GXprotection 2000: Centralized licenses administration scheme

Unofficial Content

Introduction

The License Manager, that is, the tool that administers the licenses installed with a product using GXProtection 2000 (GeneXus, GXplorer, etc.), can be operated by any user with access to the product. In some cases it is advisable to have one user or a group of users act as license administrators and to restrict access for all other users.

As of GeneXus Protection Server version 1.4, a scheme for centralized license administration is available, which prevents unauthorized users from uninstalling and transferring licenses.

Description

Centralized license administration lets you define a group of users who are authorized to use the product (see Note 1) and a group of users who act as License Manager administrators, which prevents unauthorized users from uninstalling or transferring the licenses.

Note 1: In this document, "product" means any application that uses GXProtection 2000 (e.g., GeneXus, GXplorer, etc.).

Because GeneXus Protection Server is a DCOM application that runs under Windows NT/2000, the solution is based on the NT and DCOM security schemes.

Up to now, any user in the domain of the server hosting the GeneXus Protection Server could, taking licenses from that server, either use the product or perform any of the License Manager actions (Authorization, Uninstallation, Transference, Log Setting). No additional configuration was required.

This feature keeps that behavior for users who are not interested in secure license administration, so they need no extra configuration. In that case, just leave the property ‘Use Default Access Permissions’ marked in the ‘Security’ section of the ProtSrvService in DCOMCnfg (it is the default value).

Those who adopt this scheme to administer licenses must make some changes in the NT User Manager (on the server where the GeneXus Protection Server is installed) and in the DCOM configuration on the same server.

The following sections explain how this administration scheme works and detail the steps to configure the server.

User Groups

Basically, two groups of users must be defined: the Administrator group and a group made up of the application or product users.

The users in the Administrator group are the only ones who can handle the licenses of the corresponding server using the License Manager. That is, only they have permission to Authorize, Uninstall and Transfer the licenses.

The application users, if they are authorized, are able to:

  • see the information of the server licenses
     
  • configure where the licenses will be located (option Select Computer)
     
  • use any product which takes the licenses of that server.

If the user does not have permissions:

  • He does not see the information of the licenses. He cannot perform any action with them, either.
     
  • He cannot use any product which takes the licenses of that server.

Who is the administrator?

If there is a group of users in the NT (created using the User Manager) named ‘GXProtAdmin’, only the users belonging to that group will be able to handle the License Manager.
If there is not a group with that name, any user is the administrator.

Note: The group must have exactly that name (it is not case sensitive).

Who are the users?

They are the users added in DCOMCnfg with the right to access the application ‘GXPrtService’.
Either individual users or groups of users can be added. It can be any group of that domain, even GXProtAdmin if the intention is that these users are also able to execute the application.

Possible combinations

There are different access levels to the License Manager and to the product, depending on whether the groups exist and, if they do, whether they have been added in DCOMCnfg.

The different combinations are:

  1. If the group GXProtAdmin has not been created and the ‘Use Default Access Permissions’ is marked in the DCOMCnfg -> any user can access the application and anyone is the administrator (able to use the License Manager)
     
  2. If the group GXProtAdmin has not been created and permission is granted to a group X in the DCOMCnfg -> only that group can access the application and is also the Administrator (able to use the License Manager).
     
  3. If the group GXProtAdmin has been created and the ‘Use Default Access Permissions’ is marked in the DCOMCnfg -> any user can access the application but only the administrator can use the License Manager.
     
  4. If the group GXProtAdmin has been created and the group X in the DCOMCnfg is granted permission -> Only the users of the group X can use the application and nobody manages the licenses.
     
  5. If the group GXProtAdmin has been created and permission is granted to the group X and to the group GXProtAdmin in the DCOMCnfg -> users of the group X together with users of the group GXProtAdmin can use the application, but only the latter administer the licenses.

Note: If the group GXProtAdmin has been created EMPTY, nobody can administer the licenses.

Server configuration

These steps involve changes to the security settings of Windows NT/2000 and DCOM. Therefore, they must be carried out by a user who has those rights, for example the network Administrator.

  1. Install the latest version of GeneXus Protection Server. This setup installs the service ‘ProtSrvService’ in the NT.
     
  2. Create the group 'GXProtAdmin' and the application users group on the server using the User Manager, and add the corresponding users to each of them. The first group contains the administrators of the licenses and the second one contains the users who will execute the application.
     
  3. Execute DCOMCnfg on the server, select the application ‘ProtSrvService’ and mark 'Use custom access permissions' in the security section. Add the two groups created in step 2 using the Edit button.
     
  4. Restart the service ‘ProtSrvService’.

Considerations

Regarding step 2 of the section ‘Server configuration’:

  • If Windows 2000 is used, you must perform a ‘Log Off’ for the changes to take effect.
     
  • The group of application users can have any name, but the name of the administrator group must be ‘GXProtAdmin’ (it is not case sensitive).
     
  • If there is more than one product installed (e.g.: GeneXus and GXplorer) whose licenses are centralized in the same server, it is not possible to use the administration scheme for one product and not for the other.

Limitations

If the user is connected as ‘Local’ on the license server, then even when the group ‘GXProtAdmin’ has been created and the user does not belong to that group, he can handle the License Manager as if he were part of the group.
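
The access rules from ‘Possible combinations’ and the ‘Local’ limitation above, modeled as an added Python example (not GeneXus code) that can be used to check a planned configuration. The class, function and group names other than GXProtAdmin are hypothetical, the sample accounts are constructed, and keeping the DCOM access check for a ‘Local’ connection is an assumption the page does not address.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

ADMIN_GROUP = "gxprotadmin"  # the group name match is not case sensitive


@dataclass
class ServerConfig:
    # NT group name -> member user names (constructed data, not read from a server)
    groups: Dict[str, Set[str]]
    # None models 'Use Default Access Permissions'; otherwise the users and
    # groups added under 'Use custom access permissions' in DCOMCnfg.
    dcom_acl: Optional[Set[str]] = None

    def _groups_of(self, user):
        return {g.lower() for g, members in self.groups.items() if user in members}

    def admin_group_exists(self):
        return any(g.lower() == ADMIN_GROUP for g in self.groups)

    def can_use(self, user):
        """Use the product and see the license information."""
        if self.dcom_acl is None:
            return True
        acl = {p.lower() for p in self.dcom_acl}
        return user.lower() in acl or bool(self._groups_of(user) & acl)

    def can_administer(self, user, local=False):
        """Authorize, uninstall or transfer licenses in the License Manager."""
        if not self.can_use(user):  # assumption: also required when local
            return False
        if not self.admin_group_exists() or local:
            return True  # no group: anyone administers; 'Local': check bypassed
        return ADMIN_GROUP in self._groups_of(user)


def audit(cfg, users):
    """List findings for combinations the page describes as open or unmanaged."""
    findings = []
    if not cfg.admin_group_exists():
        findings.append("no GXProtAdmin group: every user with access is an administrator")
    elif not any(cfg.can_administer(u) for u in users):
        findings.append("GXProtAdmin is empty or lacks DCOM access: nobody can administer")
    if cfg.dcom_acl is None:
        findings.append("default access permissions: any user can use the product")
    return findings
```

Calling `audit` with combination 4 (GXProtAdmin created, only group X granted in DCOMCnfg) reports that nobody can administer the licenses, and `can_administer(user, local=True)` shows the membership check being skipped as described under ‘Limitations’.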

See also

GeneXus Protection Server

Enabling centralized licenses scheme - checklist