Unofficial Content
  • This documentation is valid for:

This document explains how to handle licenses in the GXprotection.

The License Manager, i.e.: the administrator of the licenses installed with the product using GeneXus Protection (GeneXus, GXtest, etc.), can be handled by any user with access to the product. In some cases, it is advisable to have one user or group of users acting as licenses administrators, thus limiting the access to other users. 

With GeneXus Protection Server there is a scheme for the administration of centralized licenses available, thus avoiding non-authorized users uninstall and transferring licenses.

Description

Centralized licenses administration allows defining a group of users who will be authorized to use the product1, and a group of users who will act as License Manager administrators, thus avoiding that non-authorized users uninstall or transfer the licenses.

Note1:  In this document, by product, it means any application using GXProtection (e.g.:, GeneXus, GXTest, etc).

As GeneXus Protection Server is a DCOM application that runs under Windows, the solution is based on the security scheme of Windows and DCOM.

Up to now, any user under the domain of the server containing the GeneXus Protection Server could, taking the licenses of that server, either use the product or perform any of the actions of the License manager (Authorization, Uninstallation, Transference, Log Setting). No additional configuration was required.

This feature intends to maintain the above for those users who are not interested in a secure administration of the licenses, thus avoiding unnecessary configurations. 

Those users who adopt this scheme to administrate licenses will have to make some changes in Windows User Manager (server where the GeneXus Protection Server is installed) and in the configuration of the DCOM in the same server.

Next, there is an explanation of how this administration scheme works and a detail of the steps to configure the server.

User Groups

Basically, two groups of users must be defined:

  1. The Administrator group.
  2. A group made up with the application or product users.


1. The users of the group Administrator are the only ones who can handle the licenses of the corresponding server, using the License Manager. That is, they are the ones who will have permissions to Authorize, Uninstall and Transfer the licenses.

2. The application users, if they are authorized, are able to:

  • See the information of the server licenses.
  • Configure where the licenses will be located (option Select Computer).
  • Use any product which takes the licenses of that server.

If the user does not have permissions:

  • He does not see the information of the licenses. He cannot perform any action with them, either.
  • He cannot use any product which takes the licenses of that server.

Who is the administrator?

If there is a group of users in the server (created using the User Manager) named GXProtAdmin, only the users belonging to that group will be able to handle the License Manager.
If there is not a group with that name, any user is the administrator.

Note: The group must have exactly that name (it is not case-sensitive).

Who are the users?

They are the ones inserted in the DCOMCnfg with the right to access the application "GXPrtService".
In that case, either individual users or groups of users can be inserted. It can be any group of that domain, even the GXProtAdmin if the intention is that these users are also able to execute the application. By default, a group named GeneXus Remote Protection Users is created when you install the Protection Server and can be used to define the corresponding users; it is recommended but not mandatory.

Server configuration

These steps imply changes in the security of Windows and DCOM. Therefore, some user who has those rights, for example, the network Administrator, must carry them out.

  1. Install the latest version of GeneXus Protection Server. This setup installs the service "ProtSrvService".
  2. Configure the GeneXus Remote Protection Users group in the server using the User Manager, and add the corresponding users. It is meant to contain the users who will execute the application. The GeneXus Remote Protection Users group, it is already created by default when you install the Protection Server.
  3. Then, if you want to have administrators, you must set up a new group in the local Users and Groups configuration, called GxProtAdmin (not case-sensitive). Here you must add the users you want to administer the licenses. They must also belong to the group that was previously configured in the application permissions. Note: If the group GXProtAdmin has been created EMPTY, nobody can administer the licenses.
  4. Execute the DCOMCnfg in the server. To do it, you have to run DcomCnfg in the Windows Run command, and it shows the Component Services folder:

Component Services in Run command of Windows

Enter the DCOM Config folder. It will show you the following list:

DCOM Config folder Protection Server configuration

Search for ProtSrvService and Doble click on it. The following ProtSrvService Properties window will open:

Protect Services Properties window to configure Protection Server

Go to the Security Tab and select "Customize" in the Launch and Activation Permissions section. Click on the "Edit" button and the following window will be shown:

Launch and Activation Permission Protection server configuration

Then click on the "Add..." button and add the local group GeneXus Remote Protection Users. For this group, only the Remote Activation permission is configured.

        5. Restart the service "ProtSrvService".

(More information here)

 

Considerations

About the step 2, section "Server Configuration":

  • You must restart the computer and carry out a Log Off for the changes to be taken into account.
  • The name of the group Administrator must be GXProtAdmin (it is not case-sensitive).
  • If there is more than one product installed (e.g.: GeneXus, GXtest, Java, WorkWithplus) whose licenses are centralized in the same server, it is not possible to use the administration scheme for one product and not for the other.

Limitations

If it is connected as Local to the license server, the group GXProtAdmin has been created and the user does not belong to that group, he can handle the License Manager as if he were part of the group.

See also

GeneXus Protection Server
Enabling centralized licenses scheme - checklist
Setting user permissions using remote licenses

 

Last update: February 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant