Identify (or Set Up) Accounts

You may have accounts correctly configured from your previous implementation. If you need to adjust, here are the details.

For upgrade and operation, FlexNet Manager Suite requires several different sets of account privileges. While it is possible to give a single account all of these privileges, this is typically unacceptable in secure environments, which require a separation of concerns between interactive login accounts used for installation and maintenance, and operational service accounts (usually with long-term and closely guarded credentials).
Important: The accounts used for administration of FlexNet Manager Suite must be mapped to SQL Server user objects in some way (depending on whether you use Windows Authentication, SQL authentication perhaps embedded in connection strings, and so on). It is critical that every relevant SQL Server user has the same default schema, correctly configured, in each of the databases. (By default, the Microsoft SQL Server Management Studio dialog does not validate the default schema name, so it is best entered explicitly, and without enclosing square brackets, which would otherwise be stored as part of the name.) For more information, see Upgrade/Create Databases.
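The default-schema check described above, as an added T-SQL audit script. This is not part of the FlexNet Manager Suite documentation or its database scripts. The four database names and the expected schema name `dbo` are assumptions (placeholders to replace with your own); it needs a login that can read the catalog views of each database and SQL Server 2012 or later.

```sql
-- Added example, not part of the FlexNet Manager Suite scripts.
-- Reports the default schema of every user mapped in each operations database,
-- so that a user whose default schema differs (or was stored with literal
-- brackets such as "[dbo]") is found before the upgrade scripts run.
-- Assumptions: the database names and the expected schema are placeholders.

DECLARE @ExpectedSchema sysname = N'dbo';          -- assumed; must match every DB
DECLARE @Databases TABLE (name sysname PRIMARY KEY);
INSERT INTO @Databases (name)
VALUES (N'FNMSCompliance'), (N'FNMSDataWarehouse'),   -- assumed names
       (N'FNMSSnapshot'),   (N'FNMSInventory');

-- 1. Any listed database that does not exist on this instance.
SELECT d.name AS missing_database
FROM @Databases AS d
WHERE NOT EXISTS (SELECT 1 FROM sys.databases AS s WHERE s.name = d.name);

-- 2. Build one UNION ALL query over <db>.sys.database_principals, using
--    three-part names so the audit runs without USE statements.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql = @sql
    + CASE WHEN @sql = N'' THEN N'' ELSE N'UNION ALL ' END
    + N'SELECT N' + QUOTENAME(s.name, '''') + N' AS database_name, '
    + N'dp.name AS user_name, dp.type_desc, sp.name AS mapped_login, '
    + N'dp.default_schema_name, '
    + N'CASE WHEN dp.default_schema_name = @ExpectedSchema '
    + N'     THEN N''OK'' ELSE N''CHECK'' END AS status '
    + N'FROM ' + QUOTENAME(s.name) + N'.sys.database_principals AS dp '
    + N'LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid '
    + N'WHERE dp.type IN (''S'', ''U'', ''G'') '   -- SQL user, Windows user, Windows group
    + N'AND dp.principal_id > 4 '                  -- skip dbo, guest, INFORMATION_SCHEMA, sys
FROM sys.databases AS s
JOIN @Databases AS d ON d.name = s.name;

-- 3. Run it. Rows flagged CHECK need, in that database:
--    ALTER USER [DOMAIN\user] WITH DEFAULT_SCHEMA = dbo;   (no square brackets)
IF @sql = N''
    RAISERROR (N'None of the listed databases exist on this instance.', 16, 1);
ELSE
BEGIN
    SET @sql = @sql + N'ORDER BY mapped_login, database_name;';
    EXEC sys.sp_executesql @sql, N'@ExpectedSchema sysname',
                           @ExpectedSchema = @ExpectedSchema;
END;
```

The `mapped_login` column exposes users whose SID no longer matches any server login (it is NULL for them), which is the other common cause of "works for one account, fails for another" after a database is restored onto a new server.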
The following tables list the various privilege levels, their purpose within FlexNet Manager Suite, and a suggested set of Active Directory accounts allowing for that separation of concerns. The three account types described are:
  • A database administrator (typically this is an existing database administrator within your enterprise)
  • An installing system administrator (account details must be made available to db-admin)
  • A service account for normal operations (account details must be made available to db-admin).
Tip: Where privileges are controlled by Active Directory Group Policy Objects (GPOs), ensure that the accounts and group(s) are added to the appropriate GPO settings prior to attempting installation. A suggested practice when creating the databases is to assign the installing administrator account (fnms-admin) and the service account (svc-flexnet) to an Active Directory group (suggested: FNMS Administrators) in order to grant them appropriate privileges; so you may choose to manage other rights through that group. Also note that these accounts and their privileges must remain active for the lifetime of the FlexNet Manager Suite environment.
Important: Microsoft SQL Server Agent security restrictions require that any future database upgrade is performed by either:
  • The owner of the database, being the same SQL Server login that created the database in the first place; or
  • A member of the sysadmin fixed server role.
It is therefore typical for the login performing the upgrade to be a member of the sysadmin role for the duration of the set-up process. Since sysadmin privileges are not required for normal operations, remove that login from the sysadmin role once set-up is complete. (If, instead, the original owner performs the upgrade, that login requires at a minimum membership in the SQLAgentUserRole in the msdb database, or in a more privileged role such as SQLAgentReaderRole or SQLAgentOperatorRole. Any of these roles is sufficient to run the scripts provided for database creation and migration.)
Table 1. Database administration privileges — suggested AD account: db-admin

Privileges: Database administrator, with db_owner rights on all operations databases related to FlexNet Manager Suite (compliance data, warehouse data, snapshot data, and inventory data).
Required on: Database servers.
Purpose: Provides the following accounts with database access rights as described.

Privileges: Member of the public database role in the model database on the database server.
Required on: Database servers.
Purpose: Required so that the account can run scripts that check the database compatibility level.

Privileges: SELECT rights on the following objects in the msdb database:
  • dbo.sysjobs
  • dbo.sysjobsteps
  • sysjobs_view.
EXECUTE rights on the stored procedures in the msdb database used by the database scripts, including:
  • sp_add_job
  • sp_add_jobserver
  • sp_add_jobstep
  • sp_add_jobschedule
  • sp_delete_job.
Required on: Database servers.
Purpose: Only required if an existing installation of FlexNet Manager Suite 2015 or earlier is being migrated to a later release.
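The SQL Server Agent condition (database owner or sysadmin) and the msdb and model rights from Table 1, as one added T-SQL script for the database administrator to run before an upgrade. It is not one of Flexera's scripts. The login `DOMAIN\fnms-admin` and the database names are assumptions; `ALTER ROLE ... ADD MEMBER` and `ALTER SERVER ROLE` require SQL Server 2012 or later.

```sql
-- Added example, not part of the FlexNet Manager Suite scripts.
-- Assumptions: DOMAIN\fnms-admin is the login that will run the upgrade, and
-- the four database names are placeholders for your operations databases.

-- Part 1: can this login upgrade each database under SQL Server Agent's rules?
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       CASE WHEN SUSER_SNAME(d.owner_sid) = N'DOMAIN\fnms-admin' THEN N'owner'
            WHEN IS_SRVROLEMEMBER(N'sysadmin', N'DOMAIN\fnms-admin') = 1 THEN N'sysadmin'
            ELSE N'NOT PERMITTED: neither owner nor sysadmin'
       END AS upgrade_permitted_as
FROM sys.databases AS d
WHERE d.name IN (N'FNMSCompliance', N'FNMSDataWarehouse',   -- assumed names
                 N'FNMSSnapshot',   N'FNMSInventory');

-- Part 2: rights from Table 1 for the owner path. The msdb rights are only
-- needed when migrating a FlexNet Manager Suite 2015 or earlier installation.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\fnms-admin')
    CREATE LOGIN [DOMAIN\fnms-admin] FROM WINDOWS;

USE msdb;
IF DATABASE_PRINCIPAL_ID(N'DOMAIN\fnms-admin') IS NULL
    CREATE USER [DOMAIN\fnms-admin] FOR LOGIN [DOMAIN\fnms-admin];
-- Minimum Agent role for an owner performing the upgrade (SQLAgentReaderRole or
-- SQLAgentOperatorRole would also satisfy it, with more privilege).
ALTER ROLE SQLAgentUserRole ADD MEMBER [DOMAIN\fnms-admin];
GRANT SELECT ON dbo.sysjobs          TO [DOMAIN\fnms-admin];
GRANT SELECT ON dbo.sysjobsteps      TO [DOMAIN\fnms-admin];
GRANT SELECT ON dbo.sysjobs_view     TO [DOMAIN\fnms-admin];
GRANT EXECUTE ON dbo.sp_add_job      TO [DOMAIN\fnms-admin];
GRANT EXECUTE ON dbo.sp_add_jobserver   TO [DOMAIN\fnms-admin];
GRANT EXECUTE ON dbo.sp_add_jobstep     TO [DOMAIN\fnms-admin];
GRANT EXECUTE ON dbo.sp_add_jobschedule TO [DOMAIN\fnms-admin];
GRANT EXECUTE ON dbo.sp_delete_job      TO [DOMAIN\fnms-admin];

USE model;
-- A user is a member of public automatically. Caveat: users added to model are
-- copied into every database created on this instance afterwards.
IF DATABASE_PRINCIPAL_ID(N'DOMAIN\fnms-admin') IS NULL
    CREATE USER [DOMAIN\fnms-admin] FOR LOGIN [DOMAIN\fnms-admin];

-- Part 3: the sysadmin path, used when Part 1 reports NOT PERMITTED. Grant it
-- only for the duration of set-up.
USE master;
ALTER SERVER ROLE sysadmin ADD MEMBER [DOMAIN\fnms-admin];

-- Part 4: run this batch only after the upgrade has completed; sysadmin is not
-- needed for normal operation, and leaving it in place defeats the separation
-- of concerns described above.
ALTER SERVER ROLE sysadmin DROP MEMBER [DOMAIN\fnms-admin];
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'DOMAIN\fnms-admin') AS still_sysadmin; -- expect 0
```

Parts 3 and 4 are shown together so the grant and its removal are paired in one place; in practice Part 4 is a separate batch run after set-up.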
Tip: If you are installing Flexera Analytics (powered by Cognos) as part of your implementation, you also need a SQL Server account with read/write access to the Content Store database required by Cognos. The Flexera Analytics installer asks for the login name and password for this account (for details, including character set restrictions, see Upgrading Flexera Analytics from FlexNet Report Designer).
Table 2. Installing administrator privileges — suggested AD account: fnms-admin

Privileges: Membership in the db_owner role on all operations databases (compliance data, warehouse data, snapshot data, and inventory data).
Required on: Database server.
Purpose: Post-installation, for continuing administration, this account can be reduced to the same privileges as the service account (described below). However, the standard installation scripts set some database options (ARITHABORT, QUOTED_IDENTIFIER) that can only be configured by an account with db_owner privileges, so the installing account needs membership in the db_owner role at least temporarily during installation.

Privileges: Local administrator.
Required on:
  • Central application server(s) (including, where separated, web application server, batch server, and inventory server);
  • All inventory beacons.
Purpose: Installs and configures software on all servers. On inventory beacons, interactive login to the inventory beacon interface also requires local administrator privileges (that is, on inventory beacons this is an operational account as well as a set-up account).

Privileges: Set the execution policy for, and execute, PowerShell scripts.
Required on: Central application server(s) (including, where separated, web application server, batch server, and inventory server).
Purpose: PowerShell scripts complete the configuration of the central servers during implementation. This includes an attempt to enable Microsoft Message Queuing where it is not already enabled.

Privileges: Create tasks in Windows Task Scheduler.
Required on:
  • Central application server(s) (including, where separated, web application server, batch server, and inventory server);
  • All inventory beacons.
Purpose: Runs PowerShell scripts during installation that create scheduled tasks.

Privileges: Internet connection to https://flexerasoftware.flexnetoperations.com
Required on: A central server (with network access to all other central application servers in a multi-server implementation).
Purpose: Retrieve the installers for implementing FlexNet Manager Suite, and the license from Flexera for its operation.

Privileges: Internet connection to https://www.managesoft.com (typically granted through membership in the FNMS Administrators security group in Active Directory).
Required on: The batch server (or, in smaller implementations, the processing server or application server).
Purpose: Maintenance or unscheduled collection of the Application Recognition Library, the SKU libraries, and the Product Use Right Libraries.
Table 3. Service account privileges — suggested AD account: svc-flexnet

Privileges: Membership in the following fixed database roles:
  • db_ddladmin
  • db_datawriter
  • db_datareader.
In addition, GRANT EXECUTE permission to the account on all operations databases (compliance data, warehouse data, snapshot data, and inventory data).
Tip: In less stringent environments, it may be convenient to give this account membership in the db_owner role for the operations databases, which supersedes all of the above.
Required on: Database server.
Purpose: Normal operation (which includes execution of SQL stored procedures).

Privileges: Log on as a service, and run all FlexNet services.
Tip: Local administrator access for this account is convenient, and is typically granted through membership in the FNMS Administrators security group in Active Directory. The least-privilege alternative is to grant read, write, and execute permissions on all folders containing FlexNet installations, FlexNet data, and FlexNet log files.
Required on:
  • Central application server(s) (including, where separated, web application server, batch server, and inventory server);
  • All inventory beacons.
Purpose: Runs all system operations, including batch services and web services.
Important: In a multi-server implementation, the same service account must be used on all central servers, and it must be a Windows domain account. This is required for proper functioning of Microsoft Message Queuing between the servers. (A distinct service account may be used for inventory beacons.)

Privileges: Log on as a batch job.
Required on:
  • Central application server(s) (including, where separated, web application server, batch server, and inventory server);
  • All inventory beacons.
Purpose: Allows the service account to run batch jobs without an interactive logon.
Tip: This is particularly important on the batch server (for authorization details, see Authorize the Service Account).

Privileges: Run scheduled tasks as the service account.
Required on:
  • Central application server(s) (including, where separated, web application server, batch server, and inventory server);
  • All inventory beacons.
Purpose: Runs scheduled tasks within normal operations.

Privileges: Run IIS application pools as the service account.
Required on:
  • Central application server(s) (including, where separated, web application server, batch server, and inventory server);
  • Those inventory beacons that are running IIS.
Purpose: Normal operations.

Privileges: Internet connection to https://www.managesoft.com (typically granted through membership in the FNMS Administrators security group in Active Directory).
Required on: The batch server (or, in smaller implementations, the processing server or application server).
Purpose: Scheduled collection of the Application Recognition Library, the SKU libraries, and the Product Use Right Libraries.
Tip: While the table above lists a single service account svc-flexnet on your application server(s) and inventory beacons, this may be adequate only in environments where security is not a significant concern. For greater security, consider a separate service account for each inventory beacon that has the permissions listed above on the inventory beacon, but no permissions on your central application server(s).
Note: At implementation time, all services are configured with the correct password using the PowerShell scripts provided. If at any time the password on the service account is forced to change, the services will cease to operate. To ensure service continuity, you may either (a) allow the service account password to never expire (as normal for Windows service accounts), where permitted by your corporate policies; or (b) review the accounts listed in Password Maintenance.
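The database rows of Table 2 and Table 3, as one added T-SQL script that maps a principal (the installing administrator, the service account, or the FNMS Administrators group suggested above) into each operations database, grants db_owner during installation, and later reduces the mapping to db_ddladmin, db_datawriter, db_datareader plus database-level EXECUTE, setting the default schema explicitly each time. This is not one of the FlexNet Manager Suite installation scripts. The principal name, database names and the `dbo` schema are assumptions; the login must already exist on the instance; SQL Server 2012 or later is required (`ALTER ROLE`, `IS_ROLEMEMBER`).

```sql
-- Added example, not part of the FlexNet Manager Suite installation scripts.
-- Run with @Phase = N'install' for fnms-admin before installation, and with
-- @Phase = N'operate' afterwards to reduce it, or to map svc-flexnet or the
-- FNMS Administrators group for normal operation.
-- Assumptions: principal, database and schema names below are placeholders.

DECLARE @Principal sysname = N'DOMAIN\FNMS Administrators';  -- assumed
DECLARE @Phase     sysname = N'operate';                      -- N'install' | N'operate'
DECLARE @Schema    sysname = N'dbo';                          -- assumed, no brackets

DECLARE @Databases TABLE (name sysname PRIMARY KEY);
INSERT INTO @Databases (name)
VALUES (N'FNMSCompliance'), (N'FNMSDataWarehouse'),           -- assumed names
       (N'FNMSSnapshot'),   (N'FNMSInventory');

IF @Phase NOT IN (N'install', N'operate')
BEGIN RAISERROR (N'@Phase must be install or operate.', 16, 1); RETURN; END;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @Principal)
BEGIN RAISERROR (N'Login does not exist on this instance; create it first.', 16, 1); RETURN; END;

DECLARE @q  sysname = QUOTENAME(@Principal);          -- [DOMAIN\name] for DDL
DECLARE @lit nvarchar(300) = QUOTENAME(@Principal, ''''); -- 'DOMAIN\name' for functions
DECLARE @db sysname, @sql nvarchar(max);

-- A login that owns a database is already mapped there as dbo (full rights);
-- CREATE USER would fail for it, so such databases are skipped.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name
    FROM sys.databases AS s
    JOIN @Databases AS d ON d.name = s.name
    WHERE ISNULL(SUSER_SNAME(s.owner_sid), N'') <> @Principal;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Map the login and set the same explicit default schema in every database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF DATABASE_PRINCIPAL_ID(' + @lit + N') IS NULL
            CREATE USER ' + @q + N' FOR LOGIN ' + @q + N';
        ALTER USER ' + @q + N' WITH DEFAULT_SCHEMA = ' + QUOTENAME(@Schema) + N';';

    IF @Phase = N'install'
        -- Table 2: db_owner is needed while the installation scripts set the
        -- ARITHABORT and QUOTED_IDENTIFIER database options.
        SET @sql = @sql + N' ALTER ROLE db_owner ADD MEMBER ' + @q + N';';
    ELSE
        -- Table 3: least privilege for normal operation. db_owner is removed
        -- only if present; database-scoped EXECUTE covers all stored procedures.
        SET @sql = @sql + N'
        IF IS_ROLEMEMBER(N''db_owner'', ' + @lit + N') = 1
            ALTER ROLE db_owner DROP MEMBER ' + @q + N';
        ALTER ROLE db_ddladmin   ADD MEMBER ' + @q + N';
        ALTER ROLE db_datawriter ADD MEMBER ' + @q + N';
        ALTER ROLE db_datareader ADD MEMBER ' + @q + N';
        GRANT EXECUTE TO ' + @q + N';';

    EXEC sys.sp_executesql @sql;
    PRINT N'Configured ' + @Principal + N' in ' + @db + N' (' + @Phase + N')';
    FETCH NEXT FROM db_cursor INTO @db;
END;
CLOSE db_cursor;
DEALLOCATE db_cursor;
```

Running the `operate` phase against the installing administrator after installation is what reduces it to the service-account level described in Table 2; if the Tip above is followed and the service account is simply made db_owner, the `install` phase is the one to use for it instead.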

In addition to the three core accounts described in the tables, your implementation may require additional accounts for special circumstances.

For example, if you are using adapters to connect to other systems and import data, you need appropriate accounts. For details, see documentation for the adapters you need, such as FlexNet Manager Suite Inventory Adapters and Connectors Reference.

Tip: There may be several accounts needing to log in directly to the application server for tasks related to FlexNet Manager Suite, such as manipulating log files, scheduling tasks, and the like (this excludes access through the web interface, which is not relevant to this discussion). It is often convenient for these accounts to have the same database permissions as the service account on all components of the operations databases: compliance data, warehouse data, snapshot data, and inventory data. A suggested method is to create either a local or Active Directory security group (such as FNMS Administrators) and add all such accounts to this group. You can then, for example, set these permissions by opening each database in Microsoft SQL Server Management Studio and granting the appropriate privileges to the security group. The procedures are detailed in the topics covering database creation. Accounts to list in the security group minimally include:
  • The operational service account (suggested: svc-flexnet)
  • The installing administrator account (suggested: fnms-admin) for post-installation on-going administration (remembering that db_owner membership is required temporarily during installation, as described in Identify (or Set Up) Accounts)
  • Any operational account needing to log in to a central inventory beacon installed on your batch server (remember that, since the inventory beacon requires administrator privileges to run, this account is both a local administrator on the batch server and a db_owner)
  • Any future back-up administrator accounts needed for the application server.