This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
DanielBruss
Contributor
Contributor
‎2019-01-28 01:19 PM

AM 8.3 Licensed User Count

Jump to solution

I have an Authentication Manager system running 8.3 P01 that has a licensed user count of 55 users spread across four different licenses (one has 25 users and the other three all have 10 users).  Our system also shows a total of 75 tokens - 50 assigned and 25 unassigned.  However, when we pull up our License Status screen, we are seeing our Limit being reported as 55 (this seems correct based on our four installed licenses) but we are also seeing 55 for the Actual count.

 

With only 50 tokens assigned, how can I find out where the other 5 user licenses are being consumed?  Based on a tech note that I read, I did run a Users report to look for any users that might have had a Fixed Passcode assigned to them but every user had FALSE under that column so I'm not sure where else to look for the 5 missing licenses.

 

 

Thank you!

Daniel

Labels (1)
0 Likes
Reply
1 Solution

Accepted Solutions
EdwardDavis
Employee
Employee
‎2019-01-28 02:34 PM

Jump to solution

On-demand, or risk-based questions would take up license slots.

 

Or....

 

You may have unresolvable users with tokens assigned. This would be if you had users in ldap (active directory) and they had tokens assigned, but they are no longer findable in ldap. The token is still assigned, but you cannot see anything about these items unless you check for unresolvable users.

 

Security console, setup, identity sources, cleanup unresolvable users.

Uncheck the 7 day grace period, hit next for a preview of unresolvable users.

 

Any users listed here, might still be taking up a license slot if they have an authenticator assigned...and if you can verify why they are here (yes we moved users out of this space, or these users no longer work here and need tokens) you can run a cleanup and this can reset active users on license to something more, or completely, accurate. Make a backup before running a cleanup in case you need to revert back. A cleanup will put any tokens that were assigned to these orphaned names back to the unassigned token pile.

View solution in original post

0 Likes
Reply
4 Replies
EdwardDavis
Employee
Employee
‎2019-01-28 02:34 PM

Jump to solution

On-demand, or risk-based questions would take up license slots.

 

Or....

 

You may have unresolvable users with tokens assigned. This would be if you had users in ldap (active directory) and they had tokens assigned, but they are no longer findable in ldap. The token is still assigned, but you cannot see anything about these items unless you check for unresolvable users.

 

Security console, setup, identity sources, cleanup unresolvable users.

Uncheck the 7 day grace period, hit next for a preview of unresolvable users.

 

Any users listed here, might still be taking up a license slot if they have an authenticator assigned...and if you can verify why they are here (yes we moved users out of this space, or these users no longer work here and need tokens) you can run a cleanup and this can reset active users on license to something more, or completely, accurate. Make a backup before running a cleanup in case you need to revert back. A cleanup will put any tokens that were assigned to these orphaned names back to the unassigned token pile.

0 Likes
Reply
EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2019-01-28 02:35 PM

Jump to solution

Daniel Bruss‌,

 

Please review the steps in https://community.rsa.com/docs/DOC-47027 and let us know what your reports say abut fixed passcode and token assignments.

 

Regards,

Erica

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to EricaChalfin
‎2019-01-28 05:18 PM

Jump to solution

If you cannot find the easy fix based on Ed's suggestion to check ODA and RBA users, there's a variation on the KB Erica's recommended that might identify who got counted that you do not want counted, you can look at 

https://community.rsa.com/docs/DOC-45944 

 

I would bet that 5 or so people who were in an external Identity Source somehow got 'lost' by Authentication Manager, typically by multiple changes at the same time (e.g. moved to new ou in addition to name or domain name change affecting their DN distinguished name), so they used to count, but now RSA can't see them, and they still count but you have to clean them up.  Call in a support case if you need help here.

0 Likes
Reply
DanielBruss
Contributor
Contributor
‎2019-01-28 05:57 PM

Jump to solution

Thank you everyone for your quick responses!  Ed's suggestion did the trick.  Before I posted, I ran a check for Unresolved users but I left the grace period enabled since I wasn't entirely clear on what that was used for.  After reading Ed's suggestion, I went back and re-ran the Unresolved check with the grace period unchecked and sure enough, I found 10 user objects that were no longer in our internal directory.  I purged those out and 5 of them must have been holding on to something because our license count then went down to Limit 55 and Actual 50.

 

Thank you again for taking the time to read my post and for offering such good advice!

 

 

Regards,

Daniel

Reply
© 2022 RSA Security LLC or its affiliates. All rights reserved.