Do I need a FIM 2010 R2 CAL for user identities that will only ever be sync'd? RRS feed

  • Question

  • Hi,

     I have 2 domains and I'm using FIM 2010 R2 for synchronization between them using CSV files. End users will never use the fim portal, only administrators will be using the FIM portal for configuring the sync rules and doing administration.

    Reading the FIM 2010 R2 licensing documentation it states that each user identity managed by FIM 2010 R2 requires a CAL, however it also states that CALs are not required if the user identities are only being used in sync rules (i.e. no portal access).

    In a scenario where I've setup independent forests and installed FIM in one to manage the import\sync of several thousand accounts, am I correct in thinking that I only need licenses as follows:

    1 x FIM 2010 R2 server license
    1 x Windows\SQL license as required by FIM
    small number # of CAL licenses for ADMINISTRATORS only
    0 x end user licenses (identities to be managed\sync'd by FIM)

    IT Support/Everything

    Wednesday, May 1, 2013 7:31 AM

All replies

  • It has always been my understanding that a CAL is required for any person identity that is in the FIM Portal, regardless of whether they will actually log in to the Portal or not.  The exception is when you only use the FIM Synchronization Service (no Service/Portal), the portion of FIM that equates to its predecessors MIIS and ILM. 

    If you're happy using classic synchronization rules (direct flows or .NET coded rule extensions), then you just need the FIM server license.  Once the FIM Service is installed and you set up the FIM MA, you need CALs to cover every user identity.  There is no supported way to exclude certain user populations from the FIM MA and thus the Portal, as Microsoft considers the FIM Service to be a mirror of the FIM Sync Service's metaverse.


    • Proposed as answer by Steve Kradel Wednesday, May 1, 2013 3:18 PM
    Wednesday, May 1, 2013 3:04 PM
  • Straight from the horse's mouth: "CALs are not required to synchronize identity information for users and administrators who are using only the Forefront Identity Manager synchronization service."
    Wednesday, May 8, 2013 1:48 PM
  • CALs are required for each identity that is in the FIM Service and Portal database (ie, users in the FIM MA). The exception is if these users meet the criteria for the external connector licensing.

    In the above, if you are not using the FIM Portal, you don't need the Administrator CALs. If you are, and your users exist within the FIM Portal, then you need end user licenses, regardless of whether your users login to the portal or not.

    CALs are not required if you don't use the FIM Portal. Just the server license.

    Or, such is my understanding.

    - Ross Currie | MCTS: FIM 2010 | Now Offering ECMA1->ECMA2 Upgrade Services

    • Proposed as answer by Ross Currie Wednesday, May 8, 2013 3:21 PM
    Wednesday, May 8, 2013 3:21 PM