Creating an Account

FlexNet Manager Suite 2023 R1 (On-Premises)

Note: This process registers accounts in FlexNet Manager Suite so that they may be assigned to roles that control their access and privileges. For Windows authentication, the candidates must first:

Exist as users in Active Directory
Be imported into FlexNet Manager Suite
Be present in the All Users page
Have a status value other than Retired or Inactive (the default value is Active).

FlexNet Manager Suite supports the following types of accounts:

Interactive account: An account that enables an operator to log into FlexNet Manager Suite and use its features. To access any part of the product, an operator account must be (a) enabled and (b) assigned to one (or more) role(s). An enterprise typically has several interactive operator accounts.
Tip: Operators throughout your enterprise may log in to interactive accounts using Windows authentication (using the accounts saved in Active Directory); or, if your enterprise has implemented single sign-on with a SAML 2.0-compliant tool, authentication may use your chosen identity provider, such as Okta. The two modes cannot be mixed. For more about configuring single sign-on, see the Authentication chapter in the FlexNet Manager Suite System Reference PDF, available at https://docs.flexera.com/.

Tip: A limitation of the underlying library (Kentor.AuthServices) means that SAML authentication for FlexNet Manager Suite cannot support Federal Information Processing Standards (FIPS).
Service account: Enables access to FlexNet Manager Suite through the web API service. An enterprise typically needs at most one service account. To access FlexNet Manager Suite through a web API service, you must have:
- A license for API integration: Navigate to the system menu ( in the top right corner) > FlexNet Manager Suite License and look for the value of the FNMP API integration enabled option. The value Yes indicates that you have this license.
- A service account: Required to access FlexNet Manager Suite through its web API interface. A service account is assigned to the Web Service role. You cannot log in to FlexNet Manager Suite web interface with a service account (that is, it is not an interactive account).

Tip: The following instructions apply exclusively to a single-tenant implementation. Managed Service Providers (MSPs) who have a multi-tenant implementation must use the separate processes documented in the Installing FlexNet Manager Suite 2023 R1 for a Managed Service PDF file.

To create an account:

Log in to FlexNet Manager Suite as an operator with administrator privileges.
Navigate to the system menu ( in the top right corner) > Accounts.
Click Create an account.
If you have licensed the API Integration option (making it possible to create a service account), a drop-down appears where you may click either:
- Interactive account
- Service account.
Otherwise, you are automatically creating an interactive account.
FlexNet Manager Suite displays the Account Properties page. The appearance and behavior of the first field, for the Account, depend on the infrastructure in use in your enterprise.
Complete the Account field as appropriate for your environment:
- If your enterprise uses a SAML 2.0-compliant, single sign-on solution, the Account is a simple text field. Enter the identifying assertion details for this account: for example, your enterprise may use email addresses or employee IDs for assertions from your identity provider to the service provider (FlexNet Manager Suite). You may use any property of the employee/operator that suits your corporate standards, provided that you specify identical values here and in the NameID (or similar) within your identity provider. Be sure to get the details correct: once saved, this value cannot be edited, and the account cannot be deleted from FlexNet Manager Suite. The value is saved to the OperatorLogin column of the ComplianceOperator table of the compliance database. When, after someone logs in, and your identity provider asserts an identity using this value, only an operator whose value is matched in OperatorLogin is granted access to FlexNet Manager Suite. Optionally, you may also complete the Name, Email, and Job title fields to more readily identify the operator within FlexNet Manager Suite, as normally these details are not exchanged between this service provider and your identity provider.
  Tip: In the above case, using an identity provider, the operator may log into the SAML tool with another attribute. For example, they may log in using employee numbers, but the assertion from the identity provider to the service provider may use the email address to assert the account identity.
- If you log into FlexNet Manager Suite separately (using Windows authentication), this control includes a search mechanism. In this case, operators can only be created by "promoting" a computer end-user already recorded in the compliance database after an import from Active Directory. Operators must have Active Directory accounts in the same domain where the central application server is located. (Records for users from other domains can be created, but when these operators attempt to log in, they will fail Windows Authentication.)
  1. Optionally enter (part of) an existing user name, or leave blank to list all users.
    Note: Users whose employment Status is set to Inactive or Retired are not listed as an account can only be created for active users. (For more information, see General Tab.)
  2. Click Search to display matching user names from the database.
  3. Select the desired user record, and click Get account details. FlexNet Manager Suite populates the Name, Email, and Job title (if known) from the database. (For more information about these fields, see Account Properties.)
    Tip: An Active Directory user account is used for this creation of the related operator record; and at each subsequent login by the operator to FlexNet Manager Suite, the account is validated against the user account in Active Directory. However, after creation, the editing/deletion of the two accounts is handled separately. Specifically, if an employee leaves your company and the relevant user account is removed from Active Directory, this does not automatically close the operator account within FlexNet Manager Suite (although future login attempts using that operator account will fail, since the Active Directory validation against the missing AD user account will fail). Once created, operator accounts must be managed separately, and of course can only be accessed from within FlexNet Manager Suite. Furthermore, once the new account is first saved (when the account is created in FlexNet Manager Suite), the Account value is non-editable, and the account cannot be deleted (although it can be disabled). So be sure to get these details correct during the creation process.
Select Enabled from the Status drop-down list.
An operator can log in to FlexNet Manager Suite only with an enabled account. A service account is enabled by default.
Select a role for this account from the Role drop-down list.
You must select a role to enable the account to use FlexNet Manager Suite. A service account is assigned to the Web Service role. A human operator may be assigned to multiple roles, and then has access to the set of all privileges provided by all those roles. If one assigned role allows a privilege, and another assigned role has Deny setting for the same privilege, the denial wins. To add another role for this operator, click the + icon beside the field.
Click Create.
A FlexNet Manager Suite operator account is saved in the database:
- For Windows authentication, the details match the Active Directory account, and at each login, the operator is validated against the Active Directory account.
- For a SAML-compliant single sign-on system, you must register the account separately in your chosen identity provider, being sure to exactly match the text entered in the Account field (this is the 'handle' for the account passed between the identity provider and the service provider, which in this case is FlexNet Manager Suite).

FlexNet Manager Suite (On-Premises)

2023 R1