SharePoint 2013 Snippet: User License Enforcement

In MOSS 2007 and SharePoint Server 2010, it’s technically possible to set up an environment so that some users have the SharePoint Standard CAL and some users have the Enterprise CAL. Note the word “technically.” In order to get it to work and be compliant, you have to be extremely careful about how you structure your SharePoint environment and how you manage security. You have to make sure that none of your standard users are able to ever have access to any of the enterprise features. Ever. And you have to be able to demonstrate that you know who your standard and enterprise users are and show how you make sure that the security is implemented correctly to enforce those license levels.

In SharePoint Server 2013, implementing these mixed license environments becomes a lot easier using the new User License Enforcement functionality.

SharePoint Server 2013 uses claims based authentication by default. This means you can have claims tokens associated with each user and these claims are used to determine authorisation. What you would need to do is make sure you have a claim associated with your users which sets their license level (e.g. this user only has a standard license). You can then block features at runtime based on this token.

The upshot is that you can have a single site containing standard and enterprise features. Using these claims tokens, you can determine which users are able to see which of the features. Web parts using enterprise functionality will either not appear at all or show an error (depending on how the page was built).

In a similar manner to audience targeting, you can show parts of the page based on authorisation – which could be pulled in from AD groups using the user profile sync.

You can also use User License Enforcement to control access to things like Office Web Applications and Duet Enterprise.

Bill Baer has written a nice blog post about this.