have a look at KB 30005 above, to find out which if any are counted in error (users with expired tokens count, users who left your company and were removed from LDAP / AD will count until you run a clean-up job.)

But if the count is accurate, then you either have to increase your license limit or decrease the number of users with authenticators.

Thanks Jay Guillette‌