Follow me on Twitter @AntonioMaio2

Friday, December 7, 2012

Understanding User License Enforcement in Microsoft SharePoint 2013

SharePoint has previously been (and with SharePoint 2013 still is) purchased through either a standard or enterprise CAL (client access license). The CAL that is purchased determines which features are enabled or disabled. There are also additional components that can be licensed for SharePoint from Microsoft on top of these CALs. Traditionally, customers had to purchase either standard or enterprise for all their end users. If features from the enterprise CAL would be accessed by only a very small number of users, that didn’t matter – customers still had to purchase the enterprise CAL for all their users. For some customers, this made SharePoint prohibitive to purchase simply because of the cost of licensing the enterprise CAL for every user, even though most would not be using the enterprise features.

Well, SharePoint 2013 solves that in a very elegant way by allowing customers to designate which users are entitled to enterprise CAL features and which are entitled to only standard CAL features. SharePoint also deals gracefully with the situation where a standard CAL user navigates to a page where an enterprise CAL feature is present.

Let’s start by talking about which features are available only to enterprise CAL licenses and which are available to standard CAL licenses. The following features in SharePoint 2013 are only available through an enterprise CAL license:
  • InfoPath Form Web part
  • Excel Web Access
  • Visio Web Access
  • PerformancePoint Filter, Report, Scorecard and Stack Selector
  • Indicator Details (deprecated feature – may be present when upgrading from 2010 to 2013)
  • Status List (deprecated feature – may be present when upgrading from 2010 to 2013)
  • Taxonomy Refinement Panel
  • Catalog-Item Reuse
  • Business Data Actions
  • Business Data Connectivity Filter
  • Business Data Item
  • Business Data Item Builder
  • Business Data List
  • Business Data Related List
  • Search-Driven Content (all web parts)


All other features are available through the standard CAL license.

The following components can be licensed for SharePoint from Microsoft separately:
  • AccessServices
  • BCS
  • Duet
  • InfoPath
  • PPS
  • Project
  • EntSearch
  • VisioServices
  • WAC (Office Web Apps)
  • ExcelServices
  • MySites

Enabling, Disabling and Validating User License Enforcement

By default, user license enforcement is disabled in a new deployment.  It must be enabled manually before you can begin assigning user licenses and having those licenses enforced.  Once it is enabled, then access to features is blocked at runtime for users that do not have the appropriate license… and of course, data about which features a user attempted to access is logged.

To get more specific, you need to enable user license enforcement using the PowerShell command:

Enable-SPUserLicensing

In fact, you simply need to do the following:

  • Click Start > … > SharePoint 2013 > SharePoint Management Shell
  • Enter Enable-SPUserLicensing and press Enter

You can check if user license enforcement is enabled by doing the following:

  • Click Start > … > SharePoint 2013 > SharePoint Management Shell
  • Enter Get-SPUserLicensing and press Enter
  • If user license enforcement is disabled it will return False, and if it’s enabled it will return True

To disable user license enforcement, simply do the same but at the command prompt call:

Disable-SPUserLicensing

It’s pretty simple.  In fact, SharePoint 2013 provides the following list of PowerShell commands to manage user license enforcement:


License Assignment and Enforcement

The license that is assigned to a user is based on their Active Directory group membership.  This is done by mapping an Active Directory group to a particular license category, and then adding the users that are supposed to have that license to the group.  There are 5 categories in total that can be mapped:

  • Standard
  • Enterprise
  • Project
  • Duet
  • WAC

You map a license category to an Active Directory group using the following PowerShell commands:

  • $stdLicenseGroup = New-SPUserLicenseMapping -SecurityGroup "CONTOSO\StandardCAL" -License Standard
  • Add-SPUserLicenseMapping -Mapping $stdLicenseGroup

Then you would do the same for the enterprise CAL group:

  • $entLicenseGroup = New-SPUserLicenseMapping -SecurityGroup "CONTOSO\EnterpriseCAL" -License Enterprise
  • Add-SPUserLicenseMapping -Mapping $entLicenseGroup

Then users that are only licensed to access standard CAL features would be added to the StandardCAL AD group, and users licensed for enterprise CAL features would be added to the AD group EnterpriseCAL.  Users that are not part of the EnterpriseCAL group will be denied access to those features.  Users can be part of more than 1 group, and the user license enforcement feature will check all mapped groups to ensure that the user has a sufficient license to access a particular feature.  Mapping the Standard CAL category might seem redundant since the SharePoint installation must at least have the standard CAL installed, but it is not.  If user license enforcement is enabled and a user does not exist in any mapped group, then they will not get access even to the standard CAL features.

So, if you’re going to use the User License Enforcement feature, planning of your license mappings is important, because a poorly mapped set of licenses or a poor assignment of users to AD groups will result in features being inaccessible to some users that should have access.

If a user that is only licensed for standard CAL features, so they are not part of the EnterpriseCAL group, comes across a page where an enterprise CAL feature is used, that feature will be hidden at run time.  In fact, SharePoint will display a nice message to the user inline in the page telling them that “…a license could not be found for this feature… please contact your administrator”.

The enforcement of the user license extends not only to site pages, document libraries and web parts, but also to the Web Part Gallery, so a user that is not licensed for a web part will not be able to add it to a page either.  Very nice!

In addition to mapping an AD group, you can also map a forms based role or even a claim to a user license.  The example above will map the Enterprise CAL license category to the AD group for the entire SharePoint farm.  If you wish to map it just for a web application, that is possible as well by using the web application cmdlet parameter.


Another Reason to Use Claims Based Authentication

This feature only appears to work in claims enabled web applications.  If your web application uses classic mode authentication, none of this works.

So, if you needed another reason to move to claims based authentication (other than the fact that the default in SharePoint 2013 is now claims based auth, and they’ve actually removed the configuration UI for classic mode auth) then here it is.  User license enforcement only works in claims enabled web applications.
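The two caveats above (users in no mapped group lose even standard CAL features, and enforcement only applies to claims enabled web applications) can be checked before enforcement is switched on. The script below is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module is available and uses a hypothetical group, SharePointUsers, that holds everyone expected to reach the farm.

```powershell
# Added example: pre-flight check, then map first and enable last.
# Assumptions (not from the original post): the ActiveDirectory module is installed,
# and 'SharePointUsers' is a hypothetical AD group containing all intended SharePoint users.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$licenseGroups = @{ Standard = 'StandardCAL'; Enterprise = 'EnterpriseCAL' }
$allUsersGroup = 'SharePointUsers'   # hypothetical

# 1. Enforcement only works in claims enabled web applications; report classic-mode ones.
$classic = Get-SPWebApplication | Where-Object { -not $_.UseClaimsAuthentication }
if ($classic) {
    Write-Warning "Classic mode web applications: $($classic.DisplayName -join ', ')"
}

# 2. Collect every user covered by a group that will be mapped (nested groups included).
$licensed = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($group in $licenseGroups.Values) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [void]$licensed.Add($_.SamAccountName) }
}

# 3. Users in no mapped group would be blocked from standard CAL features too.
$unlicensed = Get-ADGroupMember -Identity $allUsersGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and -not $licensed.Contains($_.SamAccountName) }
if ($unlicensed) {
    Write-Warning "No license mapping for: $($unlicensed.SamAccountName -join ', ')"
    return   # fix group membership before enabling enforcement
}

# 4. Create the mappings, then enable enforcement, then show the resulting state.
foreach ($license in $licenseGroups.Keys) {
    $mapping = New-SPUserLicenseMapping -SecurityGroup "CONTOSO\$($licenseGroups[$license])" -License $license
    Add-SPUserLicenseMapping -Mapping $mapping
}
Enable-SPUserLicensing
Get-SPUserLicenseMapping
Get-SPUserLicensing
```

Run it from the SharePoint Management Shell with an account that can read AD group membership; it stops before enabling enforcement if any intended user is uncovered.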

Logging

Whether user license enforcement is enabled or not, usage data is logged about which features a user accesses and which licenses they have.

If user license enforcement is disabled, then the log entries are simply mapped to the installed SKUs which are standard or enterprise.  So, a user accessing a SharePoint deployment that has the Enterprise CAL will be logged as an Enterprise CAL user.  If a user accesses a SharePoint deployment with the Standard CAL, then log entries will contain the Standard CAL for that user.  Only standard and enterprise are logged in this case.

If user license enforcement is enabled, then access to unlicensed features will be logged as ‘unlicensed’.  If a user belongs to more than 1 CAL group, a separate log entry will be added for each CAL pertaining to the user.  As well, user CAL and device CAL information will be included, so that the log contains the name of the user attempting to access the feature, along with their IP address.

Conclusion

Organizations that could not previously afford SharePoint for all their users will take another look.  Enterprises now have more options about how they license SharePoint and can restrict Enterprise features and other CAL based features to just specific groups within the organization, making deploying a SharePoint Server a much more reasonable investment.
