Zero-footprint: Accounts and Privileges

FlexNet Manager Suite 2020 R1 (On-Premises)

In the Zero-footprint case, when the FlexNet inventory core components (installed as part of the FlexNet Beacon code base) reach out to gather hardware and software inventory from remote target inventory devices, there are accounts required on both the local inventory beacon and on the remote target device.

On the inventory beacon, no separate account or privileges are required for the inventory beacon to exercise the Zero-footprint case: the FlexNet Beacon itself must be executed by a service account able to log in as a batch job, and to run scheduled tasks (and, if the inventory beacon is running IIS, to run IIS application pools). This same account executes the remote discovery and inventory collection tasks.
Tip: A service account configured for the above privileges does not normally allow interactive login. Accessing the FlexNet Beacon interface on an inventory beacon requires a separate account with local administrator privileges.
One of the first actions when Zero-footprint inventory gathering is triggered is to configure software on the target inventory device to complete the inventory gathering action (the methods vary across platforms, and are detailed in Zero-footprint: Normal Operation). This means that there may be two accounts required for each device:
  • The initializing account
  • The operational account that actually gathers the inventory.

Naturally, the requirements vary across platforms.

On Microsoft Windows target devices

  • The initializing account:
    • May be either a Windows domain account, or a local account on the target device
    • Requires full access to the Windows Service Control Manager on the target device (specifically, it must have the SC_MANAGER_ALL_ACCESS access right)
    • Must be appropriately registered in the secure Password Manager on the inventory beacon that is responsible for collecting inventory from this target device (for details, see FlexNet Manager Suite Help > Inventory Beacons > Password Management Page and its child topics)
    • May conveniently be the LocalSystem account, since this is required for the following operational stage.
  • For the operational account, FlexNet inventory core components (and in particular the ndtrack component) run as the LocalSystem account.
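
To audit which trustees hold SC_MANAGER_ALL_ACCESS on a target device, the following added example (not part of the product documentation) parses the Service Control Manager security descriptor as printed by `sc sdshow scmanager`. The sample SDDL string and the SID in it are constructed; the script reads explicit ACEs only and does not resolve group membership or ACE ordering.

```python
import re

SC_MANAGER_ALL_ACCESS = 0xF003F  # STANDARD_RIGHTS_REQUIRED | the six SC_MANAGER_* rights
GENERIC_ALL = 0x10000000
# SDDL two-letter right codes -> access-mask bits.
# GR/GW/GX are not expanded here; codes missing from this table are ignored.
RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "KA": 0xF003F, "GA": GENERIC_ALL,
}

def parse_mask(rights):
    """Turn an ACE rights field (letter codes or a hex mask) into an integer mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for code in re.findall("..", rights):
            mask |= RIGHTS.get(code, 0)
    if mask & GENERIC_ALL:  # the SCM maps GENERIC_ALL to SC_MANAGER_ALL_ACCESS
        mask |= SC_MANAGER_ALL_ACCESS
    return mask

def full_access_trustees(sddl):
    """Return trustees whose explicit DACL entries add up to SC_MANAGER_ALL_ACCESS."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # stops before the S: (SACL) part
    if not dacl:
        return []
    granted, denied = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        bucket = granted if ace_type == "A" else denied if ace_type == "D" else None
        if bucket is not None:
            bucket[sid] = bucket.get(sid, 0) | parse_mask(rights)
    # Simplification: a deny ACE is applied only to the same trustee string.
    return sorted(
        sid for sid, mask in granted.items()
        if (mask & ~denied.get(sid, 0)) & SC_MANAGER_ALL_ACCESS == SC_MANAGER_ALL_ACCESS
    )

# Constructed sample in the format printed by `sc sdshow scmanager`.
SAMPLE_SDDL = (
    "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;KA;;;BA)"
    "(A;;CCDCLCSWRPWPSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "S:(AU;FA;KA;;;WD)"
)

if __name__ == "__main__":
    for trustee in full_access_trustees(SAMPLE_SDDL):
        print(trustee)
```

Any trustee listed other than the built-in administrators group (BA) is a candidate for review, since an account with this right can create and start services on the device.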

On UNIX-like target devices

  • The initializing account:
    • Is a local account on the target inventory device
    • Has ssh privileges on that device
    • Must be appropriately registered in the secure Password Manager on the inventory beacon that is responsible for collecting inventory from this target device (for details, see FlexNet Manager Suite Help > Inventory Beacons > Password Management Page and its child topics)
  • For the operational account, FlexNet inventory core components (and in particular the ndtrack component) run as root.
    Tip: As always, it makes no difference whether you invoke the tracker directly as root, or whether you run as another account and use sudo (or similar) to elevate to root before invoking the tracker.
