This article contains the FAQ for Active Roles licensing.
From version 6.9, a physical license file is no longer required to install and configure Active Roles.
What has changed with licensing from 6.9?
With the release of Active Roles 6.9 we removed the requirement for the physical .asc license file to be installed on the product and in its place introduced the concept of metered usage. This is a move which aligns with some of the other identity management product offerings in the portfolio.
If I don't need a license, does that mean the software is free to use?
No, you must still purchase a license for the software to legally use the software.
Must I install an ‘.asc’ license file for Active Roles 6.9?
No, Active Roles 6.9 and later versions do not require a .asc license file to be installed.
Is there any formal license file of any other type?
No, Active Roles follows a trust model in which there are no product restrictions and there is no difference in the binaries between trial and a full production version of the product. The product must still be purchased and licensed to be used legally.
Is there is different set of binaries available for a trial/evaluation?
No, there is only one set of binaries.
Does Active Roles automatically communicate license data with One Identity or Quest over the Internet?
No, it does not.
Is there a way to exclude specific user objects from the Active Roles Server License user count, i.e. Service Accounts?
Active Roles Server License for Enabled User includes all accounts within the registered domain, falling under the definition of the Enabled User license. The legal definition of which can be found here:
NOTE: Versions 6.9, 7.1, and 7.2 only count enabled users as managed objects. This issue is logged as defect TF00766634 and is now properly reflected in version 7.3.1 to count all managed objects.
If you are using the Managed Person license model, it is possible to exclude specific objects (i.e. Users, OUs) by using the Policy called "Built-In Policy - Exclude from Managed Scope", which will make the objects Read-Only (Unmanaged).
Does a Lab or Development environment count against the licenses needed to run Active Roles in production?
No. The same licenses cover testing and configuration of one or more non-production environments in any scenario(s) designed to replicate production functionality.
Does the 'Enabled User' License model include users with disabled accounts?
Yes, the enabled user license model is defined in our legal documentation as followed:
"Enabled User Accounts are all the user accounts in the domain(s) to be managed by the Software, including, but not limited to, users' logon accounts, secondary accounts tied to users, administrative accounts, service accounts, test accounts, and iNetOrgPerson objects. The license quantity for Software licensed by this License Type must be at least the total number of accounts (regardless of account type) in the domain(s) or other logical group of accounts with which the Software is to be used."
Will a message be displayed if we exceed the license?
No messages will be displayed.
Do I still need to purchase Active Roles Licenses?
You must still purchase an entitlement to use the product if you wish to be legal and compliant.
Active Roles used to require that I licensed every User Object in the domain, what about now?
Active Roles 6.9 allows you to define the ‘scope’ of what is managed and will meter or count the actual usage of the product and display these statistics for you. If you were a previous Active Roles user then all unmanaged domains will become Managed Domains after the upgrade. If you wish to explicitly exclude parts of your domain then you must use the “Exclude from Managed Scope” policy to achieve this if you are operating on the Managed Person license model.
What about Unmanaged Domains from previous versions of Active Roles?
If you were a previous Active Roles User then within 6.9 there is no longer the concept of an unmanaged domain per-se, instead all unmanaged domains will become Managed Domains after you upgrade to 6.9. If you wish to explicitly exclude parts of your domain then you must use the “Exclude from Managed Scope” policy to achieve this of you are operating on the Managed Person license model.
How is usage measured and displayed?
Totals for Managed Objects are counted across all domains and ADLDS Partitions with current, average and maximum values being maintained for both.
Image 1: Managed Objects Statistics
Can I reset these counts?
No, these counters cannot be reset. They begin upon installation and persist indefinitely.
When do these counters begin gathering data?
They begin right after the point of installation/configuration.
How do I obtain licenses for Active Roles?
You would follow the same process you have in the past, contact your Account Team at One Identity and they can help provide you a quotation.
Can I use Active Roles for an Evaluation?
Yes, you can evaluate the product for 30 days, there is no difference in the ‘bits’ of the trial version and the live version.
If we don’t have a license, doesn’t that mean the software can be used illegally?
Yes. Software is often used illegally across a wide range of products. Active Roles delivers value to customers of a certain size, for whom typically, compliance is a huge issue. It is simply not worth their while to use unlicensed software with all of the legal implications that go along with such a compliance issue.
Why has One Identity made this change?
Licensing can be the source of many issues in a production environment, concerns over when a license expires, being under licensed, having to cope with seasonal fluctuations, transience in the domain environment etc.
By making this change we hope to have made the process of managing the customer’s environment much simpler, helping them to cope with seasonal changes and fluctuations, being able to easily see what is actually managing. Making ‘what-if’ changes to include new areas, to see what impact this may have from a licensing perspective and so on.
This approach allows for license true-ups as and when required on a periodic basis by having a meaningful discussion, likely around the time of maintenance renewal or as part of a more general review and can form a part of both any renewal process as well as the best practices of ongoing account management process.
Does Active Roles enforce any license constraints?
Because we no longer require an actual .asc license file, we are therefore not enforcing an actual limitation. However, we understand that customers may want or be required to confirm they are within policy in terms of their license, therefore should the customer wish to monitor the license counts, It is possible to build a policy which can be monitor any set levels to provide the necessary warnings for license overspill.
How does Active Roles know it is licensed in the correct domain?
Active Roles counts objects across all Managed Domains, barring any objects deliberately excluded by policy.
Image 2: Domains
Where can I find the usage data screen?
The usage data is surfaced on what used to be the license screen and can be found here:-
Image 3: Product Usage Statistics
How do we verify that we are not using a trial license?
There is no difference between the ‘bits’ for a trial and a full version of Active Roles.