Accounts for Integration of AdminStudio and App Portal with FlexNet Manager Suite
There are two requirements for accounts used in either AdminStudio or App Portal to allow integration with FlexNet Manager Suite / FlexNet Manager Platform:
• | Members of an appropriate Active Directory security group—Because FlexNet Manager Suite or FlexNet Manager Platform is configured to use Windows Authentication, integration accounts must be members of an appropriate Active Directory security group in order to access FlexNet Manager Suite / FlexNet Manager Platform. |
Note:While AdminStudio normally runs under the normal user account, any account used to integrate with FlexNet Manager Suite / FlexNet Manager Platform must be in an appropriate security group.
• | Assigned to suitable roles—Internally within FlexNet Manager Suite / FlexNet Manager Platform, the accounts must be assigned to suitable roles that provide appropriate access controls. |
Meeting these conditions allows the accounts both to look up products (with Flexera Identifiers) in the Application Recognition Library, and to set reservations against available licenses. The procedures for configuring accounts are described below.
• | Permissions to Access FlexNet Manager Suite / FlexNet Manager Platform |
• | Privileges Within FlexNet Manager Suite 2015 or Later |
• | Privileges Within FlexNet Manager Platform 9.2.3 |
• | Privileges Within FlexNet Manager Platform |
• | Special Settings for Multi-Server Implementations |
• | FlexNet Manager System Account on the AdminStudio or AppPortal Machines |
Permissions to Access FlexNet Manager Suite / FlexNet Manager Platform
While it is possible to create an Active Directory domain group from scratch, this requires detailed knowledge of directories where FlexNet Manager Suite or FlexNet Manager Platform is installed. It is far simpler to make use of the existing group used to control access. At the same time, it is good practice to have a distinct group in which integration accounts are contained, named according to enterprise conventions. These two approaches can be used together by creating a custom group which is a child of the existing group now controlling access. The new child group inherits the access rights already functioning in its parent group.
To enable authentication for FlexNet Manager Suite / FlexNet Manager Platform:
1. | Identify the Active Directory security group used to grant access to FlexNet Manager Suite / FlexNet Manager Platform. By default, this is called MGS Compliance Users. |
2. | In Active Directory, create a domain group as a child of MGS Compliance Users (or equivalent), and name the new group according to corporate conventions (for example, Flexera Integration Accounts). |
3. | Add all the integration accounts (accounts for AdminStudio or App Portal users that may access features from FlexNet Manager Suite / FlexNet Manager Platform) to your new child group. |
Privileges Within FlexNet Manager Suite 2015 or Later
Privileges to access various functional areas within FlexNet Manager Suite 2015 or later are managed through access rights that are assigned to roles within that product. When appropriate roles exist, user accounts must be both created as operators and assigned to the roles in order to inherit access rights.
• | Configuring a New Role Within FlexNet Manager Suite 2015 or Later |
• | Creating the Appropriate Service Account Records |
Configuring a New Role Within FlexNet Manager Suite 2015 or Later
To configure a new role within FlexNet Manager Suite, perform the following steps:
To configure a new role within FlexNet Manager Suite:
1. | In FlexNet Manager Suite, select Accounts on the Options menu: |
The All Accounts tab of the Accounts page opens.
2. | Select the Roles tab. The Roles view opens. |
3. | Scroll down until you see the Web Service role and click the copy icon. |
The Create a Role view opens.
4. | In the Name field, enter Integration. |
5. | Click the arrow next to each of the following product features and select the specified levels of access from the Privileges list: |
Product Feature |
Level of Access |
||||||
Administration |
None |
||||||
Applications |
Select one of the following:
|
||||||
Business reporting portal |
None |
||||||
Licenses |
Full |
||||||
Management views and reports |
None |
||||||
Roles |
None |
||||||
SAP |
None |
||||||
All other features |
Read only |
After you have set these access levels, the Access rights area should look like this:
6. | Click Create. |
Creating the Appropriate Service Account Records
With the role(s) configured, move on to creating the appropriate service account records. These record the account names (identical to the names registered in the Active Directory security group) that will exercise the access rights just defined.
Tip:Other procedures are possible, such as importing the accounts from Active Directory and subsequently registering them as service accounts. This procedure assumes that an Active Directory import is inconvenient.
To register a service account and assign to groups within FlexNet Manager Suite 2015 or later:
1. | In FlexNet Manager Suite, select Accounts on the Options menu: |
The All Accounts tab of the Accounts page opens.
2. | Click Create a service account. The Add Service Member to page opens. |
3. | Enter the details of the App Portal Service account and then click Save. The All Accounts tab of the Accounts page opens, listing the new account name. |
4. | Select the new account in the list and then click Open. The Account Properties view opens. |
5. | Set Status to Enabled. |
6. | Set Role to Integration. |
7. | Scroll to the bottom of the page and click Save. |
Privileges Within FlexNet Manager Platform 9.2.3
Privileges to access various functional areas within FlexNet Manager Suite are managed through access rights that are assigned to roles within that product. When appropriate roles exist, user accounts must be both created as operators and assigned to the roles in order to inherit access rights.
• | Configuring a New Role Within FlexNet Manager Platform |
• | Creating the Appropriate Operator Records |
Configuring a New Role Within FlexNet Manager Platform
To configure a new role within FlexNet Manager Platform, perform the following steps:
To configure a new role within FlexNet Manager Platform:
1. | In FlexNet Manager Platform, in the left-hand console tree, select the Roles node. |
2. | Click Add a new role. |
3. | In the New role dialog box, enter a unique name for the role you want to create (for example, Integration Accounts). |
4. | Click OK. |
5. | In the left-hand console tree, expand the Roles node to expose the newly-created role; right-click the role and select Manage access rights... from the context menu. The Manage Access Rights dialog box opens. |
6. | Select the specified levels of access for the following product features: |
Product Feature |
Level of Access |
Software Assets |
Administrator access |
Custom Views and Reports |
Normal access |
Business Reporting Portal |
No access |
Administration |
No access |
All other areas |
Read-only access |
7. | Click OK. |
Tip:If you are concerned about users from AdminStudio using their accounts to log in to FlexNet Manager Platform and modify license data directly, you can repeat this procedure to create a second role exclusively for users of AdminStudio. Give it a distinct name, and rights identical with the above except that Software Assets require Read-only access for these personnel.
Creating the Appropriate Operator Records
With the role(s) configured, move on to creating the appropriate operator records. These record the account names (identical to the names registered in the Active Directory security group) that will exercise the access rights just defined.
Tip:Other procedures are possible, such as importing the accounts from Active Directory and subsequently registering them as operators. This procedure assumes that an Active Directory import is inconvenient.
To register an operator and assign to groups within FlexNet Manager Platform:
1. | In FlexNet Manager Platform, in the left-hand console tree, select the Operators node. |
2. | Click Add. |
3. | In the General tab of the operator properties, to the right of the Account field, click the ellipsis button […] to open the Windows standard Select User dialog box. |
4. | Navigate to, and select, an account you previously registered in your Active Directory security group (such as Flexera Integration Accounts or MGS Compliance). |
5. | Record any other details you choose for this account. For example, for users of AdminStudio, you may wish to name the individual personnel for later tracking. |
6. | On the Roles tab, select Enable operator to use FlexNet Manager Platform. |
7. | At the bottom of the panel, click Add. |
8. | Use the fly-out list to choose the appropriate role (double-click, or select the row and click Select). |
9. | Click OK to save the operator’s properties. |
10. | Repeat this procedure for each operator. |
Privileges Within FlexNet Manager Platform
Privileges to access various functional areas within FlexNet Manager Platform are managed through access rights that are assigned to roles within that product. When appropriate roles exist, user accounts must be both created as operators and assigned to the roles in order to inherit access rights.
• | Configuring a New Role Within FlexNet Manager Platform |
• | Creating the Appropriate Operator Records |
Configuring a New Role Within FlexNet Manager Platform
To configure a new role within FlexNet Manager Platform, perform the following steps:
To configure a new role within FlexNet Manager Platform:
1. | In FlexNet Manager Platform, in the left-hand console tree, select the Roles node. |
2. | Click Add a new role. |
3. | In the New role dialog box, enter a unique name for the role you want to create (for example, Integration Accounts). |
4. | Click OK. |
5. | In the left-hand console tree, expand the Roles node to expose the newly-created role; right-click the role and select Manage access rights... from the context menu. The Manage Access Rights dialog box opens. |
6. | Select the specified levels of access for the following product features: |
Product Feature |
Level of Access |
Software Assets |
Administrator access |
Custom Views and Reports |
Normal access |
Business Reporting Portal |
No access |
Administration |
No access |
All other areas |
Read-only access |
7. | Click OK. |
Tip:If you are concerned about users from AdminStudio using their accounts to log in to FlexNet Manager Platform and modify license data directly, you can repeat this procedure to create a second role exclusively for users of AdminStudio. Give it a distinct name, and rights identical with the above except that Software Assets require Read-only access for these personnel.
Creating the Appropriate Operator Records
With the role(s) configured, move on to creating the appropriate operator records. These record the account names (identical to the names registered in the Active Directory security group) that will exercise the access rights just defined.
Tip:Other procedures are possible, such as importing the accounts from Active Directory and subsequently registering them as operators. This procedure assumes that an Active Directory import is inconvenient.
To register an operator and assign to groups within FlexNet Manager Platform:
1. | In FlexNet Manager Platform, in the left-hand console tree, select the Operators node. |
2. | Click Add. |
3. | In the General tab of the operator properties, to the right of the Account field, click the ellipsis button […] to open the Windows standard Select User dialog box. |
4. | Navigate to, and select, an account you previously registered in your Active Directory security group (such as Flexera Integration Accounts or MGS Compliance). |
5. | Record any other details you choose for this account. For example, for users of AdminStudio, you may wish to name the individual personnel for later tracking. |
6. | On the Roles tab, select Enable operator to use FlexNet Manager Platform. |
7. | At the bottom of the panel, click Add. |
8. | Use the fly-out list to choose the appropriate role (double-click, or select the row and click Select). |
9. | Click OK to save the operator's properties. |
10. | Repeat this procedure for each account. |
Special Settings for Multi-Server Implementations
FlexNet Manager Suite On Premises or FlexNet Manager Platform may be installed on a single server, or on multiple servers so that the database is separate from the core compliance server. In such a multi-server implementation, the App Pool Identity Account configured within Microsoft IIS to support the web API (accessed by both AppPortal and AdminStudio) must be trusted by the separate SQL Server computer for delegation. For instructions see, Resolving Active Directory “Double Hop” Issues Which Occur if FlexNet Manager Suite and SQL Server are on Separate Computers.
FlexNet Manager System Account on the AdminStudio or AppPortal Machines
The FlexNet Manager Suite On Premises / FlexNet Manager Platform system account does not need access to AdminStudio or AppPortal because the communication is driven from the users of those products, not from FlexNet Manager Suite On Premises / FlexNet Manager Platform.