Layer7 Privileged Access Management

Expand all | Collapse all

CA PAM License count

Jump to Best Answer
  • 1.  CA PAM License count

    Posted 05-24-2018 11:24 AM



    We have bought CA PAM license for 3000 servers and 100 A2A.

    We want to integrate 2000 servers (linux/unix and windows) and integrate 100 applications (web + thick/desktop clients like sql clients, toad etc)


    For servers:

          And we would like to implement 1. Access to Target servers and 2. Password Management on all 2000 servers.

    For Applications:

          And we would like to implement 1. Access to Application and 2. Password Management on all 100 applications.


    How many license will be counted for the above implementation approach.


    Kindly help.




  • 2.  Re: CA PAM License count
    Best Answer

    Posted 05-24-2018 12:25 PM

    Hi Dina,


    CA PAM licensing for these items is based on which checkboxes you have selected for each device you create.


    There are 3 checkbox options when creating a device:

    1) Access (Enable this device to be able to use RDP, SSH, etc...)

    2) Password Management (Enable this device for Storing & Managing passwords)

    3) A2A (Enable this device for A2A)


    Checking any of these boxes will increment the number of licenses used for that type. A2A is licensed based on Device count, not based on "application" count.


    A2A will depend on how many separate devices you need to use it on and if they are already included in the 2000 above.

    - If these are included in the devices above, then you will only need 1 A2A license for each device that will use it because the Access/PM licences will already be counted.

    - If these are in addition to the 2000 devices, then you will need to add 1 to both Access & PM for each separate A2A device.


    Based on your question above, you would likely use:

    Access: 2000 - 2100

    Password Management (PM): 2000 - 2100

    A2A: 100 or less


    I am also concerned that you may not fully understand what A2A is designed for. A2A is meant to be installed on the application server to remove passwords from things like hard coded settings files. You specifically mentioned Desktop Clients, which would more likely be related to TCP/UDP Services than A2A. I would recommend reviewing the differences between these features to confirm you are going in the correct direction here. For reference, TCP/UDP Services are included in the 'Access' licensing, they don't require separate licensing like A2A.


    More on A2A: Integrate A2A Applications - CA Privileged Access Manager - 3.2 - CA Technologies Documentation 

    More on TCP/UDP Services: Create TCP/UDP Services - CA Privileged Access Manager - 3.2 - CA Technologies Documentation 



    Christian Lutz

    Sr. Support Engineer

    CA Technologies - North America