Accounts

For installation and operation, FlexNet Manager Suite requires several different sets of account privileges. While it is possible to load a single account with all these privileges, this is typically unacceptable in secure environments, which require a separation of concerns between interactive login accounts for installation and maintenance, and operational service accounts (usually with long-term and closely-guarded credentials).

Important: The accounts used for administration of FlexNet Manager Suite must be mapped to SQL Server User objects in some way (depending on whether you use Windows Authentication, SQL authentication perhaps embedded in connection strings, and so on). It is critical that every relevant SQL Server user has the same default schema for each of the databases, correctly configured. (By default, Microsoft SQL Server Management Studio does not check the default schema name, so it is best entered explicitly – and without enclosing square brackets.) For more information, see Create Databases.

The following tables list the various privilege levels, their purpose within FlexNet Manager Suite, and a suggested set of Active Directory accounts allowing for that separation of concerns. The three account types described are:

db-admin — A database administrator (typically this is an existing database administrator within your enterprise)
fnms-admin — An installing system administrator (account details must be made available to db-admin)
svc-flexnet — A service account for normal operations (account details must be made available to db-admin).

Tip: Where privileges are controlled by Active Directory Group Policy Objects (GPOs), ensure that the accounts and group(s) are added to the appropriate GPO settings prior to attempting installation. A suggested practice when creating the databases is to assign the installing administrator account (fnms-admin) and the service account (svc-flexnet) to an Active Directory group (suggested: FNMS Administrators) in order to grant them appropriate privileges; so you may choose to manage other rights through that group. Also note that these accounts and their privileges must remain active for the lifetime of the FlexNet Manager Suite environment.

Table 1. **Database administration privileges** — suggested AD account: `db-admin`
Privileges	Required on	Purpose
Database administrator, with `db_owner` rights on all operations databases related to FlexNet Manager Suite (compliance data, warehouse data, snapshot data, and inventory data).	Database servers	Provides the following accounts with database access rights as described.
Member of the public database role in the `model` database on the database server.	Database servers	Required so that the account can run scripts that check the database compatibility level.
SELECT rights to the following tables in the msdb database: `dbo.sysjobs` `dbo.sysjobsteps` `sysjobs_view`. EXECUTE rights to the stored procedures from the msdb database used in the database scripts, including: `sp_add_job` `sp_add_jobserver` `sp_add_jobstep` `sp_add_jobschedule` `sp_delete_job`.	Database servers	Only required if an existing installation of FlexNet Manager Suite 2015 or earlier is being migrated to a later release.

Tip: If you are installing Flexera Analytics (powered by Cognos) as part of your implementation, you also need a SQL Server account with read/write access to the Content Store database required by Cognos. The Flexera Analytics installer asks for the login name and password for this account (for details, including character set restrictions, see Installing Flexera Analytics).

Table 2. **Installing administrator privileges** — suggested AD account: `fnms-admin`
Privileges	Required on	Purpose
Membership in the `db_owner` role on all operations databases (compliance data, warehouse data, snapshot data, and inventory data).	Database server.	Post-installation, for continuing administration, this account can be reduced to the same privileges as for the service account (described below). However, the standard installation scripts set some database properties (`ARITHABORT`, `QUOTED_IDENTIFIER`) that can only be configured by an account with `db_owner` privileges. Therefore the installing account needs membership in the `db_owner` role at least temporarily during installation.
Local administrator	Central application server(s) (including, where separated, web application server, batch server, and inventory server); All inventory beacons.	Installs and configures software on all servers. On inventory beacons, interactive login to the inventory beacon interface also requires local administrator privileges (that is, on inventory beacons this is an operational account as well as being required for setup).
Set the execution policy for, and execute, PowerShell scripts	Central application server(s) (including, where separated, web application server, batch server, and inventory server).	PowerShell scripts are used to complete the configuration of central servers during implementation. Includes an attempt to enable Microsoft Message Queuing, where this is not already enabled.
Create tasks in Windows Task Scheduler	Central application server(s) (including, where separated, web application server, batch server, and inventory server); All inventory beacons.	Runs PowerShell scripts during installation that create scheduled tasks.
Internet connection to https://flexerasoftware. flexnetoperations.com	A central server (with network access to all other central application servers in a multi-server implementation).	Retrieve installers for implementing FlexNet Manager Suite and the license from Flexera for its operation.
Internet connection to https://www.managesoft.com (Typically granted through membership in the `FNMS Administrators` security group in Active Directory.)	The batch server (or, in smaller implementations, the processing server or application server).	Maintenance or unscheduled collection of the Application Recognition Library, the SKU libraries, and the Product Use Right Libraries.

Table 3. **Service account privileges** — suggested AD account: `svc-flexnet`
Privileges	Required on	Purpose
Membership in the following fixed database roles: `db_ddladmin` `db_datawriter` `db_datareader`. In addition, the account requires you to `GRANT EXECUTE` permissions on all operations databases (compliance data, warehouse data, snapshot data, and inventory data). Tip: In less stringent environments, it may be convenient to give this account membership in the `db_owner` role for the operations databases, which supersedes all of the above.	Database server	Normal operation (which includes execution of SQL stored procedures).
Logon as a Service, and run all FlexNet services Tip: Admin access for this account is convenient, and typically granted through membership in the `FNMS Administrators` security group in Active Directory; otherwise read, write, and execute permissions are required on all folders containing FlexNet installations, FlexNet data, and FlexNet log files.	Central application server(s) (including, where separated, web application server, batch server, and inventory server); All inventory beacons.	Runs all system operations, including batch services and web services. Important: In a multi-server implementation, the same service account must be used on all central servers, and it must be a Windows domain account. This is required for proper functioning of Microsoft Message Queueing between the servers. (A distinct service account may be used for inventory beacons.)
Logon as a Batch Job	Central application server(s) (including, where separated, web application server, batch server, and inventory server); All inventory beacons.	When the service account runs a batch job, this setting means the login is not an interactive user. Tip: This is particularly important on the batch server (for authorization details, see Authorize the Service Account).
Run scheduled tasks as a service account.	Central application server(s) (including, where separated, web application server, batch server, and inventory server); All inventory beacons.	Runs scheduled tasks within normal operations.
Run IIS application pools as a service account	Central application server(s) (including, where separated, web application server, batch server, and inventory server); Those inventory beacons that are running IIS	Normal operations
Internet connection to https://www.managesoft.com (Typically granted through membership in the `FNMS Administrators` security group in Active Directory.)	The batch server (or, in smaller implementations, the processing server or application server).	Scheduled collection of the Application Recognition Library, the SKU libraries, and the Product Use Right Libraries.

Tip: While the table above lists a single service account svc-flexnet on your application server(s) and inventory beacons, this may be adequate only in environments where security is not a significant concern. For greater security, consider a separate service account for each inventory beacon that has the permissions listed above on the inventory beacon, but no permissions on your central application server(s).

Note: At implementation time, all services are configured with the correct password using the PowerShell scripts provided. If at any time the password on the service account is forced to change, the services will cease to operate. To ensure service continuity, you may either (a) allow the service account password to never expire (as normal for Windows service accounts), where permitted by your corporate policies; or (b) review the accounts listed in Password Maintenance.