Does it Make Sense to License tenfold Only for Parts of the AD?
tenfold allows you to manage and monitor access rights across systems automatically and always in compliance with applicable policies. But licensing tenfold only for certain parts of the Active Directory can lead to incomplete and possible faulty logs and reports. In this post, we are therefore going to lay out for you why partial licensing is possible, but not advisable.
EULA Regulation
tenfold’s End User License Agreement (EULA) stipulates that all physical, active IT users who are to be managed via tenfold must be licensed. Strictly speaking, this policy is not directly tied to the Active Directory. In practice, however, AD usually serves as the basis for licensing, as this is where most companies manage their users.
The physical, active IT users are usually congruent with the people managed in Active Directory. We therefore strongly recommend that you license tenfold for the entire AD.
The licensing obligation under EULA only applies to all physical, active IT users and not (in legal terms) to the Active Directory. User accounts that are either deactivated or which cannot be assigned to a person (e.g. system users, service accounts) do not have to be licensed.
tenfold Licensing Without AD Account
There are circumstances under which an employee may require a tenfold license even though he/she does not have an AD account. Example: Mr. X is logged on to the client via a collective user that is permanently logged on. Mr. X then boots the SAP-GUI and logs on using a personalized SAP user that is managed by tenfold. Mr. X therefore must be licensed, even though he does not have an AD account.
Partial Active Directory License
The question of whether it is necessary to license tenfold for the entire Active Directory comes up quite often, and the short answer is: no. On a technical level, it is indeed possible to exclude certain Active Directory objects from tenfold:
The scope within a domain can be restricted to include only specific organizational units (OUs).
In multi-domain environments, you can choose to not connect some domains to tenfold and thus exclude them entirely, meaning you will then not be able to manage them using tenfold.
Consequences of Partial Licensing
If tenfold is only licensed for parts of the Active Directory, this will have an impact on the scope of documentation. Objects such as users, groups and computers that are located in OUs or domains that are NOT managed by tenfold will not be imported and thus remain unknown to tenfold.
If these objects are then used in other objects which tenfold is aware of (e.g. users, groups, computers, file servers, Exchange or SharePoint), the objects not known to tenfold will not show up.
Watch Our Demo Video to See tenfold in Action!
Examples of “Invisible” Objects
Example #1: The group “g-citrix-excel” within an OU that has been imported to tenfold contains a group member, “mjohnson”, who belongs to an OU which has not been licensed and thus has not been imported to tenfold. When viewing the group “g-citrix-excel”, the user “mjohnson” does not show up because tenfold does not recognize him and therefore cannot break him down.
Example #2: The user “kmiller”, who is in an OU that has not been imported to tenfold, has privileges for a directory that is managed by tenfold. tenfold reads the directory during the scan, but is unable to display the user ID (SID; Security Identifier) behind the privileges, as it does not know the associated user. The user therefore does not appear in the directory report.
Conclusion
One of tenfold’s main objectives is to provide clear and concise access reports. So, while tenfold can be licensed only for parts of the AD, doing so will inevitably lead to problems regarding the reliability and authenticity of these reports. We therefore strongly advise against licensing tenfold only for parts of the AD.
Note:
The license agreement is subject to change without notice. This non-binding policy on tenfold licensing is not part of existing or future license agreements.