Credentials for FlexNet Inventory Scanner Inventory
When using FlexNet Inventory Scanner as your inventory-gathering tool, you configure your preferred scheduling tool (such as Microsoft Task Scheduler on Windows, or cron on UNIX-like platforms) to invoke FlexNet Inventory Scanner with the appropriate tracker command line parameters (documented in ndtrack Command Line in the Gathering FlexNet Inventory PDF). Since this invocation is local on the target inventory device, there is no requirement to register any credentials in the Password Manager on any inventory beacon.
The credentials required on the target device vary across platforms.
On Microsoft Windows target devices
- The LocalSystem account is recommended.
- A non-LocalSystem account with administrator privileges is also acceptable. (This means that the account is a member of the Administrators security group in Active Directory.)
  Note: On Microsoft Windows, the tracker does not prevent invocation by an account that has lesser privileges; but you would then need to ensure that such an account had all the required access rights for the kinds of inventory you expected to gather on a target device. Since this is highly dependent on your environment, this approach is unsupported.
- The chosen account must have read-only access to the Windows Service Control Manager (this allows discovery of Oracle services).
- It must be a member of the Windows local security group ora_dba (in which context, the LocalSystem account is displayed as NT AUTHORITY\SYSTEM).
- This account uses local OS authentication to take inventory; which means that the SQLNet.AUTHENTICATION_SERVICES property must be set to (NTS) in the sqlnet.ora file located in the %ORACLE_HOME%\network\admin directory (and be aware that, conversely, disabling OS authentication for your Oracle Database prevents FlexNet Inventory Scanner from gathering inventory from Oracle database instances). By default, Oracle disables OS authentication on Windows platforms.
ndtrack as a non-LocalSystem user account. To do this, ensure that the account has administrator privileges on the target device (that is, is included in the Administrators security group) so that it can collect sufficient hardware inventory information; and then set up your Windows scheduled task to include the following:
- In the General tab of the Task Scheduler, set the user account name in the field for When running the task, use the following user account.
- In the Actions tab, set the action to Start a program, and the Program/script: value to ndtrack.exe -t machine
  The -t machine option is mandatory in this scenario (in contrast, it is the default when the tracker runs as LocalSystem).
On UNIX-like target devices
- Must run as root to collect Oracle inventory. If it is run under any other account on UNIX-like systems, the gathering of Oracle inventory is blocked.
  Tip: As always, it makes no difference whether you invoke FlexNet Inventory Scanner (ndtrack.sh) directly as root, or whether you run as another account and use sudo (or similar) to elevate to root before invoking FlexNet Inventory Scanner.
- May impersonate other trusted accounts with lower privilege levels, as discussed in detail in the Common: Child Processes on UNIX-Like Platforms topic in the Gathering FlexNet Inventory PDF, along with coverage of the following preferences in the co-located ndtrack.ini file that affect the choice of account to impersonate:
  Tip: With neither of the following preferences specified, the default behavior is for the FlexNet Inventory Scanner to impersonate the account currently running the database instance, which is assumed to be a member of the dba group. This is the most straightforward configuration, with no settings needed. If, instead, you intend to specify the OracleInventoryUser preference, it must be an exact match for any Oracle user name that:
  - Is also an operating system account
  - Has OS authentication enabled (and as well, OS authentication, which defaults to enabled for UNIX-like platforms, must not have been disabled using the SQLNet.AUTHENTICATION_SERVICES property in the sqlnet.ora file located in the %ORACLE_HOME%/network/admin folder)
  - Is a member of oinstall (or equivalent group, granting execute permissions for sqlplus)
  - Is either a current member of the dba group on the UNIX host server; or has adequate permissions for inventory gathering (as outlined in this table).

| OracleInventoryAsSysdba | OracleInventoryUser | Impersonation | Connection/Notes |
| --- | --- | --- | --- |
| True (or omitted) | Configured | The account nominated in OracleInventoryUser is impersonated | Database connection is made as sysdba (and account must be a member of the dba group) |
| True (or omitted) | Not configured | The account running the database instance is impersonated | Database connection is made as sysdba |
| False | Configured | The account nominated in OracleInventoryUser is impersonated | Database connection is made as that same account (which in addition to the prerequisites above, must be configured with adequate read-only privileges as detailed in Appendix C: Oracle Tables and Views for Oracle Inventory Collection) |
| False | Not configured | None | Oracle inventory collection does not proceed |

- The impersonated account may need an environmental variable set within its login profile. This applies only in the case where:
  - A target Oracle database instance is running on a UNIX platform, and
  - This account (operating system user) was the one used to start the database instance, and
  - The start-up specified an ORACLE_HOME path which included a symbolic link.
- The account running the database instance (say OSUser4Oracle) may set an environment variable within its login profile specifying the ORACLE_HOME path (including the symbolic link) which was used to start the database instance. To test this setting, the following command should display the correct ORACLE_HOME path:
    su - OSUser4Oracle -c "echo \$ORACLE_HOME"
  Tip: If this environment variable is set for any account on the database server, it is applied to all database instances started by the same account on this server. Any mismatch between the (non-empty) environment variable, and the actual path used to start any of these database instances, prevents the collection of database inventory from the mismatched instance by the locally-installed inventory component (ndtrack). Conversely, you can prevent the environment variable option being used for all accounts on the target Oracle server by setting the UserDefinedOracleHome preference (details of this preference are included in Gathering FlexNet Inventory).
- You can ensure that the Oracle home specified in the /etc/oratab file represents the ORACLE_HOME path used to start the database instance.
FlexNet Manager Suite (On-Premises)
2023 R1