Accounts for Integration of AdminStudio and App Portal with FlexNet Manager Suite

There are two requirements for accounts used in either AdminStudio or App Portal to allow integration with FlexNet Manager Suite / FlexNet Manager Platform:

Members of an appropriate Active Directory security group—Because FlexNet Manager Suite or FlexNet Manager Platform is configured to use Windows Authentication, integration accounts must be members of an appropriate Active Directory security group in order to access FlexNet Manager Suite / FlexNet Manager Platform.

Note: While AdminStudio normally runs under the normal user account, any account used to integrate with FlexNet Manager Suite / FlexNet Manager Platform must be in an appropriate security group.

Assigned to suitable roles—Internally within FlexNet Manager Suite / FlexNet Manager Platform, the accounts must be assigned to suitable roles that provide appropriate access controls.

Meeting these conditions allows the accounts both to look up products (with Flexera Identifiers) in the Application Recognition Library, and to set reservations against available licenses. The procedures for configuring accounts are described below.

Permissions to Access FlexNet Manager Suite / FlexNet Manager Platform
Privileges Within FlexNet Manager Suite 2015 or Later
Privileges Within FlexNet Manager Platform 9.2.3
Privileges Within FlexNet Manager Platform
Special Settings for Multi-Server Implementations
FlexNet Manager System Account on the AdminStudio or AppPortal Machines

Permissions to Access FlexNet Manager Suite / FlexNet Manager Platform

While it is possible to create an Active Directory domain group from scratch, this requires detailed knowledge of directories where FlexNet Manager Suite or FlexNet Manager Platform is installed. It is far simpler to make use of the existing group used to control access. At the same time, it is good practice to have a distinct group in which integration accounts are contained, named according to enterprise conventions. These two approaches can be used together by creating a custom group which is a child of the existing group now controlling access. The new child group inherits the access rights already functioning in its parent group.

To enable authentication for FlexNet Manager Suite / FlexNet Manager Platform:

1. Identify the Active Directory security group used to grant access to FlexNet Manager Suite / FlexNet Manager Platform. By default, this is called MGS Compliance Users.
2. In Active Directory, create a domain group as a child of MGS Compliance Users (or equivalent), and name the new group according to corporate conventions (for example, Flexera Integration Accounts).
3. Add all the integration accounts (accounts for AdminStudio or App Portal users that may access features from FlexNet Manager Suite / FlexNet Manager Platform) to your new child group.
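
Steps 1 to 3 can also be scripted. The following PowerShell is an added example, not part of the Flexera documentation: it creates the child group, nests it in the access group, adds the integration accounts, and then lists who effectively gains access. The account names svc-appportal and svc-adminstudio are hypothetical placeholders, and the child group is assumed to be a Global security group in the same domain as the parent.

```powershell
# Added example, not Flexera code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ParentGroup = 'MGS Compliance Users'          # default access group (step 1)
$ChildGroup  = 'Flexera Integration Accounts'  # example name from step 2
# Hypothetical placeholder accounts: replace with your integration accounts.
$IntegrationAccounts = @('svc-appportal', 'svc-adminstudio')

# Step 1: confirm the access group exists before changing anything.
$parent = Get-ADGroup -Identity $ParentGroup -ErrorAction Stop

# Step 2: create the child group if it is not already present.
# Assumption: a Global security group in the same domain as the parent.
$child = Get-ADGroup -Filter "Name -eq '$ChildGroup'"
if (-not $child) {
    $newGroup = @{
        Name           = $ChildGroup
        SamAccountName = $ChildGroup
        GroupCategory  = 'Security'
        GroupScope     = 'Global'
        PassThru       = $true
    }
    $child = New-ADGroup @newGroup
}

# Nest the child in the parent so that it inherits the parent's access.
$isNested = Get-ADGroupMember -Identity $parent |
    Where-Object { $_.distinguishedName -eq $child.DistinguishedName }
if (-not $isNested) { Add-ADGroupMember -Identity $parent -Members $child }

# Step 3: add only the accounts that are not already members,
# so that the script can be re-run without duplicate-member failures.
$current = Get-ADGroupMember -Identity $child | ForEach-Object { $_.SamAccountName }
$toAdd   = $IntegrationAccounts | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $child -Members $toAdd }

# Check: everyone who now reaches the product through the parent group,
# including accounts that arrive via nesting.
Get-ADGroupMember -Identity $parent -Recursive |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, objectClass, distinguishedName

# Check: direct members of the child group that were not intended.
$unexpected = Get-ADGroupMember -Identity $child |
    Where-Object { $_.SamAccountName -notin $IntegrationAccounts }
if ($unexpected) { Write-Warning "Unexpected members: $($unexpected.SamAccountName -join ', ')" }
```

Because the child group inherits its parent's access, the recursive listing is the one to review whenever membership of either group changes.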

Privileges Within FlexNet Manager Suite 2015 or Later

Privileges to access various functional areas within FlexNet Manager Suite 2015 or later are managed through access rights that are assigned to roles within that product. When appropriate roles exist, user accounts must be both created as operators and assigned to the roles in order to inherit access rights.

Configuring a New Role Within FlexNet Manager Suite 2015 or Later
Creating the Appropriate Service Account Records

Configuring a New Role Within FlexNet Manager Suite 2015 or Later

To configure a new role within FlexNet Manager Suite:

1. In FlexNet Manager Suite, select Accounts on the Options menu.

The All Accounts tab of the Accounts page opens.

2. Select the Roles tab. The Roles view opens.
3. Scroll down until you see the Web Service role and click the copy icon.

The Create a Role view opens.

4. In the Name field, enter Integration.
5. Click the arrow next to each of the following product features and select the specified levels of access from the Privileges list:

Product Feature                   Level of Access
Administration                    None
Applications                      Select one of the following:
                                  If you are using AdminStudio 2016 or later and are going to be creating new local Flexera Identifier entries, select Full.
                                  If you are not using AdminStudio 2016 or later, select Read only.
Business reporting portal         None
Licenses                          Full
Management views and reports      None
Roles                             None
SAP                               None
All other features                Read only

After you have set these access levels, the Access rights area should look like this:

6. Click Create.

Creating the Appropriate Service Account Records

With the role(s) configured, move on to creating the appropriate service account records. These record the account names (identical to the names registered in the Active Directory security group) that will exercise the access rights just defined.

Tip: Other procedures are possible, such as importing the accounts from Active Directory and subsequently registering them as service accounts. This procedure assumes that an Active Directory import is inconvenient.

To register a service account and assign to groups within FlexNet Manager Suite 2015 or later:

1. In FlexNet Manager Suite, select Accounts on the Options menu.

The All Accounts tab of the Accounts page opens.

2. Click Create a service account. The Add Service Member to page opens.

3. Enter the details of the App Portal Service account and then click Save. The All Accounts tab of the Accounts page opens, listing the new account name.
4. Select the new account in the list and then click Open. The Account Properties view opens.

5. Set Status to Enabled.
6. Set Role to Integration.
7. Scroll to the bottom of the page and click Save.

Privileges Within FlexNet Manager Platform 9.2.3

Privileges to access various functional areas within FlexNet Manager Suite are managed through access rights that are assigned to roles within that product. When appropriate roles exist, user accounts must be both created as operators and assigned to the roles in order to inherit access rights.

Configuring a New Role Within FlexNet Manager Platform
Creating the Appropriate Operator Records

Configuring a New Role Within FlexNet Manager Platform

To configure a new role within FlexNet Manager Platform:

1. In FlexNet Manager Platform, in the left-hand console tree, select the Roles node.
2. Click Add a new role.
3. In the New role dialog box, enter a unique name for the role you want to create (for example, Integration Accounts).
4. Click OK.
5. In the left-hand console tree, expand the Roles node to expose the newly-created role; right-click the role and select Manage access rights... from the context menu. The Manage Access Rights dialog box opens.

6. Select the specified levels of access for the following product features:

Product Feature              Level of Access
Software Assets              Administrator access
Custom Views and Reports     Normal access
Business Reporting Portal    No access
Administration               No access
All other areas              Read-only access

7. Click OK.

Tip: If you are concerned about users from AdminStudio using their accounts to log in to FlexNet Manager Platform and modify license data directly, you can repeat this procedure to create a second role exclusively for users of AdminStudio. Give it a distinct name, and rights identical with the above except that Software Assets require Read-only access for these personnel.

Creating the Appropriate Operator Records

With the role(s) configured, move on to creating the appropriate operator records. These record the account names (identical to the names registered in the Active Directory security group) that will exercise the access rights just defined.

Tip: Other procedures are possible, such as importing the accounts from Active Directory and subsequently registering them as operators. This procedure assumes that an Active Directory import is inconvenient.

To register an operator and assign to groups within FlexNet Manager Platform:

1. In FlexNet Manager Platform, in the left-hand console tree, select the Operators node.
2. Click Add.
3. In the General tab of the operator properties, to the right of the Account field, click the ellipsis button […] to open the Windows standard Select User dialog box.
4. Navigate to, and select, an account you previously registered in your Active Directory security group (such as Flexera Integration Accounts or MGS Compliance).
5. Record any other details you choose for this account. For example, for users of AdminStudio, you may wish to name the individual personnel for later tracking.
6. On the Roles tab, select Enable operator to use FlexNet Manager Platform.
7. At the bottom of the panel, click Add.
8. Use the fly-out list to choose the appropriate role (double-click, or select the row and click Select).
9. Click OK to save the operator’s properties.
10. Repeat this procedure for each operator.

Privileges Within FlexNet Manager Platform

Privileges to access various functional areas within FlexNet Manager Platform are managed through access rights that are assigned to roles within that product. When appropriate roles exist, user accounts must be both created as operators and assigned to the roles in order to inherit access rights.

Configuring a New Role Within FlexNet Manager Platform
Creating the Appropriate Operator Records

Configuring a New Role Within FlexNet Manager Platform

To configure a new role within FlexNet Manager Platform:

1. In FlexNet Manager Platform, in the left-hand console tree, select the Roles node.
2. Click Add a new role.
3. In the New role dialog box, enter a unique name for the role you want to create (for example, Integration Accounts).
4. Click OK.
5. In the left-hand console tree, expand the Roles node to expose the newly-created role; right-click the role and select Manage access rights... from the context menu. The Manage Access Rights dialog box opens.

6. Select the specified levels of access for the following product features:

Product Feature              Level of Access
Software Assets              Administrator access
Custom Views and Reports     Normal access
Business Reporting Portal    No access
Administration               No access
All other areas              Read-only access

7. Click OK.

Tip: If you are concerned about users from AdminStudio using their accounts to log in to FlexNet Manager Platform and modify license data directly, you can repeat this procedure to create a second role exclusively for users of AdminStudio. Give it a distinct name, and rights identical with the above except that Software Assets require Read-only access for these personnel.

Creating the Appropriate Operator Records

With the role(s) configured, move on to creating the appropriate operator records. These record the account names (identical to the names registered in the Active Directory security group) that will exercise the access rights just defined.

Tip: Other procedures are possible, such as importing the accounts from Active Directory and subsequently registering them as operators. This procedure assumes that an Active Directory import is inconvenient.

To register an operator and assign to groups within FlexNet Manager Platform:

1. In FlexNet Manager Platform, in the left-hand console tree, select the Operators node.
2. Click Add.
3. In the General tab of the operator properties, to the right of the Account field, click the ellipsis button […] to open the Windows standard Select User dialog box.
4. Navigate to, and select, an account you previously registered in your Active Directory security group (such as Flexera Integration Accounts or MGS Compliance).
5. Record any other details you choose for this account. For example, for users of AdminStudio, you may wish to name the individual personnel for later tracking.
6. On the Roles tab, select Enable operator to use FlexNet Manager Platform.
7. At the bottom of the panel, click Add.
8. Use the fly-out list to choose the appropriate role (double-click, or select the row and click Select).
9. Click OK to save the operator's properties.
10. Repeat this procedure for each account.

Special Settings for Multi-Server Implementations

FlexNet Manager Suite On Premises or FlexNet Manager Platform may be installed on a single server, or on multiple servers so that the database is separate from the core compliance server. In such a multi-server implementation, the App Pool Identity Account configured within Microsoft IIS to support the web API (accessed by both AppPortal and AdminStudio) must be trusted by the separate SQL Server computer for delegation. For instructions, see Resolving Active Directory “Double Hop” Issues Which Occur if FlexNet Manager Suite and SQL Server are on Separate Computers.

FlexNet Manager System Account on the AdminStudio or AppPortal Machines

The FlexNet Manager Suite On Premises / FlexNet Manager Platform system account does not need access to AdminStudio or AppPortal because the communication is driven from the users of those products, not from FlexNet Manager Suite On Premises / FlexNet Manager Platform.