Advanced licensing
The Cardbox Server's standard licensing modes are flexible enough for most purposes and they require little in the way of setup. Sometimes, however, you may have more complex requirements, and this page describes one possible scenario with its solution.
How licensing normally works
Suppose that you have a Cardbox Server with some read-only and some read/write (Cardbox Professional) licences installed, and a population of Cardbox users who start off without any licences at all.
In that case, when a user connects to the Cardbox Server and opens a database,
- The Cardbox Server allocates one of the read/write licences to the user.
- If all the read/write licences are already in use, the user is not allowed to connect.
...unless the user opens the database using a read-only profile, in which case:
- The Cardbox Server allocates one of the read-only licences to the user.
- If all the read-only licences are already in use, the Cardbox Server allocates one of the read/write licences to the user.
- If all the read/write licences are already in use, the user is not allowed to connect.
Additional control with licence lending
You can also turn on the option "Lend Cardbox Professional licences to clients that have no licence" on the Licensing page of the Cardbox Server control (more details on page 24 of The Cardbox Server Book) and selectively turn on the corresponding option for licence borrowing on certain users' Cardbox Client installations. In that case, those users will automatically borrow a read/write licence from the Cardbox Server as soon as they start up. This allows them to create and manipulate databases on their own computers as well as on the Cardbox Server.
The disadvantages of this approach
This approach works perfectly for almost all installations. However, it does mean that anyone who knows the name and password of a read/write user profile is automatically entitled to use up a read/write licence on the Cardbox Server, and in a high-security setup this is not ideally secure, since a profile name and password are pieces of information that can easily be passed from one person to another.
Using a separate licence server
If you have two separate Cardbox Servers — let us call them the Cardbox Server and the Cardbox Licence Server — then you can set things up as follows:
- The Cardbox Server has all the Cardbox databases, and it also has the read-only licences.
- The Cardbox Licence Server has no databases, but it does have the read/write licences, and it has licence lending turned on.
Now you can have two classes of Cardbox users, privileged and unprivileged. The copies of Cardbox used by the privileged class are set up to borrow licences from the Cardbox Licence Server, and the other copies of Cardbox are not. So:
- When a privileged user connects to the Cardbox Server to open a database, he already has a read/write licence and does not need to occupy any licence on the Cardbox Server.
- When an unprivileged user connects to the Cardbox Server to open a database, he does not yet have a licence. Consequently the Cardbox Server has to allocate a licence for his use. Since the only licences installed on the Cardbox Server are read-only ones, this means that an unprivileged user can only ever receive the use of a read-only licence and so can only ever use a read-only user profile, even if a friend has told him the name and password of a read/write profile.
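The allocation rules above can be modelled in a few lines to compare the single-server setup with the split setup. This is an added illustration, not Cardbox code: the names `LicencePool`, `borrow_at_startup`, `open_database` and `compare_setups` and the licence counts are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class LicencePool:
    read_only: int = 0     # free read-only licences installed on this server
    read_write: int = 0    # free read/write (Cardbox Professional) licences
    lending: bool = False  # licence lending turned on for this server

def borrow_at_startup(licence_server: LicencePool) -> bool:
    """A client with borrowing enabled asks for a read/write licence at startup."""
    if licence_server.lending and licence_server.read_write > 0:
        licence_server.read_write -= 1
        return True
    return False

def open_database(server: LicencePool, profile: str, has_licence: bool = False) -> str:
    """Return the licence used for this connection, or 'refused'."""
    if has_licence:
        return "own licence"       # nothing is taken from the database server
    if profile == "read-only" and server.read_only > 0:
        server.read_only -= 1
        return "read-only"
    if server.read_write > 0:      # read/write profile, or read-only fallback
        server.read_write -= 1
        return "read/write"
    return "refused"

def compare_setups() -> dict:
    results = {}
    # Single server: read-only and read/write licences are installed together.
    single = LicencePool(read_only=2, read_write=1)
    results["single: shared rw profile"] = open_database(single, "read/write")
    # Split setup: databases and read-only licences on one server,
    # read/write licences and lending on the licence server.
    databases = LicencePool(read_only=2, read_write=0)
    lender = LicencePool(read_write=1, lending=True)
    privileged = borrow_at_startup(lender)
    results["split: privileged user"] = open_database(databases, "read/write", privileged)
    results["split: shared rw profile"] = open_database(databases, "read/write")
    results["split: read-only profile"] = open_database(databases, "read-only")
    return results

if __name__ == "__main__":
    for case, outcome in compare_setups().items():
        print(f"{case}: {outcome}")
```

In the split setup the shared read/write profile is refused because the database server has no read/write licence to allocate, while the same credentials succeed on the single server.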
Security
The security of this setup is no longer affected by users (accidentally or intentionally) revealing their profile details to one another. It does, however, rely on users not being able to change their own installations from unprivileged to privileged: that is, on users not being able to turn on licence borrowing for themselves. You have two main means of control.
- Licence borrowing is controlled by an .ini file in the Cardbox Client program directory. If you enforce read-only access to this directory, a user will not be able to change his own .ini file to enable licence borrowing.
- For licence borrowing to work, the user's Cardbox Client has to be able to communicate with the Cardbox Licence Server. In networking (TCP/IP) terms the Cardbox Licence Server is distinct from the Cardbox Server, so it is possible to configure a firewall to bar access to the Cardbox Licence Server while still giving access to the Cardbox Server.
There is nothing to stop you using both these means in combination.
Note, however, that there is no built-in way to prevent someone going out and buying his own copy of the Cardbox Professional Edition and attempting to connect to the Cardbox Server using it. If someone does this, your user profiles and their passwords will be your only remaining line of defence. On the other hand, you may have your own security policies that prevent the installation of unauthorised software on users' computers or the connection of unknown computers to your network and to your Cardbox Server: these, combined with user profiles and passwords, will mean that you are not entirely defenceless.
Setting up a licence server
The Cardbox Licence Server is physically the same program as the Cardbox Server, but it is set up slightly differently during installation. This page gives full details of how to do this.
The Cardbox Licence Server can co-exist with the Cardbox Server on the same computer, so you do not need to install a separate computer specifically in order to run the Cardbox Licence Server.